On Di, 2018-07-24 at 00:23 +0800, Yu Chen wrote: > > Good point, we once tried to generate key in kernel, but people > suggest to generate key in userspace and provide it to the > kernel, which is what ecryptfs do currently, so it seems this > should also be safe for encryption in kernel. > https://www.spinics.net/lists/linux-crypto/msg33145.html > Thus Chun-Yi's signature can use EFI key and both the key from > user space. Hi, ecryptfs can trust user space. It is supposed to keep data safe while the system is inoperative. The whole point of Secure Boot is a cryptographic system of trust that does not include user space. I seriously doubt we want to use trusted computing here. So the key needs to be generated in kernel space and stored in a safe manner. As we have a saolution doing that, can we come to ausable synthesis? Regards Oliver