> On Sep 8, 2021, at 10:03 AM, Jarkko Sakkinen <jarkko@xxxxxxxxxx> wrote:
>
> On Tue, 2021-09-07 at 12:00 -0400, Eric Snowberg wrote:
>> Many UEFI Linux distributions boot using shim. The UEFI shim provides
>> what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
>> Boot DB and MOK keys to validate the next step in the boot chain. The
>> MOK facility can be used to import user generated keys. These keys can
>> be used to sign an end-user development kernel build. When Linux boots,
>> pre-boot keys (both UEFI Secure Boot DB and MOK keys) get loaded in the
>> Linux .platform keyring.
>>
>> Currently, pre-boot keys are not trusted within the Linux trust boundary
>> [1]. These platform keys can only be used for kexec. If an end-user
>
> What exactly is "trust boundary"? And what do you mean when you say that
> Linux "trusts" something? AFAIK, software does not have feelings. Please,
> just speak about exact things.

I am using terminology used previously by others when addressing this issue.
If I should be using different terminology, please advise. The kernel does
not trust pre-boot keys within it, meaning these pre-boot keys can not be used
to validate items within the kernel. This is the “trust boundary”. Preboot keys
are on one side of the boundary, compiled-in keys are on the other. MOK keys are
pre-boot keys. Currently they can not be used to validate things within the kernel
itself (kernel modules, IMA keys, etc).