On Sun, Nov 04, 2012 at 09:14:47AM +0000, James Bottomley wrote: > I've actually had more than enough experience with automated installs > over my career: they're either done by paying someone or using a > provisioning system. In either case, they provision a static image and > boot environment description, including EFI boot services variables, so > you can provision a default MOK database if you want the ignition image > not to pause on firstboot. And now you've moved the attack vector to a copy of your provisioning system instead. > There is obviously the question of making the provisioning systems > secure, but it's a separate one from making boot secure. You don't get to punt on making the kernel secure by simply asserting that some other system can be secure instead. The chain of trust needs to go all the way back - if your security model is based on all installs needing a physically present end user, all installs need a physically present end user. That's not acceptable, so we need a different security model. -- Matthew Garrett | mjg59@xxxxxxxxxxxxx -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html