This patch set is base on the efi-lock-down and keys-uefi branchs in David Howells's linux-fs git tree. The main purpose is using the MOKx to blacklist kernel module. As the MOK (Machine Owner Key), MOKx is a EFI boot time variable which is maintained by shim boot loader. We can enroll the hash of blacklisted kernel module (with or without signature) to MOKx by mokutil. Kernel loads the hash from MOKx to blacklist keyring when booting. Kernel will prevent to load the kernel module when its hash be found in blacklist. This function is useful to revoke a kernel module that it has exploit. Or revoking a kernel module that it was signed by a unsecure key. Except MOKx, this patch set fixs another two issues: The MOK/MOKx should not be loaded when secure boot is disabled. And, modified error message prints out appropriate status string for reading by human being. Lee, Chun-Yi (4): MODSIGN: do not load mok when secure boot disabled MODSIGN: print appropriate status message when getting UEFI certificates list MODSIGN: load blacklist from MOKx MODSIGN: checking the blacklisted hash before loading a kernel module certs/load_uefi.c | 71 +++++++++++++++++++++++++++++++++++-------------- include/linux/efi.h | 25 +++++++++++++++++ kernel/module_signing.c | 62 ++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 136 insertions(+), 22 deletions(-) -- 2.10.2 -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html