On Tue, Mar 13, 2018 at 10:18:35AM -0700, James Bottomley wrote:
> On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote:
> > This patch adds the logic for checking the kernel module's hash
> > based on a blacklist. The hash must be generated by sha256 and enrolled
> > to dbx/mokx.
> >
> > For example:
> > sha256sum sample.ko
> > mokutil --mokx --import-hash $HASH_RESULT
> >
> > Whether the signature on the ko file is stripped or not, the hash can be
> > compared by the kernel.
>
> What's the use case for this? We're already in trouble from the ODMs
> for the size of dbx and its consumption of the extremely limited
> variable space, so do we really have a use case for adding module
> blacklist hashes to the UEFI variables given the space constraints (as
> in one we can't do any other way)?
>

The dbx is an authenticated variable that can only be updated by the
manufacturer. The mokx gives a flexible way for a distro to revoke a key
or a signed module. Then we don't need to touch shim or bother the
manufacturer to deliver a new db.

Currently it doesn't have a real use case yet. I knew that the NVRAM has
limited space. But a distro needs a backup solution for emergencies.

Thanks a lot!
Joey Lee
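The quoted patch description says the kernel can compare the blacklist hash whether or not the appended signature has been stripped from the .ko file, which only works if the hash covers the module body without its signature trailer. The following added example (not part of the thread or of the patch) shows what that implies for an operator computing the hash to enrol: it parses the trailer the kernel appends to a signed module (the 12-byte `struct module_signature` header followed by the `~Module signature appended~\n` marker, layout assumed here from the in-tree definition), strips it, and hashes only the payload. It assumes, based on the claim in the patch description, that the kernel hashes the stripped body; the sample module bytes and the fake PKCS#7 blob are constructed for the demonstration and are not a real module or signature.

```python
import hashlib
import struct

# Trailer appended to a signed module (assumed from the kernel's
# struct module_signature): 12-byte header, then the magic marker.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian u32)
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type value for a PKCS#7 signature blob


def strip_module_signature(data: bytes) -> bytes:
    """Return the module payload without its appended signature.

    Unsigned input is returned unchanged; a malformed trailer raises
    rather than silently hashing garbage.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return data
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module signature header")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(
        body[-SIG_HDR.size:]
    )
    # signer name, key id and signature precede the header (all zero-length
    # except the signature for PKCS#7, where they live inside the blob)
    sig_blob_len = signer_len + key_id_len + sig_len
    payload_end = len(body) - SIG_HDR.size - sig_blob_len
    if payload_end < 0:
        raise ValueError("module signature length exceeds file size")
    return body[:payload_end]


def module_blacklist_hash(data: bytes) -> str:
    """SHA-256 over the signature-stripped payload: the value to enrol in mokx."""
    return hashlib.sha256(strip_module_signature(data)).hexdigest()


def whole_file_hash(data: bytes) -> str:
    """What plain `sha256sum` reports on the file as-is (differs once signed)."""
    return hashlib.sha256(data).hexdigest()


def append_fake_signature(payload: bytes, signature: bytes) -> bytes:
    """Build a signed-module image in the kernel's trailer format (constructed)."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return payload + signature + hdr + MODULE_SIG_STRING


# Constructed sample data: a fake ELF-looking module body and a fake PKCS#7 blob.
UNSIGNED_MODULE = b"\x7fELF" + b"constructed kernel module body for the example"
FAKE_PKCS7 = b"\x30\x82\x00\x10" + b"fake-signature-bytes"
SIGNED_MODULE = append_fake_signature(UNSIGNED_MODULE, FAKE_PKCS7)


if __name__ == "__main__":
    print("enrol (stripped) :", module_blacklist_hash(SIGNED_MODULE))
    print("unsigned .ko     :", module_blacklist_hash(UNSIGNED_MODULE))
    print("sha256sum signed :", whole_file_hash(SIGNED_MODULE))
```

The practical check this gives an operator: run the stripped hash on both the signed and the unsigned copy of a module and confirm they agree before enrolling the value; `sha256sum` run on an already-signed file produces a different digest, so a blacklist entry made from it would not match what the kernel computes under the assumption above.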