Hi Matthias,

On Wed, 2019-12-04 at 14:57 +0100, Matthias Gerstner wrote:
> I was able to still get things to work by building my own custom kernel
> with the custom CA being built into the kernel which is a lot more
> effort, however, and a scenario we can't easily support for our
> customers.
>
> I can understand the reasoning of that new option, that trusting
> arbitrary platform certificates shipped with the hardware might not be a
> good idea. I wonder, however, whether moving these certificates from
> .secondary_trusted_keys to .platform doesn't also affect other
> components than just IMA?
>
> I would be interested in your view on this and any advice.

The pre-boot keys were probably also being used to verify 3rd party
kernel modules.

If the kernel was built with CONFIG_SYSTEM_EXTRA_CERTIFICATE, the
customer could insert their key post build.[1] This would obviously
require the kernel to be re-signed.

I agree there needs to be a simpler way of including a customer key,
without requiring them to re-sign the kernel. Do you have some thoughts?

Mimi

[1] c4c361059585 ("KEYS: Reserve an extra certificate symbol for
inserting without recompiling")