Re: [PATCH v3 01/14] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 8/12/21 2:58 PM, Jarkko Sakkinen wrote:
On Wed, Aug 11, 2021 at 10:18:42PM -0400, Eric Snowberg wrote:
Many UEFI Linux distributions boot using shim.  The UEFI shim provides
what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
Boot DB and MOK keys to validate the next step in the boot chain.  The
MOK facility can be used to import user generated keys.  These keys can
be used to sign an end-users development kernel build.  When Linux
boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux
.platform keyring.

Add a new Linux keyring called .mok.  This keyring shall contain just
I would consider ".machine" instead. It holds MOK keys but is not a
MOK key.

I agree with changing the name.

I believe the underlying source from where CA keys are loaded might vary based on the architecture (".mok" is UEFI specific.). The key part is that this new keyring should contain only CA keys which can be later used to vouch for user keys loaded onto IMA or secondary keyring at runtime. It would be good to have a "ca" in the name, like .xxxx-ca, where xxxx can be machine, owner, or system. I prefer .system-ca.

Thanks & Regards,

     - Nayna




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux