On Wed, Feb 9, 2022 at 10:21 PM James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, 2022-02-08 at 13:10 +0000, Matthew Wilcox wrote:
> > On Tue, Feb 08, 2022 at 12:01:22PM +0100, Julian Andres Klode wrote:
> > > It's worth pointing out that in Ubuntu, the generated MOK key
> > > is for module signing only (extended key usage
> > > 1.3.6.1.4.1.2312.16.1.2), kernels signed with it will NOT be
> > > bootable.
> >
> > Why should these be separate keys? There's no meaningful security
> > boundary between a kernel module and the kernel itself; a kernel
> > module can, for example, write to CR3, and that's game over for
> > any pretence at separation.
>
> It's standard practice for any automated build private key to be
> destroyed immediately to preserve security. Thus the modules get
> signed with a per kernel ephemeral build key but the MoK key is a long
> term key with a special signing infrastructure, usually burned into the
> distro version of shim. The kernel signing key usually has to be long
> term because you want shim to boot multiple kernels otherwise upgrading
> becomes a nightmare.

Fully agreed.

--
Best Regards
Masahiro Yamada
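The following is an added example, not part of this thread and not Ubuntu's or the kernel's own build tooling. It models in POSIX shell the two points made above: the per-build module-signing key James describes (generated for one build, used once, then destroyed), and the "module signing only" extended key usage 1.3.6.1.4.1.2312.16.1.2 that Julian cites, with a check a packager or auditor can run against a certificate to confirm the EKU is present. Assumptions: openssl is on PATH; `openssl dgst` stands in for the kernel's scripts/sign-file step (a detached signature over a constructed blob, not a real .ko); the certificate subject, file names and the fake module bytes are made up.

```shell
#!/bin/sh
# Added example: ephemeral per-build module-signing key with the
# "module signing only" EKU, plus a check for that EKU on a certificate.
MODSIGN_EKU="1.3.6.1.4.1.2312.16.1.2"   # OID quoted in the thread

# Generate a fresh key pair and self-signed cert in directory $1.
# The EKU marks the cert as module-signing only; a kernel signed with
# it is not bootable under shim (the point Julian makes).
make_ephemeral_modsign_key() {
    dir=$1
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=constructed build modsign key (ephemeral)" \
        -addext "extendedKeyUsage=$MODSIGN_EKU" \
        -keyout "$dir/modsign.key" -out "$dir/modsign.crt" 2>/dev/null
}

# Return 0 if certificate $1 carries the module-signing-only EKU.
# OpenSSL has no name for this OID, so it prints it in dotted form.
cert_is_modsign_only() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$MODSIGN_EKU"
}

# Build step stand-in: sign blob $2 with the key in $1, then destroy the
# private key, as James describes for automated build keys. Only the
# certificate (public half) survives the build.
sign_and_destroy() {
    dir=$1; blob=$2
    openssl dgst -sha256 -sign "$dir/modsign.key" -out "$blob.sig" "$blob"
    rm -f "$dir/modsign.key"
}

# Verification needs only the cert's public key, so it still works
# after the private key is gone.
verify_blob() {
    dir=$1; blob=$2
    openssl x509 -in "$dir/modsign.crt" -pubkey -noout > "$dir/modsign.pub"
    openssl dgst -sha256 -verify "$dir/modsign.pub" \
        -signature "$blob.sig" "$blob" >/dev/null 2>&1
}

# Demo run in a temp dir with a constructed stand-in for a module.
demo() {
    dir=$(mktemp -d)
    printf 'constructed fake module bytes\n' > "$dir/fake.ko"
    make_ephemeral_modsign_key "$dir"
    if cert_is_modsign_only "$dir/modsign.crt"; then
        echo "cert: module signing only (EKU $MODSIGN_EKU present)"
    else
        echo "cert: EKU missing, not restricted to module signing"
    fi
    sign_and_destroy "$dir" "$dir/fake.ko"
    [ ! -f "$dir/modsign.key" ] && echo "private key destroyed after build"
    verify_blob "$dir" "$dir/fake.ko" && echo "signature verifies against cert"
    rm -rf "$dir"
}

demo
```

The EKU check is the piece worth keeping around: run `cert_is_modsign_only` against the certificate a build enrolls in MOK to confirm it cannot double as a boot-signing key. The long-term key James mentions (the one burned into the distro's shim) is deliberately absent here; this script only models the short-lived per-kernel build key.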