[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130226165003.GA28593@kroah.com>
Date: Tue, 26 Feb 2013 08:50:03 -0800
From: Greg KH <gregkh@...uxfoundation.org>
To: David Howells <dhowells@...hat.com>
Cc: Florian Weimer <fw@...eb.enyo.de>,
Matthew Garrett <mjg59@...f.ucam.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Josh Boyer <jwboyer@...hat.com>,
Peter Jones <pjones@...hat.com>,
Vivek Goyal <vgoyal@...hat.com>,
Kees Cook <keescook@...omium.org>, keyrings@...ux-nfs.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] Load keys from signed PE binaries
On Tue, Feb 26, 2013 at 03:11:41PM +0000, David Howells wrote:
> Greg KH <gregkh@...uxfoundation.org> wrote:
>
> > > (6) To maintain secure boot mode, the kernel must be signed and the boot
> > > loader must check the signature on it. The key must be either compiled
> > > into the bootloader (and thus validated by the bootloader signature) or
> > > must reside in the UEFI database.
> > >
> > > [*] Note: This step is simplified a bit.
> >
> > That's all fine, and now your machine can boot both Linux and Windows
> > wonderfully. Distros have shipped code doing this for a short while now
> > thanks to Matthew's and other developer's effort in writing a UEFI
> > bootloader / shim that Microsoft has signed.
> >
> > > (7) To maintain secure boot mode, the kernel modules must be signed and the
> > > kernel must check the signature on them. The key must be compiled into
> > > the kernel or the bootloader or must reside in the UEFI database.
> >
> > Wait right here. This is NOT mandated by UEFI, nor by anyone else. It
> > might be a nice thing that some people and companies want to implement,
> > but please don't think that some external entity is requiring that Linux
> > implement this, that is not true.
>
> What's the point in having the bootloader check the signature on a kernel
> (which you say is fine) if you then permit it to be modified arbitrarily once
> it is running? If you don't have signed modules then there's no point having
> signed kernels (assuming you don't disable module loading).
I'm not saying that it isn't something nice to have, I really like
signed kernel modules. I'm saying that the key-signing of our Linux
shim bootloader is not dependant on having signed kernel modules, that's
all. This has been proven by the fact that we have gotten bootloaders
signed without having this functionality in the kernel at the time.
thanks,
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists