lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Aug 2018 23:31:27 +0200 From: Yannik Sembritzki <yannik@...britzki.me> To: James Bottomley <James.Bottomley@...senPartnership.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Vivek Goyal <vgoyal@...hat.com> Cc: David Howells <dhowells@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Peter Anvin <hpa@...or.com>, the arch/x86 maintainers <x86@...nel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Dave Young <dyoung@...hat.com>, Baoquan He <bhe@...hat.com>, Justin Forbes <jforbes@...hat.com>, Peter Jones <pjones@...hat.com>, Matthew Garrett <mjg59@...gle.com> Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot On 15.08.2018 23:13, James Bottomley wrote: > Consider a UEFI system for which a user has taken ownership, but which > has some signed ROMs which are UEFI secure boot verified. Simply to > get their system to boot the user will be forced to add the ODM key to > the UEFI db ... and I'm sure in that situation the user wouldn't want > to trust the ODM key further than booting. I definitely agree with this point. Is there any solution, except from building your own kernel, to the scenario I described? I think there should be. (I've personally run into this with VirtualBox, which I IIRC couldn't load, even though I provisioned my own PK, and signed both kernel and VirtualBox module with my own key. I could've compiled my own kernel with my //own key, but that is pretty impractical for most users.) Yannik
Powered by blists - more mailing lists