[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 7 Jul 2021 10:23:04 -0600
From: Eric Snowberg <eric.snowberg@...cle.com>
To: Christoph Hellwig <hch@...radead.org>
Cc: keyrings@...r.kernel.org,
linux-integrity <linux-integrity@...r.kernel.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
herbert@...dor.apana.org.au, davem@...emloft.net,
jarkko@...nel.org, jmorris@...ei.org, serge@...lyn.com,
keescook@...omium.org, gregkh@...uxfoundation.org,
torvalds@...ux-foundation.org, scott.branden@...adcom.com,
weiyongjun1@...wei.com, nayna@...ux.ibm.com, ebiggers@...gle.com,
ardb@...nel.org, nramas@...ux.microsoft.com, lszubowi@...hat.com,
linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
James.Bottomley@...senpartnership.com, pjones@...hat.com,
glin@...e.com, "konrad.wilk@...cle.com" <konrad.wilk@...cle.com>
Subject: Re: [PATCH RFC 00/12] Enroll kernel keys thru MOK
> On Jul 7, 2021, at 12:46 AM, Christoph Hellwig <hch@...radead.org> wrote:
>
> On Tue, Jul 06, 2021 at 10:43:51PM -0400, Eric Snowberg wrote:
>> This is a follow up to the "Add additional MOK vars" [1] series I
>> previously sent. This series incorporates the feedback given
>> both publicly on the mailing list and privately from Mimi. This
>> series just focuses on getting end-user keys into the kernel trust
>> boundary.
>
> WTF is MOK?
MOK stands for Machine Owner Key. The MOK facility can be used to
import keys that you use to sign your own development kernel build,
so that it is able to boot with UEFI Secure Boot enabled. Many Linux
distributions have implemented UEFI Secure Boot using these keys
as well as the ones Secure Boot provides. It allows the end-user
a choice, instead of locking them into only being able to use keys
their hardware manufacture provided, or forcing them to enroll keys
through their BIOS.
Powered by blists - more mailing lists