[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20211223041014.GB1178@linux-l9pv.suse>
Date: Thu, 23 Dec 2021 12:10:14 +0800
From: joeyli <jlee@...e.com>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: "Lee, Chun-Yi" <joeyli.kernel@...il.com>,
James Morris <jmorris@...ei.org>,
Eric Snowberg <eric.snowberg@...cle.com>,
David Howells <dhowells@...hat.com>,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] integrity: Do not load MOK and MOKx when secure boot be
disabled
Hi Mimi,
On Tue, Dec 21, 2021 at 06:28:31PM -0500, Mimi Zohar wrote:
> On Sat, 2021-12-18 at 10:09 +0800, Lee, Chun-Yi wrote:
> > The security of Machine Owner Key (MOK) relies on secure boot. When
> > secure boot is disabled, EFI firmware will not verify binary code. Then
> > arbitrary efi binary code can modify MOK when rebooting.
> >
> > This patch prevents MOK/MOKx be loaded when secure boot be disabled.
> >
> > Signed-off-by: "Lee, Chun-Yi" <jlee@...e.com>
>
> Thanks, Joey!
>
> This patch is now queued in the next-integrity-testing branch waiting
> further review/tags.
>
> Mimi
Thanks for your review!
Joey Lee
Powered by blists - more mailing lists