lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 09 Feb 2022 08:21:09 -0500 From: James Bottomley <James.Bottomley@...senPartnership.com> To: Matthew Wilcox <willy@...radead.org>, Julian Andres Klode <julian.klode@...onical.com> Cc: Masahiro Yamada <masahiroy@...nel.org>, Ben Hutchings <ben@...adent.org.uk>, linux-efi <linux-efi@...r.kernel.org>, Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>, efi@...ts.einval.com, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, David Howells <dhowells@...hat.com>, keyrings@...r.kernel.org, David Woodhouse <dwmw2@...radead.org>, debian-kernel <debian-kernel@...ts.debian.org> Subject: Re: [PATCH v2] builddeb: Support signing kernels with the module signing key On Tue, 2022-02-08 at 13:10 +0000, Matthew Wilcox wrote: > On Tue, Feb 08, 2022 at 12:01:22PM +0100, Julian Andres Klode wrote: > > It's worth pointing out that in Ubuntu, the generated MOK key > > is for module signing only (extended key usage > > 1.3.6.1.4.1.2312.16.1.2), kernels signed with it will NOT be > > bootable. > > Why should these be separate keys? There's no meaningful security > boundary between a kernel module and the ernel itself; a kernel > modulecan, for example, write to CR3, and that's game over for > any pretence at separation. It's standard practice for any automated build private key to be destroyed immediately to preserve security. Thus the modules get signed with a per kernel ephemeral build key but the MoK key is a long term key with a special signing infrastructure, usually burned into the distro version of shim. The kernel signing key usually has to be long term because you want shim to boot multiple kernels otherwise upgrading becomes a nightmare. James
Powered by blists - more mailing lists