| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jul 2023 10:13:10 +0100
From: Matthew Garrett <mjg59@...f.ucam.org>
To: Ard Biesheuvel <ardb@...nel.org>
Cc: Luca Boccassi <bluca@...ian.org>, Peter Jones <pjones@...hat.com>,
Emanuele Giuseppe Esposito <eesposit@...hat.com>,
x86@...nel.org, Thomas Gleixner <tglx@...utronix.de>,
lennart@...ttering.net, Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Masahiro Yamada <masahiroy@...nel.org>,
Alexander Potapenko <glider@...gle.com>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Daniel P . Berrangé <berrange@...hat.com>,
linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage
On Fri, Jul 14, 2023 at 10:52:20AM +0200, Ard Biesheuvel wrote:
> Maybe the OEMs have gotten better at this over the years, but it is
> definitely not possible for the distros to rely on being able to get
> their own cert into KEK and sign their builds directly.
Getting certs into local machine databases should[1] be possible on all
Windows certified machines, but in the status-quo there's no
cross-vendor solution to doing this. Relying on the Shim-provided
mechanisms is much safer from a consistency perspective.
[1] Every time someone has claimed it's impossible to me I've ended up
demonstrating otherwise, but that's not a guarantee
Powered by blists - more mailing lists