| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6de0d2978abd641ac1e5ddaaf88d1c25ba612a85.camel@HansenPartnership.com> Date: Fri, 21 Mar 2025 16:53:50 -0400 From: James Bottomley <James.Bottomley@...senPartnership.com> To: Eric Snowberg <eric.snowberg@...cle.com> Cc: Paul Moore <paul@...l-moore.com>, Mimi Zohar <zohar@...ux.ibm.com>, David Howells <dhowells@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>, "open list:SECURITY SUBSYSTEM" <linux-security-module@...r.kernel.org>, David Woodhouse <dwmw2@...radead.org>, "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>, "davem@...emloft.net" <davem@...emloft.net>, Ard Biesheuvel <ardb@...nel.org>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Mickaël Salaün <mic@...ikod.net>, "casey@...aufler-ca.com" <casey@...aufler-ca.com>, Stefan Berger <stefanb@...ux.ibm.com>, "ebiggers@...nel.org" <ebiggers@...nel.org>, Randy Dunlap <rdunlap@...radead.org>, open list <linux-kernel@...r.kernel.org>, "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>, "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>, "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org> Subject: Re: [RFC PATCH v3 00/13] Clavis LSM On Fri, 2025-03-21 at 20:15 +0000, Eric Snowberg wrote: > > On Mar 21, 2025, at 10:55 AM, James Bottomley > > <James.Bottomley@...senPartnership.com> wrote: [...] > > > Hopefully that is not the case, since the public key ships on > > > just about every single PC built. > > > > I don't understand why Microsoft no-longer owning the private key > > is a problem? Only the public key ships on PCs and that hasn't > > changed (at least not yet, it might have to for NIST requirements > > since RSA2048 is being deprecated). > > A couple concerns come to mind. First, the vetting process being > done for individuals that have signing authority with the HSM outside > of Microsoft. I'm not aware UEFI has published any information on this. I think the shim-review repo predates UEFI ownership, but I'm sure the maintainers of the repository can answer how they came to be trusted ... > Another would be access control of the HSM. Especially if it is not > within Microsoft's possession. ... and how they handle the HSM. However, if you're worried about risks to the integrity of secure boot, I'd be much more concerned about the number of ODM motherboard manufacturers who seem to have managed to lose their PK private keys, or keys they placed into db, somehow ... Regards, James
Powered by blists - more mailing lists