Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot

From: Yannik Sembritzki
Date: Wed Aug 15 2018 - 17:31:32 EST

Next message: Linus Torvalds: "Re: [GIT PULL] gcc-plugin updates for v4.19-rc1"
Previous message: Jon Derrick: "[PATCH 1/2] PCI/DPC: Add 'nodpc' parameter"
In reply to: James Bottomley: "Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot"
Next in thread: James Bottomley: "Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 15.08.2018 23:13, James Bottomley wrote:
> Consider a UEFI system for which a user has taken ownership, but which
> has some signed ROMs which are UEFI secure boot verified. Simply to
> get their system to boot the user will be forced to add the ODM key to
> the UEFI db ... and I'm sure in that situation the user wouldn't want
> to trust the ODM key further than booting.
I definitely agree with this point.

Is there any solution, except from building your own kernel, to the
scenario I described?
I think there should be.
(I've personally run into this with VirtualBox, which I IIRC couldn't
load, even though I provisioned my own PK, and signed both kernel and
VirtualBox module with my own key. I could've compiled my own kernel
with my //own key, but that is pretty impractical for most users.)

Yannik

Next message: Linus Torvalds: "Re: [GIT PULL] gcc-plugin updates for v4.19-rc1"
Previous message: Jon Derrick: "[PATCH 1/2] PCI/DPC: Add 'nodpc' parameter"
In reply to: James Bottomley: "Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot"
Next in thread: James Bottomley: "Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]