Re: [GIT PULL] Load keys from signed PE binaries

From: Vivek Goyal
Date: Tue Feb 26 2013 - 10:38:59 EST

On Tue, Feb 26, 2013 at 10:30:45AM -0500, Vivek Goyal wrote:
> On Tue, Feb 26, 2013 at 04:57:47AM +0000, Matthew Garrett wrote:
> [..]
> > > - encourage things like per-host random keys - with the stupid UEFI
> > > checks disabled entirely if required. They are almost certainly going
> > > to be *more* secure than depending on some crazy root of trust based
> > > on a big company, with key signing authorities that trust anybody with
> > > a credit card. Try to teach people about things like that instead.
> > > Encourage people to do their own (random) keys, and adding those to
> > > their UEFI setups (or not: the whole UEFI thing is more about control
> > > than security), and strive to do things like one-time signing with the
> > > private key thrown out entirely. IOW try to encourage *that* kind of
> > > "we made sure to ask the user very explicitly with big warnings and
> > > create his own key for that particular module" security. Real
> > > security, not "we control the user" security.
> >
> > Yes, ideally people will engage in self-signing and distributions will
> > have mechanisms for dealing with that.
> So even if a user installs its own keys in UEFI to boot self signed
> shim, kernel and modules, I am assuming that we will still need to
> make sure kexec does not load and run an unsigned kernel? (Otherwise
> there is no point in installing user keys in UEFI and there is an
> easy way to bypass it).

As I am kind of lost in the long mail thread, so I will ask. If a user
installs its own keys in UEFI database and boots self signed linux
kernel, will we still make sure that no unsigned code can be run at
ring 0 (without explicitly asking user on console).

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at