Re: [GIT PULL] Load keys from signed PE binaries

From: Kent Yoder
Date: Tue Feb 26 2013 - 11:46:08 EST


On Tue, Feb 26, 2013 at 4:21 AM, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> On Tue, Feb 26, 2013 at 02:07:22AM -0800, Raymond Jennings wrote:
>> Just curious here, but is this as much of an issue if a user is
>> somehow able to take ownership of his own machine?
>
> No, if you're doing your own key management then it's no problem at
> all.
>
>> I'm assuming this is related to TPM somehow.
>
> No, completely unrelated.

Almost completely. As Matthew I'm sure knows, TPM is also used to
establish a chain of trust, but not using signed
firmware/kernel/modules, but chained hashes that are later signed
using the TPM. It does avoid the issue of embedding keys from a
centralized authority in your box's firmware.

Kent

> --
> Matthew Garrett | mjg59@xxxxxxxxxxxxx
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/