Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only

From: Dmitry Kasatkin
Date: Tue Jun 10 2014 - 17:00:46 EST


On 10 June 2014 23:40, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> On Tue, Jun 10, 2014 at 11:34:17PM +0300, Dmitry Kasatkin wrote:
>
>> Preventing loading keys from uefi except dbx by default actually improves
>> security. Adding kernel parameter to read db we make system more
>> vulnerable.
>
> It only adds security if you're performing a measured boot and remote
> attestation. Otherwise you implicitly trust that key anyway. In almost
> all cases refusing to trust db gives you a false sense of security
> without any real improvement. I don't think it's obvious it should be
> the default.
>
> --
> Matthew Garrett | mjg59@xxxxxxxxxxxxx

Maybe you are right... "in almost all cases"...

It does not matter if one trusts DB or not... It's all about
distro/system configuration...

Normal user even will not know what is default behavior and what
kernel parameter disables or enables...
And distro will have it by default or will use kernel parameter... It
does not change anything...

I am just discussing kernel configuration...
Without kind of looking to it I cannot be sure if UEFI keys will
appear on system keyring or not.
Now I have to be aware how kernel is compiled... If it is compiled
with CONFIG_KEYS_UEFI or so
I need to remember maybe to supply additional kernel parameters to
limit key UEFI usage...

It is maybe not a big deal...

--
Thanks,
Dmitry