Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot

From: Yannik Sembritzki
Date: Wed Aug 15 2018 - 17:31:32 EST


On 15.08.2018 23:13, James Bottomley wrote:
> Consider a UEFI system for which a user has taken ownership, but which
> has some signed ROMs which are UEFI secure boot verified. Simply to
> get their system to boot the user will be forced to add the ODM key to
> the UEFI db ... and I'm sure in that situation the user wouldn't want
> to trust the ODM key further than booting.
I definitely agree with this point.

Is there any solution, apart from building your own kernel, to the
scenario I described?
I think there should be.
(I've personally run into this with VirtualBox, which IIRC I couldn't
load, even though I provisioned my own PK and signed both the kernel and
the VirtualBox module with my own key. I could've compiled my own kernel
with my own key, but that is pretty impractical for most users.)

Yannik