Re: [PATCH v4 00/12] Enroll kernel keys thru MOK

From: Jarkko Sakkinen
Date: Thu Aug 19 2021 - 07:38:16 EST


On Wed, 2021-08-18 at 20:20 -0400, Eric Snowberg wrote:
> Many UEFI Linux distributions boot using shim. The UEFI shim provides
> what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
> Boot DB and MOK keys to validate the next step in the boot chain. The
> MOK facility can be used to import user generated keys. These keys can
> be used to sign an end-user development kernel build. When Linux boots,
> pre-boot keys (both UEFI Secure Boot DB and MOK keys) get loaded in the
> Linux .platform keyring.
>
> Currently, pre-boot keys are not trusted within the Linux trust boundary
> [1]. These platform keys can only be used for kexec. If an end-user
> wants to use their own key within the Linux trust boundary, they must
> either compile it into the kernel themselves or use the insert-sys-cert
> script. Both options present a problem. Many end-users do not want to
> compile their own kernels. With the insert-sys-cert option, there are
> missing upstream changes [2]. Also, with the insert-sys-cert option,
> the end-user must re-sign their kernel again with their own key, and
> then insert that key into the MOK db. Another problem with
> insert-sys-cert is that only a single key can be inserted into a
> compressed kernel.
>
> Having the ability to insert a key into the Linux trust boundary opens
> up various possibilities. The end-user can use a pre-built kernel and
> sign their own kernel modules. It also opens up the ability for an
> end-user to more easily use digital signature based IMA-appraisal. To
> get a key into the ima keyring, it must be signed by a key within the
> Linux trust boundary.

As of today, I can use a prebuilt kernel, create my own MOK key and sign
modules. What will be different?

> Downstream Linux distros try to have a single signed kernel for each
> architecture. Each end-user may use this kernel in entirely different
> ways. Some downstream kernels have chosen to always trust platform keys
> within the Linux trust boundary for kernel module signing. These
> kernels have no way of using digital signature based IMA appraisal.
>
> This series introduces a new Linux kernel keyring containing the Machine
> Owner Keys (MOK) called .mok. It also adds a new MOK variable to shim.

I would name it ".machine" because it is a more "re-usable" name, e.g.
it could be used for similar things as MOK. ".mok" is a bad name because
it binds directly to a single piece of user space software.

/Jarkko
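The quoted cover letter draws a line between keys that sit in the .platform keyring (pre-boot UEFI db and MOK keys, usable only for kexec) and keys inside the Linux trust boundary (module signature verification and IMA key loading), and then proposes a new keyring so that MOK keys can cross that line. The following is an added illustration, not code from the patch series or from the kernel: it models each keyring as a label on a certificate record and "signed by" as an issuer/subject link rather than a real signature check, so it can be run offline. The keyring names .builtin_trusted_keys, .secondary_trusted_keys and .platform are the kernel's; treating a ".machine" keyring as part of the trust boundary is an assumption about the series' intent, and the certificate store is constructed sample data.

```python
"""Simplified model of the keyring trust domains discussed in the thread.

Constructed illustration, not kernel code: certificates are plain records
and "signed by" is an issuer/subject link, not a cryptographic check.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Keyrings whose keys are inside the Linux trust boundary today
# (module signature verification, loading keys into .ima).
LINUX_TRUST_BOUNDARY: FrozenSet[str] = frozenset(
    {".builtin_trusted_keys", ".secondary_trusted_keys"}
)
# Pre-boot keys (UEFI Secure Boot db and MOK) are loaded here; per the
# cover letter they may only be used for kexec.
PLATFORM_KEYRING = ".platform"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                     # subject of the signer; == subject if self-signed
    keyring: Optional[str] = None   # kernel keyring the cert is loaded into, if any


def chain(cert: Cert, store: Dict[str, Cert], max_depth: int = 8) -> List[Cert]:
    """Issuer chain starting at cert, stopping at a self-signed root, an
    unknown issuer, or max_depth (guards against issuer loops)."""
    out = [cert]
    cur = cert
    while cur.issuer != cur.subject and len(out) < max_depth:
        cur = store.get(cur.issuer)
        if cur is None:
            break
        out.append(cur)
    return out


def trusted_keyrings(cert: Cert, store: Dict[str, Cert],
                     extra_trusted: FrozenSet[str] = frozenset()) -> set:
    """Keyrings inside the trust boundary that hold a cert on this chain.
    extra_trusted lets the caller model a new keyring such as ".machine"."""
    trusted = LINUX_TRUST_BOUNDARY | extra_trusted
    return {c.keyring for c in chain(cert, store) if c.keyring in trusted}


def on_platform(cert: Cert, store: Dict[str, Cert]) -> bool:
    return any(c.keyring == PLATFORM_KEYRING for c in chain(cert, store))


def can_verify_module(cert: Cert, store: Dict[str, Cert],
                      trust_platform_for_modules: bool = False,
                      extra_trusted: FrozenSet[str] = frozenset()) -> bool:
    """Would a kernel module signed by `cert` be accepted?"""
    if trusted_keyrings(cert, store, extra_trusted):
        return True
    # Downstream option named in the thread: always trust platform keys
    # for module signing (at the cost of IMA appraisal, see below).
    return trust_platform_for_modules and on_platform(cert, store)


def can_load_into_ima(cert: Cert, store: Dict[str, Cert],
                      extra_trusted: FrozenSet[str] = frozenset()) -> bool:
    """Can `cert` be added to the .ima keyring? Its signer must be inside
    the trust boundary; .platform never counts, regardless of the
    module-signing option."""
    if cert.issuer == cert.subject:
        return False            # self-signed: nothing in the boundary vouches for it
    signer = store.get(cert.issuer)
    return signer is not None and bool(trusted_keyrings(signer, store, extra_trusted))


def can_verify_kexec(cert: Cert, store: Dict[str, Cert],
                     extra_trusted: FrozenSet[str] = frozenset()) -> bool:
    """kexec accepts both the trust boundary and the platform keyring."""
    return bool(trusted_keyrings(cert, store, extra_trusted)) or on_platform(cert, store)


def build_store(mok_keyring: str = PLATFORM_KEYRING) -> Dict[str, Cert]:
    """Constructed sample store: a distro CA, an end user's MOK key and an
    IMA key signed by that MOK key. mok_keyring says where the MOK key
    lands (.platform today; ".machine" models the proposed series)."""
    certs = [
        Cert("Distro Kernel Signing CA", "Distro Kernel Signing CA", ".builtin_trusted_keys"),
        Cert("Distro Module Signer", "Distro Kernel Signing CA"),   # trusted via its issuer
        Cert("Owner MOK", "Owner MOK", mok_keyring),                # user-enrolled MOK key
        Cert("Owner IMA Key", "Owner MOK"),                         # user's IMA signing key
    ]
    return {c.subject: c for c in certs}


def report(store: Dict[str, Cert], trust_platform_for_modules: bool = False,
           extra_trusted: FrozenSet[str] = frozenset()) -> Dict[str, Dict[str, bool]]:
    return {
        name: {
            "module": can_verify_module(c, store, trust_platform_for_modules, extra_trusted),
            "ima": can_load_into_ima(c, store, extra_trusted),
            "kexec": can_verify_kexec(c, store, extra_trusted),
        }
        for name, c in store.items()
    }


if __name__ == "__main__":
    print("today:", report(build_store()))
    print("platform trusted for modules:", report(build_store(), trust_platform_for_modules=True))
    print("with .machine (assumed):",
          report(build_store(".machine"), extra_trusted=frozenset({".machine"})))
```

Running the three reports shows the trade-off the cover letter describes: today the owner's MOK key verifies kexec but neither modules nor an IMA key; the downstream "trust platform keys" option fixes modules but still cannot get the owner's IMA key loaded; only a keyring inside the trust boundary (the series' .mok, or .machine as the reply suggests naming it) does both.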