Re: [PATCH v5 00/12] Enroll kernel keys thru MOK
From: Eric Snowberg
Date: Wed Sep 08 2021 - 13:10:40 EST
> On Sep 8, 2021, at 10:03 AM, Jarkko Sakkinen <jarkko@xxxxxxxxxx> wrote:
>
> On Tue, 2021-09-07 at 12:00 -0400, Eric Snowberg wrote:
>> Many UEFI Linux distributions boot using shim. The UEFI shim provides
>> what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
>> Boot DB and MOK keys to validate the next step in the boot chain. The
>> MOK facility can be used to import user generated keys. These keys can
>> be used to sign an end-user development kernel build. When Linux boots,
>> pre-boot keys (both UEFI Secure Boot DB and MOK keys) get loaded in the
>> Linux .platform keyring.
>>
>> Currently, pre-boot keys are not trusted within the Linux trust boundary
>> [1]. These platform keys can only be used for kexec. If an end-user
>
> What exactly is "trust boundary"? And what do you mean when you say that
> Linux "trusts" something? AFAIK, software does not have feelings. Please,
> just speak about exact things.
I am using terminology used previously by others when addressing this issue.
If I should be using different terminology, please advise. The kernel does not
trust pre-boot keys within it, meaning these pre-boot keys can not be used to
validate items within the kernel. This is the “trust boundary”. Preboot keys are
on one side of the boundary, compiled-in keys are on the other. MOK keys are
pre-boot keys. Currently they can not be used to validate things within the
kernel itself (kernel modules, IMA keys, etc).