
Re: Secureboot: how to use MOK



On Sun, Oct 27, 2019 at 10:45:49AM +0100, Florian Weimer wrote:
> * Thomas Goirand:

> > I've set up my new laptop with secureboot, and now, I can't use the DKMS
> > modules from Virtualbox, as they aren't signed. I've been told by Sledge
> > that I should use MOK to do that, and that DKMS packages are supposed to
> > have all in them to support MOK.

> I don't think secure boot provides any benefit at all if you store the
> kernel module signing key on the same machine.

Generate the MOK certificate with EKU 1.3.6.1.4.1.2312.16.1.2.  This
indicates that the key should only be trusted for kernel modules, not for
kernels or other EFI applications (bootloaders etc).  The value is honored
by shim, grub (via shim), and the kernel (but not by the firmware - but the
firmware itself doesn't trust the MOK anyway, so this doesn't matter).

This does not eliminate all attacks that involve getting access to the
private key on the machine; but it does prevent the presence of MOK + DKMS
being used to attack the firmware.

We do this by default in Ubuntu with dkms.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
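The module-only MOK described in the reply above, as an added example that is not part of the mail: the openssl invocation that puts EKU 1.3.6.1.4.1.2312.16.1.2 into a self-signed certificate, plus a check that the resulting certificate carries that EKU and nothing broader before it is enrolled. It assumes openssl is installed; the mokutil and sign-file commands, the sign-file path (as shipped by Ubuntu's linux-headers) and the vboxdrv.ko module name are shown only as comments.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates a MOK restricted to kernel
# module signing via EKU 1.3.6.1.4.1.2312.16.1.2 and verifies the restriction.

# make_module_mok DIR: write DIR/MOK.priv, DIR/MOK.pem and DIR/MOK.der whose only
# EKU is the module-signing OID, so shim/grub/kernel refuse it for kernels and
# other EFI binaries even if the private key is stolen from the same machine.
make_module_mok() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/mok.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = mok_ext
prompt = no
[ dn ]
CN = Example DKMS module signing key (constructed)
[ mok_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
# 1.3.6.1.4.1.2312.16.1.2: "module signing only", honoured by shim and the kernel
extendedKeyUsage = 1.3.6.1.4.1.2312.16.1.2
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$dir/mok.cnf" -keyout "$dir/MOK.priv" -out "$dir/MOK.pem" 2>/dev/null
    openssl x509 -in "$dir/MOK.pem" -outform DER -out "$dir/MOK.der"
}

# has_module_only_eku CERT.pem: succeed only if the certificate's EKU extension
# contains exactly the module-signing OID (a cert with no EKU, or with an extra
# usage such as codeSigning, would also be accepted for kernels and is rejected).
has_module_only_eku() {
    eku=$(openssl x509 -in "$1" -noout -text \
          | sed -n '/Extended Key Usage/{n;p;}' | tr -d ' ')
    [ "$eku" = "1.3.6.1.4.1.2312.16.1.2" ]
}

# Enrolment and module signing, for reference only (need root, a reboot through
# MokManager, and a built module; path as on Ubuntu):
#   sudo mokutil --import "$dir/MOK.der"
#   sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
#        "$dir/MOK.priv" "$dir/MOK.der" vboxdrv.ko
```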
