
Re: Secureboot: how to use MOK



Steve Langasek writes:
> On Sun, Oct 27, 2019 at 10:45:49AM +0100, Florian Weimer wrote:
>> * Thomas Goirand:
>> I don't think secure boot provides any benefit at all if you store the
>> kernel module signing key on the same machine.
>
> Generate the MOK certificate with EKU 1.3.6.1.4.1.2312.16.1.2.  This
> indicates that the key should only be trusted for kernel modules, not for
> kernels or other EFI applications (bootloaders etc).  The value is honored
> by shim, grub (via shim), and the kernel (but not by the firmware - but the
> firmware itself doesn't trust the MOK anyway, so this doesn't matter).
>
> This does not eliminate all attacks that involve getting access to the
> private key on the machine; but it does prevent the presence of MOK + DKMS
> being used to attack the firmware.

I thought the Linux kernel did not call `ExitBootServices()` and this is
the reason we have to require all modules to be signed by default.  (Or
even if it did, this applies to all modules loaded before.)  So the
Linux kernel should be able to chainload anything, just like shim.

So why does this prevent attacks on the firmware?  It shouldn't matter
if you can sign the kernel or any module run in the same context as the
kernel.

Ansgar
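
The EKU restriction described in the quoted text, as an added example that is not part of the original messages: it generates a self-signed MOK certificate carrying only that OID and checks the result with `openssl`. The file names, subject CN, key size and lifetime are assumptions.

```shell
#!/bin/sh
# Added example. The OID is the one quoted in the message above, where shim,
# grub and the kernel are said to honor it as "kernel modules only".
MODSIGN_EKU="1.3.6.1.4.1.2312.16.1.2"

# make_mok DIR [EKU]: write DIR/mok.key, DIR/mok.pem and DIR/mok.der.
# File names, subject CN, key size and lifetime are illustrative assumptions.
make_mok() (
    umask 077                      # the private key must not be world-readable
    dir=$1 eku=${2:-$MODSIGN_EKU}
    cat > "$dir/mok.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[ dn ]
CN = Constructed example module-signing MOK
[ v3 ]
basicConstraints   = critical,CA:FALSE
extendedKeyUsage   = $eku
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/mok.cnf" -keyout "$dir/mok.key" -out "$dir/mok.pem" &&
    openssl x509 -in "$dir/mok.pem" -outform DER -out "$dir/mok.der"
)

# cert_ekus PEM: print the certificate's EKU list with spaces removed
# (empty output if the extension is absent).
cert_ekus() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;s/ //g;p;}'
}

# modsign_only PEM: succeed only if the module-signing OID is the sole EKU.
modsign_only() {
    [ "$(cert_ekus "$1")" = "$MODSIGN_EKU" ]
}

# Stand-alone use: sh script.sh /path/to/dir
if [ -n "${1:-}" ]; then
    make_mok "$1" && modsign_only "$1/mok.pem" &&
        echo "EKU restricted to $MODSIGN_EKU"
fi
```

`modsign_only` can also be run against a certificate that is already enrolled, to confirm it carries the restriction before it is used for DKMS signing.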

