
Re: Secureboot: how to use MOK



* Steve Langasek:

>> and this is the reason we have to require all modules to be signed by
>> default.
>
> Enforcement of kernel module signatures is part of what's called the
> "lockdown" featureset.  It is optional, and not a requirement from
> the UEFI spec,

The requirement is in the Microsoft signing policy (or the document
that comes closest to such a policy):

|  b. Developers might assume that secure boot security requirements
|  have been satisfied when their initial boot is complete. However,
|  if a secure boot system permits launch of another operating system
|  instance after execution of unauthenticated code, the security
|  guarantee of secure boot is compromised. If this vulnerability is
|  exploited, the submission might be revoked.

<https://techcommunity.microsoft.com/t5/Windows-Hardware-Certification/Microsoft-UEFI-CA-Signing-policy-updates/ba-p/364828>

Admittedly, that part isn't entirely clear. I think most vendors have
an escape hatch to load unsigned kernel modules even in secure boot
mode, without a reboot or physical presence check.

