Re: Secureboot: how to use MOK
* Steve Langasek:
>> and this is the reason we have to require all modules to be signed by
>> default.
>
> Enforcement of kernel module signatures is part of what's called the
> "lockdown" featureset. It is optional, and not a requirement from
> the UEFI spec,

The requirement is in the Microsoft signing policy (or the document
that comes closest to such a policy):

| b. Developers might assume that secure boot security requirements
| have been satisfied when their initial boot is complete. However,
| if a secure boot system permits launch of another operating system
| instance after execution of unauthenticated code, the security
| guarantee of secure boot is compromised. If this vulnerability is
| exploited, the submission might be revoked.

<https://techcommunity.microsoft.com/t5/Windows-Hardware-Certification/Microsoft-UEFI-CA-Signing-policy-updates/ba-p/364828>

Admittedly, that part isn't entirely clear. I think most vendors have
an escape hatch to load unsigned kernel modules even in secure boot
mode, without a reboot or physical presence check.