Re: [PATCH v2] builddeb: Support signing kernels with the module signing key
- To: Julian Andres Klode <julian.klode@canonical.com>
- Cc: Masahiro Yamada <masahiroy@kernel.org>, Ben Hutchings <ben@decadent.org.uk>, linux-efi <linux-efi@vger.kernel.org>, Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>, efi@lists.einval.com, Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, David Howells <dhowells@redhat.com>, keyrings@vger.kernel.org, David Woodhouse <dwmw2@infradead.org>, debian-kernel <debian-kernel@lists.debian.org>
- Subject: Re: [PATCH v2] builddeb: Support signing kernels with the module signing key
- From: Matthew Wilcox <willy@infradead.org>
- Date: Tue, 8 Feb 2022 13:10:34 +0000
- Message-id: <[🔎] YgJrypdQium7AcWV@casper.infradead.org>
- In-reply-to: <[🔎] 20220208110122.2z4cmbqexmnxuxld@jak-t480s>
- References: <20211218031122.4117631-1-willy@infradead.org> <CAK7LNAQUChvX3NoukBnjBfJJGu+a96pfbM--xHEHOygWPgE9eA@mail.gmail.com> <YdSOV7LL0vWCMcWl@casper.infradead.org> <[🔎] CAK7LNAQgixJSnDUMfjc+tg90oMdVoh+i5faEn-rqgmHR3Bk6dQ@mail.gmail.com> <[🔎] 20220208110122.2z4cmbqexmnxuxld@jak-t480s>
On Tue, Feb 08, 2022 at 12:01:22PM +0100, Julian Andres Klode wrote:
> It's worth pointing out that in Ubuntu, the generated MOK key
> is for module signing only (extended key usage 1.3.6.1.4.1.2312.16.1.2),
> kernels signed with it will NOT be bootable.
Why should these be separate keys? There's no meaningful security
boundary between a kernel module and the ernel itself; a kernel
modulecan, for example, write to CR3, and that's game over for
any pretence at separation.
Reply to: