On Thu, Nov 07, 2019 at 03:04:16AM +0100, Ansgar wrote:
> Steve Langasek writes:
> > On Sun, Oct 27, 2019 at 10:45:49AM +0100, Florian Weimer wrote:
> >> * Thomas Goirand:
> >> I don't think secure boot provides any benefit at all if you store the
> >> kernel module signing key on the same machine.

> > Generate the MOK certificate with EKU 1.3.6.1.4.1.2312.16.1.2. This
> > indicates that the key should only be trusted for kernel modules, not for
> > kernels or other EFI applications (bootloaders etc). The value is honored
> > by shim, grub (via shim), and the kernel (but not by the firmware - but the
> > firmware itself doesn't trust the MOK anyway, so this doesn't matter).

> > This does not eliminate all attacks that involve getting access to the
> > private key on the machine; but it does prevent the presence of MOK + DKMS
> > being used to attack the firmware.

> I thought the Linux kernel did not call `ExitBootServices()`

I don't know why you have the impression that it doesn't. This is basically
the first thing the EFI entry point does, after taking care of certain EFI
fixups.

> and this is the reason we have to require all modules to be signed by
> default.

Enforcement of kernel module signatures is part of what's called the
"lockdown" featureset. It is optional, and not a requirement from the UEFI
spec, but there are various reasons why one might want this added security
and so it's quite reasonable to key its enablement on whether or not your
system has booted with SecureBoot enabled (if SecureBoot is NOT enabled, then
there's no point in enforcing module signatures since your pre-boot execution
environment is not secure anyway and an attacker could just replace your
kernel, or trick your kernel into trusting other keys for signatures.)

> (Or even if it did, this applies to all modules loaded before.) So the
> Linux kernel should be able to chainload anything, just like shim.

The kernel doesn't load any modules before calling ExitBootServices.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
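The restricted MOK certificate Steve describes, as an added example that is not part of the thread: an openssl config that puts EKU 1.3.6.1.4.1.2312.16.1.2 on a self-signed MOK so shim will only trust it for kernel modules, plus a check that the EKU is actually present before the cert is enrolled. The file names, the CN and the 10-year validity are assumptions, and `codeSigning` is included alongside the module-only OID as Ubuntu's DKMS MOK config does.

```shell
#!/bin/sh
# Added example: build a module-signing-only MOK and verify its EKU.
set -eu

MODULE_SIGNING_ONLY_OID="1.3.6.1.4.1.2312.16.1.2"

# Write an openssl config whose x509 extensions carry the shim module-only EKU.
write_mok_config() {   # $1 = path of config file to create (assumed name)
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = mok_exts

[ dn ]
CN = Example DKMS module signing key

[ mok_exts ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
# codeSigning plus the shim module-only OID: shim, grub and the kernel will
# not accept this cert for kernels or other EFI binaries, only for modules.
extendedKeyUsage = codeSigning,${MODULE_SIGNING_ONLY_OID}
EOF
}

# Generate the private key and a self-signed cert (PEM and DER; the DER file
# is what mokutil --import would enroll). $1 = output directory.
generate_mok() {
    write_mok_config "$1/mok.cnf"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/mok.cnf" -keyout "$1/MOK.priv" -out "$1/MOK.pem" 2>/dev/null
    openssl x509 -in "$1/MOK.pem" -outform DER -out "$1/MOK.der"
}

# Exit status 0 only if the PEM cert's Extended Key Usage lists the
# module-signing-only OID; use this before enrolling a MOK so an unrestricted
# key never ends up trusted for bootloaders and kernels.
mok_is_module_only() {   # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q "$MODULE_SIGNING_ONLY_OID"
}
```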