On Wed, 2018-08-15 at 13:47 -0700, Linus Torvalds wrote: > On Wed, Aug 15, 2018 at 12:49 PM Vivek Goyal <vgo...@redhat.com> > wrote: > > > > I see that module signing code trusts only builtin keys and > > not the keys in secondary_trusted_keys keyring. > > This, I think, makes sense. > > It basically says: we don't allow modules that weren't built with the > kernel. Adding a new key later and signing a module with it violates > that premise.
Yes, the point is about layers of trust. The UEFI secure boot keys for a standard (i.e. system where the user hasn't taken ownership) contain Microsoft and some ODM vendor keys. You're forced to trust these keys in the boot (or reboot) environment because that's consistent with the way windows operates (any breach and microsoft will get annoyed and help us sort it out). You can't trust them for other kernel key operations because that's outside the boot environment trust boundary and if something goes wrong (say someone at an ODM signs a malicious linux kernel module because the ODM keys are trusted to sign modules) Microsoft won't care and we'll be on our own with no real ability to sort it out. James
