On Tue, Jun 10, 2014 at 11:34:17PM +0300, Dmitry Kasatkin wrote: > Preventing loading keys from uefi except dbx by default actually improves > security. Adding kernel parameter to read db we make system more > vulnerable.
It only adds security if you're performing a measured boot and remote attestation. Otherwise you implicitly trust that key anyway. In almost all cases refusing to trust db gives you a false sense of security without any real improvement. I don't think it's obvious it should be the default. -- Matthew Garrett | mj...@srcf.ucam.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
