On Tue, 2012-09-18 at 19:51 +0100, Alan Cox wrote:
On Tue, 18 Sep 2012 18:34:12 +0100
David Howells [off-list ref] wrote:
quoted
Alan Cox [off-list ref] wrote:
quoted
Why do this in the kernel.That appears to be completely insane.
A number of reasons:
(1) The UEFI signature/key database may contain ASN.1 X.509 certificates and
we may need to use those very early in the boot process, during initrd.
Ok that makes some sense. Presumably they've also got to fall within what
you trust and sign ?
The idea is that you implicitly trust keys in the lists maintained by
your system firmware and/or shim ("mok") key databases, or else you
shouldn't have Secure Boot turned on in the first place. Using these
keys and hashes allows you to e.g. relatively easily add a key you're
using to sign a module you're currently developing, while still *ahem*
enjoying the many benefits of signed modules, kernel, and bootloader.
(Though obviously we would never recommend adding a public key whose
private half you're normally keeping on that same machine.)
--
Peter