Thread (26 messages) 26 messages, 4 authors, 2021-08-13

Re: [PATCH v3 01/14] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK)

From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2021-08-12 22:17:42
Also in: keyrings, linux-crypto, linux-integrity, lkml

On Aug 12, 2021, at 12:58 PM, Jarkko Sakkinen [off-list ref] wrote:

On Wed, Aug 11, 2021 at 10:18:42PM -0400, Eric Snowberg wrote:
quoted
Many UEFI Linux distributions boot using shim.  The UEFI shim provides
what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
Boot DB and MOK keys to validate the next step in the boot chain.  The
MOK facility can be used to import user generated keys.  These keys can
be used to sign an end-users development kernel build.  When Linux
boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux
.platform keyring.

Add a new Linux keyring called .mok.  This keyring shall contain just
I would consider ".machine" instead. It holds MOK keys but is not a
MOK key.
I’m open to renaming it to anything that you and the other maintainers 
feel would be appropriate.  I just want to make sure there is an agreement 
on the new name before I make the change.  Thanks.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help