Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S938791AbcKQLSi convert rfc822-to-8bit (ORCPT ); Thu, 17 Nov 2016 06:18:38 -0500 Received: from mx1.redhat.com ([209.132.183.28]:48546 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751088AbcKQLSe (ORCPT ); Thu, 17 Nov 2016 06:18:34 -0500 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <20161117102205.hoypgpq5hfw6z2w7@p310> References: <20161117102205.hoypgpq5hfw6z2w7@p310> <20161117064100.hmjmfw42ytm526yh@p310> <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk> <147931987366.16460.12891767069975068260.stgit@warthog.procyon.org.uk> <26349.1479376560@warthog.procyon.org.uk> To: Petko Manolov Cc: dhowells@redhat.com, keyrings@vger.kernel.org, matthew.garrett@nebula.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar Subject: Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <27877.1479381511.1@warthog.procyon.org.uk> Content-Transfer-Encoding: 8BIT Date: Thu, 17 Nov 2016 11:18:31 +0000 Message-ID: <27878.1479381511@warthog.procyon.org.uk> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 17 Nov 2016 11:18:33 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1761 Lines: 40 Petko Manolov wrote: > > > Well, I for one do not explicitly trust these keys. I may even want to > > > completely remove or replace them. > > > > Fine be me. However, if you remove them all I would guess that you cannot > > perform a secure boot. > > Maybe not on PC, but there's plenty of other architectures out there. What > if i replace all UEFI keys with my own? Then I would imagine that you can do a secure boot, but that you have to sign your own shim, grub, kernel, etc.. > > Note that it's to be expected that the keys being loaded from the UEFI > > database cannot have their signatures checked - which is why they would > > have to be implicitly trusted. For the same reason, the kernel does not > > check the signatures on the keys compiled into the kernel image. > > I build all kernels that matter to me and i _do_ trust myself. > Unfortunately i can't say the same for any corporation out there. > > Trusting a key because your vendor shipped the HW with it so that you have no > way to verify the signature is pretty weak argument IMHO. I'm not making an argument there. There is a reason I think that I can't check them. Well, possibly I could *if* those keys are actually signed *and* I have certs built into the kernel by which I can verify all those keys in UEFI variables. I don't know whether this is actually practical. > > You can argue this either way. There's a config option to allow you to > > turn this on or off. Arguably, this should be split in two: one for the > > whitelist (db, MokListRT) and one for the blacklist (dbx). > > I did not see the config option. There is one? See patch 8 where these variables are actually parsed. CONFIG_LOAD_UEFI_KEYS is available there. David