Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only

From: Matthew Garrett
Date: Tue Jun 10 2014 - 17:41:16 EST

Next message: Trond Myklebust: "[GIT PULL] Please pull NFS client updates"
Previous message: Dmitry Kasatkin: "Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only"
In reply to: Dmitry Kasatkin: "Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only"
Next in thread: Dmitry Kasatkin: "Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jun 11, 2014 at 12:34:28AM +0300, Dmitry Kasatkin wrote:

> My statement is still valid. It is a hole...
>
> To prevent the hole it should be explained that one might follow
> certain instructions
> to take ownership of your PC. Generate your own keys and remove MS and
> Vendor ones...

The hole is that the system trusts keys that you don't trust. The
appropriate thing to do is to remove that trust from the entire system,
not just one layer of the system. If people gain the impression that
they can simply pass a kernel parameter and avoid trusting the vendor
keys, they'll be upset to discover that it's easily circumvented.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Trond Myklebust: "[GIT PULL] Please pull NFS client updates"
Previous message: Dmitry Kasatkin: "Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only"
In reply to: Dmitry Kasatkin: "Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only"
Next in thread: Dmitry Kasatkin: "Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]