Re: [PATCH v2] builddeb: Support signing kernels with the module signing key

From: Matthew Wilcox
Date: Tue Feb 08 2022 - 08:22:33 EST

Next message: Chen-Yu Tsai: "[PATCH v3 23/31] clk: mediatek: mux: Reverse check for existing clk to reduce nesting level"
Previous message: Karol Herbst: "Re: [PATCH] drm/nouveau/backlight: Just set all backlight types as RAW"
In reply to: Julian Andres Klode: "Re: [PATCH v2] builddeb: Support signing kernels with the module signing key"
Next in thread: Julian Andres Klode: "Re: [PATCH v2] builddeb: Support signing kernels with the module signing key"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 08, 2022 at 12:01:22PM +0100, Julian Andres Klode wrote:
> It's worth pointing out that in Ubuntu, the generated MOK key
> is for module signing only (extended key usage 1.3.6.1.4.1.2312.16.1.2),
> kernels signed with it will NOT be bootable.

Why should these be separate keys? There's no meaningful security
boundary between a kernel module and the ernel itself; a kernel
modulecan, for example, write to CR3, and that's game over for
any pretence at separation.

Next message: Chen-Yu Tsai: "[PATCH v3 23/31] clk: mediatek: mux: Reverse check for existing clk to reduce nesting level"
Previous message: Karol Herbst: "Re: [PATCH] drm/nouveau/backlight: Just set all backlight types as RAW"
In reply to: Julian Andres Klode: "Re: [PATCH v2] builddeb: Support signing kernels with the module signing key"
Next in thread: Julian Andres Klode: "Re: [PATCH v2] builddeb: Support signing kernels with the module signing key"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]