From: Mimi Zohar <zohar@linux.ibm.com>
To: Lenny Szubowicz <lszubowi@redhat.com>,
linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
platform-driver-x86@vger.kernel.org,
linux-security-module@vger.kernel.org, ardb@kernel.org,
jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
bp@alien8.de, pjones@redhat.com, dhowells@redhat.com,
prarit@redhat.com
Subject: Re: [PATCH 0/3] integrity: Load certs from EFI MOK config table
Date: Wed, 26 Aug 2020 07:55:10 -0400 [thread overview]
Message-ID: <6f63a0cf1349281ef2c407d95abedfba1f90345a.camel@linux.ibm.com> (raw)
In-Reply-To: <20200826034455.28707-1-lszubowi@redhat.com>
Hi Lenny,
On Tue, 2020-08-25 at 23:44 -0400, Lenny Szubowicz wrote:
> Because of system-specific EFI firmware limitations,
> EFI volatile variables may not be capable of holding the
> required contents of the Machine Owner Key (MOK) certificate
> store. Therefore, an EFI boot loader may pass the MOK certs
> via a EFI configuration table created specifically for this
> purpose to avoid this firmware limitation.
>
> An EFI configuration table is a simpler and more robust mechanism
> compared to EFI variables and is well suited for one-way passage
> of static information from a pre-OS environment to the kernel.
>
> This patch set does not remove the support for loading certs
> from the EFI MOK variables into the platform key ring.
> However, if both the EFI MOK config table and corresponding
> EFI MOK variables are present, the MOK table is used as the
> source of MOK certs.
>
> The contents of the individual named MOK config table entries are
> made available to user space via read-only sysfs binary files under:
>
> /sys/firmware/efi/mok-variables/
Please include a security section in this cover letter with a
comparison of the MoK variables and the EFI configuration table
security (eg. same mechanism?). Has mokutil been updated? If so,
please provide a link.
Mimi
next prev parent reply other threads:[~2020-08-26 11:55 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-26 3:44 [PATCH 0/3] integrity: Load certs from EFI MOK config table Lenny Szubowicz
2020-08-26 3:44 ` [PATCH 1/3] efi: Support for MOK variable " Lenny Szubowicz
2020-08-26 3:44 ` [PATCH 2/3] integrity: Move import of MokListRT certs to a separate routine Lenny Szubowicz
2020-09-01 20:48 ` Mimi Zohar
2020-09-02 7:55 ` Andy Shevchenko
2020-09-05 0:57 ` Lenny Szubowicz
2020-08-26 3:44 ` [PATCH 3/3] integrity: Load certs from the EFI MOK config table Lenny Szubowicz
2020-08-26 11:55 ` Mimi Zohar [this message]
2020-09-05 1:30 ` [PATCH 0/3] integrity: Load certs from " Lenny Szubowicz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6f63a0cf1349281ef2c407d95abedfba1f90345a.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=pjones@redhat.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=prarit@redhat.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.