From: joeyli <jlee@suse.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
James Morris <jmorris@namei.org>,
Eric Snowberg <eric.snowberg@oracle.com>,
David Howells <dhowells@redhat.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] integrity: Do not load MOK and MOKx when secure boot be disabled
Date: Thu, 23 Dec 2021 12:10:14 +0800 [thread overview]
Message-ID: <20211223041014.GB1178@linux-l9pv.suse> (raw)
In-Reply-To: <9b93e099fc6ee2a56d70ed338cd79f2c1ddcffa5.camel@linux.ibm.com>
Hi Mimi,
On Tue, Dec 21, 2021 at 06:28:31PM -0500, Mimi Zohar wrote:
> On Sat, 2021-12-18 at 10:09 +0800, Lee, Chun-Yi wrote:
> > The security of Machine Owner Key (MOK) relies on secure boot. When
> > secure boot is disabled, EFI firmware will not verify binary code. Then
> > arbitrary efi binary code can modify MOK when rebooting.
> >
> > This patch prevents MOK/MOKx be loaded when secure boot be disabled.
> >
> > Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
>
> Thanks, Joey!
>
> This patch is now queued in the next-integrity-testing branch waiting
> further review/tags.
>
> Mimi
Thanks for your review!
Joey Lee
prev parent reply other threads:[~2021-12-23 4:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-18 2:09 [PATCH] integrity: Do not load MOK and MOKx when secure boot be disabled Lee, Chun-Yi
2021-12-21 12:56 ` Mimi Zohar
2021-12-21 23:28 ` Mimi Zohar
2021-12-23 4:10 ` joeyli [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211223041014.GB1178@linux-l9pv.suse \
--to=jlee@suse.com \
--cc=dhowells@redhat.com \
--cc=eric.snowberg@oracle.com \
--cc=jmorris@namei.org \
--cc=joeyli.kernel@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.