All of
 help / color / mirror / Atom feed
From: joeyli <>
To: Elaine Palmer <>
	Dimitri Ledkov <>,
	Eric Snowberg <>,
	Nayna Jain <>,
	George Wilson <>,
	Mimi Zohar <>
Subject: Re: keyrings, key usage, and trust models
Date: Wed, 28 Sep 2022 13:59:00 +0800	[thread overview]
Message-ID: <20220928055900.GT4909@linux-l9pv.suse> (raw)
In-Reply-To: <>


On Wed, Jul 20, 2022 at 02:43:54PM -0400, Elaine Palmer wrote:
> At LSS 2022 NA, a recent talk titled, "Establishing Trust
> in Linux Keyrings – Is trust built-in, imputed, or transitive?"[1]
> triggered some discussion, which is best continued here.
> Background and current state as of Linux 5.18
> ---------------------------------------------
> To save space, some terms are abbreviated:
>   Official name           abbreviated  Origin of trust / who vouches
>   -------------           -----------  ----------------------------- 
>   secure boot keys        SB keys      hardware keys (if present)
>   bootloader              bootloader   SB keys
>   kernel signer           signer       bootloader
>   .builtin_trusted_keys   builtin      kernel signer  
>   .secondary_trusted_keys secondary    builtin & (new in 5.18) machine
>   .ima                    ima          builtin & secondary
>   .platform               platform     firmware, SB, MOK
>   .machine                machine      MOK, management system
> In simplified story form, hardware keys authorize secure boot keys,
> which authorize the bootloader, which authorizes whoever signs
> the kernel, who authorizes the builtin keys, which (along with
> the machine keys) authorize the secondary keys, which
> (along with builtin) authorize the ima keys.
> The firmware, secure boot keys, or machine owner keys (MOK)
> authorize the platform keys. MOK or a management system
> authorizes the machine keys.

There is a case where the platform manufacturer is also the machine
ower. Is it possible that they use keys in db as mok? 

On the other hand, why kernel only allows keys in db for kexec? Is it
because UEFI spec says db is the signature store only for secure boot?

Thanks a lot!
Joey Lee

      parent reply	other threads:[~2022-09-28  5:59 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <>
2022-07-20 18:43 ` keyrings, key usage, and trust models Elaine Palmer
2022-07-21 22:53   ` Eric Snowberg
2022-09-28  5:59   ` joeyli [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220928055900.GT4909@linux-l9pv.suse \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.