[PATCH v3 01/14] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK)
eric.snowberg at oracle.com
Thu Aug 12 22:16:51 UTC 2021
> On Aug 12, 2021, at 12:58 PM, Jarkko Sakkinen <jarkko at kernel.org> wrote:
> On Wed, Aug 11, 2021 at 10:18:42PM -0400, Eric Snowberg wrote:
>> Many UEFI Linux distributions boot using shim. The UEFI shim provides
>> what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
>> Boot DB and MOK keys to validate the next step in the boot chain. The
>> MOK facility can be used to import user generated keys. These keys can
>> be used to sign an end-users development kernel build. When Linux
>> boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux
>> .platform keyring.
>> Add a new Linux keyring called .mok. This keyring shall contain just
> I would consider ".machine" instead. It holds MOK keys but is not a
> MOK key.
I’m open to renaming it to anything that you and the other maintainers
feel would be appropriate. I just want to make sure there is an agreement
on the new name before I make the change. Thanks.
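Both the UEFI Secure Boot db variable and the MokListRT variable that shim exposes to the OS carry their keys as a concatenation of EFI_SIGNATURE_LIST structures (UEFI spec layout: a 16-byte SignatureType GUID, three little-endian u32 sizes, an optional header, then fixed-size EFI_SIGNATURE_DATA entries each prefixed by a 16-byte SignatureOwner GUID). The C program below is an added example, not code from this patch series or from the kernel's own EFI signature-list parser: it walks such a blob with bounds checks, counts X.509 and SHA-256 entries, and rejects a truncated or inconsistent list rather than reading past the buffer. The sample blob, its placeholder digest bytes and the four-byte stand-in for a DER certificate are constructed for the example and are not a real MokListRT.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Signature-type GUIDs in on-disk (mixed-endian) layout:
 * Data1/Data2/Data3 little-endian, Data4 as-is. */
static const uint8_t EFI_CERT_X509_GUID[16] = {   /* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
    0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a, 0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 };
static const uint8_t EFI_CERT_SHA256_GUID[16] = { /* c1c41626-504c-4092-aca9-41f936934328 */
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40, 0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28 };

#define SIGLIST_HDR 28   /* GUID + SignatureListSize + SignatureHeaderSize + SignatureSize */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

struct siglist_stats { unsigned x509; unsigned sha256; unsigned other; };

/* Walk a concatenation of EFI_SIGNATURE_LISTs. Returns 0 on success, -1 if
 * the blob is truncated or internally inconsistent; a hostile or corrupt
 * variable must never drive a read past 'len'. */
int walk_efi_signature_lists(const uint8_t *buf, size_t len, struct siglist_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof *st);
    while (off < len) {
        const uint8_t *hdr = buf + off;
        if (len - off < SIGLIST_HDR) return -1;
        uint32_t list_size = le32(hdr + 16);
        uint32_t hdr_size  = le32(hdr + 20);
        uint32_t sig_size  = le32(hdr + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR) return -1;
        size_t body = list_size - SIGLIST_HDR - hdr_size;
        /* Each entry is a 16-byte owner GUID plus at least one data byte,
         * and the body must be a whole number of entries. */
        if (sig_size <= 16 || body % sig_size != 0) return -1;
        size_t n = body / sig_size;
        if (!memcmp(hdr, EFI_CERT_X509_GUID, 16)) {
            st->x509 += n;
        } else if (!memcmp(hdr, EFI_CERT_SHA256_GUID, 16)) {
            if (sig_size != 16 + 32) return -1;   /* SHA-256 entries are fixed size */
            st->sha256 += n;
        } else {
            st->other += n;
        }
        off += list_size;
    }
    return 0;
}

/* Append one EFI_SIGNATURE_LIST with n entries, all carrying the same
 * constructed payload (good enough to exercise the parser). */
static size_t put_list(uint8_t *out, const uint8_t type[16], unsigned n,
                       const uint8_t *data, uint32_t data_len)
{
    uint32_t sig_size = 16 + data_len;
    uint32_t list_size = SIGLIST_HDR + n * sig_size;
    uint8_t *p = out + SIGLIST_HDR;
    memcpy(out, type, 16);
    put32(out + 16, list_size);
    put32(out + 20, 0);            /* no SignatureHeader */
    put32(out + 24, sig_size);
    for (unsigned i = 0; i < n; i++) {
        memset(p, 0x11, 16);       /* SignatureOwner: constructed GUID */
        memcpy(p + 16, data, data_len);
        p += sig_size;
    }
    return list_size;
}

/* Constructed sample: two SHA-256 hash entries followed by one X.509 entry.
 * 'out' needs at least 172 bytes. Not a real MokListRT. */
size_t build_sample_moklist(uint8_t *out)
{
    static const uint8_t hash[32] = { 0xaa };                 /* placeholder digest */
    static const uint8_t cert[]   = { 0x30, 0x82, 0x01, 0x00 }; /* placeholder DER prefix */
    size_t n = 0;
    n += put_list(out + n, EFI_CERT_SHA256_GUID, 2, hash, sizeof hash);
    n += put_list(out + n, EFI_CERT_X509_GUID, 1, cert, sizeof cert);
    return n;
}

/* Wrappers over the sample so results can be checked by name. */
int sample_x509_count(void)
{
    uint8_t buf[256]; struct siglist_stats st;
    if (walk_efi_signature_lists(buf, build_sample_moklist(buf), &st)) return -1;
    return (int)st.x509;
}
int sample_sha256_count(void)
{
    uint8_t buf[256]; struct siglist_stats st;
    if (walk_efi_signature_lists(buf, build_sample_moklist(buf), &st)) return -1;
    return (int)st.sha256;
}
int sample_truncated_result(void)   /* drop the last byte: parser must reject */
{
    uint8_t buf[256]; struct siglist_stats st;
    return walk_efi_signature_lists(buf, build_sample_moklist(buf) - 1, &st);
}

int main(void)
{
    printf("x509=%d sha256=%d truncated=%d\n",
           sample_x509_count(), sample_sha256_count(), sample_truncated_result());
    return 0;
}
```

On a real system the same walker can be pointed at the raw bytes of `/sys/firmware/efi/efivars/MokListRT-*` (after skipping the 4-byte attribute prefix efivarfs prepends) to see what a kernel would be offered for the .platform keyring; the sizes-before-contents checks are the part worth keeping, since the variable is writable from the firmware side and should not be trusted to be well formed.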