[PATCH] integrity: Do not load MOK and MOKx when secure boot be disabled

Mimi Zohar zohar at linux.ibm.com
Tue Dec 21 23:28:31 UTC 2021


On Sat, 2021-12-18 at 10:09 +0800, Lee, Chun-Yi wrote:
> The security of Machine Owner Key (MOK) relies on secure boot. When
> secure boot is disabled, EFI firmware will not verify binary code. Then
> arbitrary efi binary code can modify MOK when rebooting.
> 
> This patch prevents MOK/MOKx be loaded when secure boot be disabled.
> 
> Signed-off-by: "Lee, Chun-Yi" <jlee at suse.com>

Thanks, Joey!

This patch is now queued in the next-integrity-testing branch waiting
further review/tags.

Mimi



More information about the Linux-security-module-archive mailing list