[PATCH] integrity: Do not load MOK and MOKx when secure boot be disabled
Mimi Zohar
zohar at linux.ibm.com
Tue Dec 21 23:28:31 UTC 2021
On Sat, 2021-12-18 at 10:09 +0800, Lee, Chun-Yi wrote:
> The security of Machine Owner Key (MOK) relies on secure boot. When
> secure boot is disabled, EFI firmware will not verify binary code. Then
> arbitrary efi binary code can modify MOK when rebooting.
>
> This patch prevents MOK/MOKx be loaded when secure boot be disabled.
>
> Signed-off-by: "Lee, Chun-Yi" <jlee at suse.com>
Thanks, Joey!
This patch is now queued in the next-integrity-testing branch waiting
further review/tags.
Mimi
More information about the Linux-security-module-archive
mailing list