[PATCH] integrity: Do not load MOK and MOKx when secure boot be disabled
joeyli
jlee at suse.com
Thu Dec 23 04:10:14 UTC 2021
Hi Mimi,
On Tue, Dec 21, 2021 at 06:28:31PM -0500, Mimi Zohar wrote:
> On Sat, 2021-12-18 at 10:09 +0800, Lee, Chun-Yi wrote:
> > The security of Machine Owner Key (MOK) relies on secure boot. When
> > secure boot is disabled, EFI firmware will not verify binary code. Then
> > arbitrary efi binary code can modify MOK when rebooting.
> >
> > This patch prevents MOK/MOKx be loaded when secure boot be disabled.
> >
> > Signed-off-by: "Lee, Chun-Yi" <jlee at suse.com>
>
> Thanks, Joey!
>
> This patch is now queued in the next-integrity-testing branch waiting
> further review/tags.
>
> Mimi
Thanks for your review!
Joey Lee
More information about the Linux-security-module-archive
mailing list