[PATCH v5 00/12] Enroll kernel keys thru MOK

Eric Snowberg eric.snowberg at oracle.com
Wed Sep 8 17:09:44 UTC 2021

> On Sep 8, 2021, at 10:03 AM, Jarkko Sakkinen <jarkko at kernel.org> wrote:
> On Tue, 2021-09-07 at 12:00 -0400, Eric Snowberg wrote:
>> Many UEFI Linux distributions boot using shim.  The UEFI shim provides
>> what is called Machine Owner Keys (MOK).  Shim uses both the UEFI Secure
>> Boot DB and MOK keys to validate the next step in the boot chain.  The
>> MOK facility can be used to import user generated keys.  These keys can
>> be used to sign an end-user development kernel build.  When Linux boots,
>> pre-boot keys (both UEFI Secure Boot DB and MOK keys) get loaded in the
>> Linux .platform keyring.  
>> Currently, pre-boot keys are not trusted within the Linux trust boundary
>> [1]. These platform keys can only be used for kexec. If an end-user
> What exactly is "trust boundary"? And what do you mean when you say that
> Linux "trusts" something? AFAIK, software does not have feelings. Please,
> just speak about exact things.

I am using terminology used previously by others when addressing this issue.  
If I should be using different terminology, please advise. The kernel does not 
trust pre-boot keys within it, meaning these pre-boot keys can not be used to 
validate items within the kernel. This is the “trust boundary”. Preboot keys are
on one side of the boundary, compiled-in keys are on the other.  MOK keys are 
pre-boot keys.  Currently they can not be used to validate things within the 
kernel itself (kernel modules, IMA keys, etc).

More information about the Linux-security-module-archive mailing list