Introduce a new MOK variable called MokListTrustedRT #423
Conversation
|
Upstream Linux seems to be receptive to this approach. However they will not move forward with the Linux review until code enters shim first. Please see the patch above for review. References to this topic: https://lwn.net/ml/linux-kernel/20210914211416.34096-1-eric.snowberg@oracle.com/ |
Many ASRock boards will not render MokManager correctly if the Unicode Box Drawing characters are used. Signed-off-by: Tony Persson <tony@tonypersson.se>
|
Thanks for your review Peter. I'll also add the new var to the MokVars.txt. |
Introduce a new MOK variable called MokListTrustedRT. It allows an end-user to decide if they want to trust MOKList keys within the soon to be booted Linux kernel. This variable does not change any functionality within shim itself. When Linux boots, if MokListTrustedRT is set and EFI_VARIABLE_NON_VOLATILE is not set, keys in MokListRT are loaded into the .machine keyring instead of the .platform keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
|
The corresponding mokutil changes are located here: https://github.com/esnowberg/mokutil/tree/mokvars-v3 |
|
Pushed as 4e51340 |
| EFI_VARIABLE_NON_VOLATILE, | ||
| .no_attr = EFI_VARIABLE_RUNTIME_ACCESS, | ||
| .flags = MOK_MIRROR_DELETE_FIRST | | ||
| MOK_VARIABLE_MEASURE | |
There was a problem hiding this comment.
What was the intention for this flag to be set?
This pushes the content of the MokListTrusted in the PCR7, which doesn't make sense to me. This should only change the behavior of linux which is after the ExitBootServices that this variable is set to zero or one doesn't change the Secure Boot Policy (https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 section 3.3.4 PCR usage) of the machine before that and should not make it to PCR7
MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage) so it should not be factored in the value of PCR 7. See: rhboot#423 rhboot@4e51340 Fixes rhboot#484 Fixes rhboot#492
MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage) so it should not be factored in the value of PCR 7. See: rhboot#423 rhboot@4e51340 Fixes rhboot#484 Fixes rhboot#492 Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage) so it should not be factored in the value of PCR 7. See: #423 4e51340 Fixes #484 Fixes #492 Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage) so it should not be factored in the value of PCR 7. See: rhboot#423 rhboot@4e51340 Fixes rhboot#484 Fixes rhboot#492 Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
Introduce a new MOK variable called MokListTrustedRT. It allows an end-user
to decide if they want to trust MOKList keys within the soon to be booted
Linux kernel. This variable does not change any functionality within shim
itself. When Linux boots, if MokListTrustedRT is set and
EFI_VARIABLE_NON_VOLATILE is not set, keys in MokListRT are loaded into the
.machine keyring instead of the .platform keyring.
Signed-off-by: Eric Snowberg eric.snowberg@oracle.com