[PATCH v2] builddeb: Support signing kernels with the module signing key
Matthew Wilcox
willy at infradead.org
Tue Feb 8 13:10:34 GMT 2022
On Tue, Feb 08, 2022 at 12:01:22PM +0100, Julian Andres Klode wrote:
> It's worth pointing out that in Ubuntu, the generated MOK key
> is for module signing only (extended key usage 1.3.6.1.4.1.2312.16.1.2),
> kernels signed with it will NOT be bootable.
Why should these be separate keys? There's no meaningful security
boundary between a kernel module and the ernel itself; a kernel
modulecan, for example, write to CR3, and that's game over for
any pretence at separation.
More information about the Efi
mailing list