[Acked] Xenial: Load signed external modules using local MOK key
Andy Whitcroft
apw at canonical.com
Mon Apr 18 08:02:04 UTC 2016
On Wed, Apr 13, 2016 at 10:16:28AM -0600, Tim Gardner wrote:
> This mighty blob of code implements the functionality required to extract
> encryption keys and certificates from UEFI and use them to verify signed
> modules. This is important for locally compiled modules such as DKMS. A user
> would create or acquire a key and enter it into the MOK while also signing
> their local module with the same key. Upon reboot said key will appear in
> the kernel UEFI keyring which is then used to verify the new module.
>
> This code is pretty much untested, but I wanted some more eyeballs on it in
> order to make sure my interpretation reflects reality.
>
> This is phase 1 of secure boot signed module enforcement. Subsequent phases
> involve backporting this pile to Trusty and all kernels in between. Refer to
> https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot in order to
> understand why I am pushing for these changes at such a late date.
As best as I can tell these look to be a complete set. There is such a
lot of code here that a line by line comparison is almost impossible,
but they look reasonable to me.
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw
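The verification described in the quoted patch summary starts from the signature block that `scripts/sign-file` appends to a `.ko`; a defender auditing DKMS output can check for that block from userspace before worrying about which MOK key it chains to. The following is an added example, not code from this thread or from the patch set, and it assumes the upstream `struct module_signature` trailer layout (12-byte info block followed by the magic string); it does not verify the PKCS#7 blob, only locates and sanity-checks it the way the kernel does before handing it to the verifier.

```python
import struct
import sys

# Magic the kernel's sign-file appends after the signature block.
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 pad[3], __be32 sig_len (12 bytes, big-endian length).
MODULE_SIG_FMT = ">BBBBB3xI"
MODULE_SIG_LEN = struct.calcsize(MODULE_SIG_FMT)
PKEY_ID_PKCS7 = 2  # id_type written by sign-file for PKCS#7 signatures


def append_signature(module: bytes, pkcs7: bytes) -> bytes:
    """Lay out module || pkcs7 || module_signature || magic like sign-file.
    The blob itself is whatever the caller supplies (constructed in tests)."""
    info = struct.pack(MODULE_SIG_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + info + MODULE_SIG_MAGIC


def parse_signature(image: bytes):
    """Return (payload, pkcs7_blob, id_type) for a signed image, or None if
    the trailer is absent or inconsistent (same checks mod_verify_sig makes)."""
    if not image.endswith(MODULE_SIG_MAGIC):
        return None  # unsigned, or signature stripped
    body = image[: -len(MODULE_SIG_MAGIC)]
    if len(body) < MODULE_SIG_LEN:
        return None
    algo, hash_, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        MODULE_SIG_FMT, body[-MODULE_SIG_LEN:])
    body = body[:-MODULE_SIG_LEN]
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        return None  # with PKCS#7 the signer/key id live inside the blob
    if sig_len > len(body):
        return None  # truncated or tampered length field
    payload = body[: len(body) - sig_len]
    blob = body[len(body) - sig_len:]
    return payload, blob, id_type


if __name__ == "__main__":
    # Usage: python3 modsig.py /lib/modules/$(uname -r)/updates/dkms/*.ko
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            res = parse_signature(f.read())
        print(path, "signed" if res else "UNSIGNED", res and len(res[1]))
```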