On 1/22/2016 1:23 PM, Gordon Messmer wrote:
> On 01/22/2016 11:11 AM, John R Pierce wrote:
>> if you can insert a custom Machine Owner Key into this keyring, then
>> anyone with sufficient ingenuity can, too. which renders the whole
>> signature thing moot, other than as another step to be cracked.
> I'm not sure you understand mokutil. You do know that in order to
> enroll a key you must be physically present at the console before the
> kernel boots, right? In order to enroll a key, you must have admin
> access in the OS, and physical access to the hardware.
in order to install a kernel module without signing, you still need root
level access to the OS, so that's nothing new.

Most all servers I run have remote KVM via IPMI, or are VMs, so this
can be done without physical presence, unless somehow mokutil disables
KVM (keyboard/video/mouse, not kernel virtualization) AND refuses to run
in a VM. Sure, if someone has penetrated my IPMI and/or virtualization
management, I'm already in a world of hurt, but no physical presence is
required.
--
john r pierce, recycling bits in santa cruz
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos