On Sun, Oct 27, 2019 at 10:45:49AM +0100, Florian Weimer wrote:
> * Thomas Goirand:
> > I've set up my new laptop with secureboot, and now, I can't use the DKMS
> > modules from Virtualbox, as they aren't signed. I've been told by Sledge
> > that I should use MOK to do that, and that DKMS packages are supposed to
> > have all in them to support MOK.
> I don't think secure boot provides any benefit at all if you store the
> kernel module signing key on the same machine.

Generate the MOK certificate with EKU 1.3.6.1.4.1.2312.16.1.2. This indicates that the key should only be trusted for kernel modules, not for kernels or other EFI applications (bootloaders etc.). The value is honored by shim, grub (via shim), and the kernel (but not by the firmware; the firmware itself doesn't trust the MOK anyway, so this doesn't matter).

This does not eliminate all attacks that involve getting access to the private key on the machine, but it does prevent the presence of MOK + DKMS being used to attack the firmware.

We do this by default in Ubuntu with dkms.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                    vor...@debian.org
signature.asc
Description: PGP signature
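Steve's advice above, as an added example that is not part of the thread and is not Ubuntu's dkms or update-secureboot-policy code: a small POSIX shell script that generates a MOK certificate whose extendedKeyUsage carries 1.3.6.1.4.1.2312.16.1.2, checks that the OID really ended up in the certificate, and shows the signing and enrollment step a practitioner would run afterwards. The subject name, key size, validity period, file names, the sign-file path and the sha256 hash choice are assumptions made for the example; only openssl is required to run the generation and check.

```shell
#!/bin/sh
# Added example (not code from the thread or from Ubuntu's dkms packaging):
# create a MOK certificate restricted to kernel-module signing through the
# EKU 1.3.6.1.4.1.2312.16.1.2, and verify that the restriction is present.
# Assumes: openssl in PATH. Key size, validity, subject name and file names
# are arbitrary choices for the example.
set -eu

MOK_EKU="1.3.6.1.4.1.2312.16.1.2"   # "kernel module signing only" EKU

# Write an openssl config whose X.509v3 extensions carry the module-signing
# EKU. CA:FALSE keeps the MOK from being usable to issue further certificates.
write_mok_config() {
    cat >"$1" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no
x509_extensions    = mok_ext
string_mask        = utf8only

[ req_dn ]
CN = Example DKMS module signing key (assumed name)

[ mok_ext ]
basicConstraints     = critical,CA:FALSE
keyUsage             = digitalSignature
extendedKeyUsage     = $MOK_EKU
subjectKeyIdentifier = hash
EOF
}

# Generate a private key and a self-signed certificate into directory $1.
# Produces mok.key (PEM, mode 0600), mok.pem and mok.der (the form mokutil
# imports; sign-file also takes the DER certificate).
generate_mok() {
    dir="$1"
    write_mok_config "$dir/mok.cnf"
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -config "$dir/mok.cnf" \
        -keyout "$dir/mok.key" -out "$dir/mok.pem" 2>/dev/null
    chmod 600 "$dir/mok.key"
    openssl x509 -in "$dir/mok.pem" -outform DER -out "$dir/mok.der"
}

# Succeed only if PEM certificate $1 carries the module-signing EKU.
# openssl prints OIDs it has no name for in dotted-decimal form, so a plain
# text match on the OID is enough.
cert_has_module_signing_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$MOK_EKU"
}

# Sign one module with the key and enroll the certificate as a MOK.
# Not invoked by this script: it needs root, a built module, the kernel's
# sign-file helper (path below is an assumption) and a reboot to confirm the
# enrollment in MokManager. mokutil asks for a one-time password.
sign_and_enroll() {
    key="$1"; der="$2"; ko="$3"
    "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 "$key" "$der" "$ko"
    mokutil --import "$der"
}

# Stand-alone run: build a key pair in a scratch directory and show the EKU.
tmp=$(mktemp -d)
generate_mok "$tmp"
openssl x509 -in "$tmp/mok.pem" -noout -text | sed -n '/Extended Key Usage/{N;p;}'
if cert_has_module_signing_eku "$tmp/mok.pem"; then
    echo "module-signing-only EKU present in $tmp/mok.pem"
fi
rm -rf "$tmp"
```

The private key still lives on the machine, which is Florian's objection; what the EKU changes is what a key obtained from that machine can be used for, since shim refuses a certificate carrying this OID when verifying EFI binaries. Whether a given distribution's tooling additionally expects the generic codeSigning EKU next to the module-only OID is distribution-specific and not something this example settles.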