On 15.08.2018 23:13, James Bottomley wrote: > Consider a UEFI system for which a user has taken ownership, but which > has some signed ROMs which are UEFI secure boot verified. Simply to > get their system to boot the user will be forced to add the ODM key to > the UEFI db ... and I'm sure in that situation the user wouldn't want > to trust the ODM key further than booting. I definitely agree with this point.
Is there any solution, except from building your own kernel, to the scenario I described? I think there should be. (I've personally run into this with VirtualBox, which I IIRC couldn't load, even though I provisioned my own PK, and signed both kernel and VirtualBox module with my own key. I could've compiled my own kernel with my //own key, but that is pretty impractical for most users.) Yannik