Message ID | 570E70DC.4060209@canonical.com |
---|---|
State | New |

On Wed, Apr 13, 2016 at 10:16:28AM -0600, Tim Gardner wrote:
> This mighty blob of code implements the functionality required to extract
> encryption keys and certificates from UEFI and use them to verify signed
> modules. This is important for locally compiled modules such as DKMS. A user
> would create or acquire a key and enter it into the MOK while also signing
> their local module with the same key. Upon reboot said key will appear in
> the kernel UEFI keyring which is then used to verify the new module.
>
> This code is pretty much untested, but I wanted some more eyeballs on it in
> order to make sure my interpretation reflects reality.
>
> This is phase 1 of secure boot signed module enforcement. Subsequent phases
> involve backporting this pile to Trusty and all kernels in between. Refer to
> https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot in order to
> understand why I am pushing for these changes at such a late date.

As best as I can tell these look to be a complete set. There is such a lot
of code here that a line by line comparison is almost impossible, but they
look reasonable to me.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw

On 13.04.2016 18:16, Tim Gardner wrote:
> git://kernel.ubuntu.com/rtg/ubuntu-xenial.git uefi-keyring

I would also say it's hard to validate correctness but it looks like all parts
are related to the task.

My only complaint would be that the modification of config options seems to be
ordered before applying patches that actually define them. I would rather place
them on top. Also, personally I would favour a bit more reasoning for the
changes at least in the bug report. Or even into the individual commit messages
as that is the first thing one hits when looking for reasons why something is
configured the way it is.

Since there are no hard reasons against, I am ACKing and leaving the details to
whomever is slamming stuff in.

-Stefan