Morten Linderud

Results 465 comments of Morten Linderud

If the file extension is not ".bmp" just say it can't be verified. Good enough I think

Yep, I got that :) But a simple file extension check is fine if imagemagick is not available I think.

I don't think `integrity` disallows loading of unsigned modules, so not *as* important I reckon. I'm unsure if the UEFI keys get loaded into the keyring with `integrity` and `confidentiality`....

There is nothing to test yet I believe. I'll try to write a separate go library for kernel module signing and see if that works first. Then I'll work on some...

I was wrong :/ Turns out this was possible, but the kernel separated the UEFI keys into the `.platform` keyring which the modules do not verify against. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.0.y&id=9dc92c45177ab70e20ae94baa2f2e558da63a9c7 Fedora/RedHat carries...

Seems like there is some movement upstream to have `MokTrustPlatform` tell the kernel if the secure boot keys should be trusted or not. I'm annoyed that a lot of this...

After reading up on the patches I think we can get this to work using `sbctl` with this workflow.
* Create and set `MokListTrustedRT` to `1`
* Write our keys...

"Yes", but the issue is that the MOK variables are read from the EFI configuration table set up by `shim`. So without the `shim` software in your bootchain the kernel is...

The issue is that there are only two ways to load a trusted key into the Linux keyring. Include one at build-time or use the patch series above. There is...

You would still need to have the shim there, unless you have `sd-boot` set up the EFI configuration table :) I wanted to mention it at some point, but it's a...