Vendor-specificity of KEK

Posted Jul 19, 2025 10:08 UTC (Sat) by linuxtardis (guest, #178362)
In reply to: Vendor-specificity of KEK by linuxtardis
Parent article: Linux and Secure Boot certificate expiration

I found a brief overview of the different keys in a Matthew Garrett's presentation from 2012: https://youtu.be/V2aq5M3Q76U?si=hnMbw_H8LzaiMi1I&t=1832

Vendor-specificity of KEK

Posted Jul 19, 2025 20:12 UTC (Sat) by raven667 (subscriber, #5198) [Link] (1 responses)

Many of the problems mjg59 talks about in 2012 were solved, with shim and mokutil for example so you can load locally built kernel modules with a local keypair using akmods that are trusted enough, you have to subscribe the key on the machine from the local console, it can't be done remotely, so you can only use this mechanism to hose your own machine, and it doesn't cause problems with the security boundary SecureBoot is trying to create, which is malware coming in over the network and modifying the boot process in a way that is silent to the user, like malware could go through the akmods dance to boot into mokutil to authorize a key, but you can just say "no" and it's stuck.

And at the time they didn't have a use case for using SecureBoot for virtualization guests but now that is something which is used to help validate the kernel booted cleanly even for servers, it's not trying to protect against the hypervisor vendor which owns the underlying hardware anyway, but still trying to keep malware from modifying the server OS in ways that aren't detectable.

Vendor-specificity of KEK

Posted Jul 19, 2025 20:31 UTC (Sat) by linuxtardis (guest, #178362) [Link]

Yeah, linking the video here without providing this update was unfortunate. Thank you for mentioning this.