Linux Driver (Helper) Signing #1399
Replies: 1 comment
I'm talking about MOK, or a custom key hierarchy (PK etc.) loaded by the user instead of the Microsoft ones. The difference is irrelevant for chipsec though: it should only care about receiving a private and public key and call the signing script, something along the lines of:
The advantages of having chipsec do it are that you configure the path to the keys once somehow, and then it's done automatically when you rebuild regardless of the mode (--inplace or release), and locating the signing script based on the path of the kernel headers it has to figure out anyway. Again, really just a small convenience change to simplify build scripts in my case.
@kerneis-anssi brought up an interesting question about signing the chipsec driver in Linux. I know there are ways to do this with MOK, but you'd really want to keep this to particular one-off systems, because the driver effectively bypasses the kernel lockdown concepts by opening user-space access to memory and registers.
@kerneis-anssi were you talking about MOK signing or something else? Do we need alternate solutions?