On 1/22/2016 1:23 PM, Gordon Messmer wrote:
> On 01/22/2016 11:11 AM, John R Pierce wrote:
>> if you can insert a custom Machine Owner Key into this keyring, then
>> anyone with sufficient ingenuity can, too. which renders the whole
>> signature thing moot, other than as another step to be cracked.
>
> I'm not sure you understand mokutil. You do know that in order to
> enroll a key you must be physically present at the console before the
> kernel boots, right? In order to enroll a key, you must have admin
> access in the OS, and physical access to the hardware.
In order to install a kernel module without signing, you still need root-level
access to the OS, so that's nothing new.
Most all servers I run have remote KVM via IPMI, or are VMs, so this
can be done without physical presence, unless somehow mokutil disables
KVM (keyboard/video/mouse, not kernel virtualization) AND refuses to run
in a VM. Sure, if someone has penetrated my IPMI and/or virtualization
management, I'm already in a world of hurt, but no physical presence is
required.
--
john r pierce, recycling bits in santa cruz
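[Added example, not part of the thread above or of either poster's setup. The script below does two things relevant to the argument: it checks whether a given .ko actually has a kernel signature appended, and reports whether the running kernel enforces signatures (sig_enforce) or merely taints on unsigned loads. The marker string and the sysfs path are the real kernel ones; the MOK key names (MOK.priv, MOK.der, "Local MOK") and the sign-file path under /usr/src/kernels are assumptions, and the "fake module" files are constructed stand-ins so the checks can run without root or a real kernel module.]

```shell
#!/bin/sh
# Added example (not from the original thread): small checks around kernel
# module signing. Key names, CN and the sign-file path are assumptions.

# Marker the kernel appends after the signature blob (MODULE_SIG_STRING in
# the kernel sources); 27 characters plus a trailing newline = 28 bytes.
MODULE_SIG_STRING='~Module signature appended~'

# module_is_signed FILE: exit 0 if FILE ends with the signature marker,
# 1 if it does not, 2 if FILE does not exist. This only says a signature
# is present; whether any enrolled key verifies it is decided by the kernel.
module_is_signed() {
    [ -f "$1" ] || return 2
    tail -c 28 "$1" | grep -q "$MODULE_SIG_STRING"
}

# sig_enforce_state: prints Y when the kernel refuses unsigned modules,
# N when it only taints, or "unknown" when the sysfs file is absent
# (non-Linux, kernel built without CONFIG_MODULE_SIG, sandbox without sysfs).
sig_enforce_state() {
    p=/sys/module/module/parameters/sig_enforce
    if [ -r "$p" ]; then
        cat "$p"
    else
        echo unknown
    fi
}

# make_fake_module OUT SIGNED: write a constructed stand-in for a .ko.
# SIGNED=1 appends a dummy 12-byte module_signature header plus the marker.
# This is NOT a verifiable signature; it only exercises module_is_signed.
make_fake_module() {
    printf 'not-a-real-ELF-module\n' > "$1"
    if [ "$2" = 1 ]; then
        dd if=/dev/zero bs=12 count=1 2>/dev/null >> "$1"
        printf '%s\n' "$MODULE_SIG_STRING" >> "$1"
    fi
}

# sign_with_mok MODULE: the enrollment-and-sign flow the thread is about,
# with real tool names. Needs root, and mokutil --import only stages the key:
# the enrollment itself is confirmed in MokManager at the console on the next
# boot, with the one-time password given here. Paths/CN are assumptions.
sign_with_mok() {
    mod="$1"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=Local MOK/" -keyout MOK.priv -outform DER -out MOK.der
    mokutil --import MOK.der
    # ... reboot, confirm in MokManager, then continue:
    mokutil --list-enrolled | grep -q 'Local MOK' || return 1
    "/usr/src/kernels/$(uname -r)/scripts/sign-file" sha256 MOK.priv MOK.der "$mod"
    module_is_signed "$mod"
}

# Stand-alone demo over the constructed files (no root needed).
demo() {
    tmp=$(mktemp -d)
    make_fake_module "$tmp/unsigned.ko" 0
    make_fake_module "$tmp/signed.ko" 1
    for m in unsigned signed; do
        if module_is_signed "$tmp/$m.ko"; then
            echo "$m.ko: signature appended"
        else
            echo "$m.ko: no signature"
        fi
    done
    echo "sig_enforce: $(sig_enforce_state)"
    rm -rf "$tmp"
}
demo
```

The point of pairing the two checks: a signed module on a kernel with sig_enforce=N still loads unsigned ones (with a taint), so the signature is only "another step" if enforcement is on. Run `grep -q` style checks like these on the modules you actually ship rather than trusting that the build signed them.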