Re: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled

2018-03-14 Thread joeyli
Hi Ard, First! Thanks for your review! On Tue, Mar 13, 2018 at 05:25:30PM +, Ard Biesheuvel wrote: > On 13 March 2018 at 10:37, Lee, Chun-Yi wrote: > > The mok can not be trusted when the secure boot is disabled. Which > > means that the kernel embedded certificate

Re: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled

2018-03-13 Thread Ard Biesheuvel
On 13 March 2018 at 10:37, Lee, Chun-Yi wrote: > The mok can not be trusted when the secure boot is disabled. Which > means that the kernel embedded certificate is the only trusted key. > > Due to db/dbx are authenticated variables, they needs manufacturer's > KEK for