On Fri, May 22, 2020 at 05:38:40PM -0000, Dimitri John Ledkov wrote:
> I guess my general level of paranoia w.r.t number of roots of trust, and
> ability to inspect them.

> Improved subject would help a lot.

> Can that shim cert sign online signing subkeys? Can the shim cert sign
> grub? Kernel? Kernel Modules? Are the questions I don't even want to
> think about.

$ openssl pkcs7 -noout -print_certs -text -inform DER -in /tmp/detach.der 
[...]
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data 
Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, 
Decipher Only
            X509v3 Extended Key Usage: 
                Code Signing, Microsoft Trust List Signing
            X509v3 Basic Constraints: 
                CA:FALSE
[...]

It cannot sign subkeys.

If it signed any of grub, kernel, or kernel modules, it would be trusted.
However since it is an ephemeral key that's thrown away after the build,
this would not happen.  And it would be pointless to try to limit what could
be signed with this key, given that it is already used to sign EFI binaries,
which is the highest level of trust.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1880197

Title:
  ephemeral key used to sign mokmanager should have better certificate
  attributes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to