On Fri, May 22, 2020 at 05:38:40PM -0000, Dimitri John Ledkov wrote: > I guess my general level of paranoia w.r.t number of roots of trust, and > ability to inspect them.
> Improved subject would help a lot. > Can that shim cert sign online signing subkeys? Can the shim cert sign > grub? Kernel? Kernel Modules? Are the questions I don't even want to > think about. $ openssl pkcs7 -noout -print_certs -text -inform DER -in /tmp/detach.der [...] X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only X509v3 Extended Key Usage: Code Signing, Microsoft Trust List Signing X509v3 Basic Constraints: CA:FALSE [...] It cannot sign subkeys. If it signed any of grub, kernel, or kernel modules, it would be trusted. However since it is an ephemeral key that's thrown away after the build, this would not happen. And it would be pointless to try to limit what could be signed with this key, given that it is already used to sign EFI binaries, which is the highest level of trust. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1880197 Title: ephemeral key used to sign mokmanager should have better certificate attributes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs