Comment # 24 on bug 1173158 from 
(In reply to Ludwig Nussel from comment #23)

> Right now we are loading unsigned modules so there is not much of a
> difference to that. 

Yes it is, it's pretending to be safe while it's not. You may argue the same
holds for SB in general, but hey, unencrypted secret keys on the disk of the
system they're supposed to protect should be a no-go in any case.

> In the worst case if storing the private key really is a
> concern, a new one could be created for each rebuild of the ko and the
> private key deleted afterwards.

That I'd really call the worst case. The whole MOK concept only makes sense if
you generate a key that you intend to trust, and keep that key reasonably safe.
If you're not willing to do that, you'll be better off by just disabling secure
boot (or use unsigned modules).

You are receiving this mail because: