On 30.03.2017 at 15:48, jsegitz(a)suse.de wrote:
> On Wed, Mar 29, 2017 at 09:19:42PM +0200, Malte Gell wrote:
>> And, do I understand correctly, MokManager.efi is signed with the
>> Microsoft KEK and writes my user key into the UEFI db key store? Thus,
>> MokManager.efi is a way to get user keys into UEFI db?
>
> yes, with MokManager you can enroll your own keys
Oh, is MokManager able to enroll new PK and KEK keys?
That would be awesome, some mainboards have no EFI GUI for doing that
and my Asrock only has a broken test PK..... :-(
thanks
Malte
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
Hi there,
to bring pain to a new level I play with secure boot and want to get a
custom kernel run with secure boot. I read the SUSE how to from there:
https://en.opensuse.org/openSUSE:UEFI#Booting_a_custom_kernel
But, I am a bit confused, this guide signs vmlinuz, but not a single
module!?
Don't the kernel modules need to be signed as well?
Or is there some magic that applies the vmlinuz signature automatically
to all modules?!
Last, there is a UEFI boot entry "opensuse-trusted" (or similar), I
guess this is meant to use with secure boot / shim?
regards
--
On 29.03.2017 at 18:14, jsegitz(a)suse.de wrote:
> On Wed, Mar 29, 2017 at 01:04:46PM +0200, Malte Gell wrote:
>> to bring pain to a new level I play with secure boot and want to get a
>> custom kernel run with secure boot. I read the SUSE how to from there:
>>
>> https://en.opensuse.org/openSUSE:UEFI#Booting_a_custom_kernel
>>
>> But, I am a bit confused, this guide signs vmlinuz, but not a single
>> module!?
>> Don't the kernel modules need to be signed as well?
> For openSUSE kernels module loading is not restricted (for SLES it is)
Ok. I think this is no problem, there still is MODULE_SIG_FORCE to care
for signed modules.
And, do I understand correctly, MokManager.efi is signed with the
Microsoft KEK and writes my user key into the UEFI db key store? Thus,
MokManager.efi is a way to get user keys into UEFI db?
thanks
--
Just out of curiosity,
do SUSE kernels have security-specific patches / features the vanilla
kernel does not have?
regards
m
--
In order to allow UDP broadcast with the SUSEfirewall, is it enough to add
e.g. BROADCAST="123,456" to the rules or is there more to add?
I ask, because in my set UDP broadcast may have been dropped, despite
using BROADCAST="123"....
thanks
--
Hi list,
seccheck sent me a mail from a SLES 12 SP 1. I do not understand what
the mail should tell me.
Subject: *** SECURITY information for <hostname> ***
Content (one line): <hostname> : Mar 12 08:09:24 : root : problem with
defaults entries ; TTY=unknown ; PWD=/ ;
<hostname> is just the placeholder for the real hostname :)
What does "problem with defaults entries" mean?
Puzzled
Werner
--