Re: [opensuse-security] signing custom kernel for secure boot
On 30.03.2017 at 15:48, jsegitz@suse.de wrote:
> On Wed, Mar 29, 2017 at 09:19:42PM +0200, Malte Gell wrote:
>> And, do I understand correctly, MokManager.efi is signed with the Microsoft KEK and writes my user key into the UEFI db key store? Thus, MokManager.efi is a way to get user keys into UEFI db?
> yes, with MokManager you can enroll your own keys

Oh, is MokManager able to enroll new PK and KEK keys? That would be awesome, some mainboards have no EFI GUI for doing that and my Asrock only has a broken test PK..... :-(

thanks
Malte

On Fri, Mar 31, 2017 at 01:12:34AM +0200, Malte Gell wrote:
> Oh, is MokManager able to enroll new PK and KEK keys?

AFAIK not. This is something that should only be possible in the BIOS.

> That would be awesome, some mainboards have no EFI GUI for doing that and my Asrock only has a broken test PK..... :-(

Did you check if you can fix this by updating your BIOS?

Johannes
--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)