On 1/22/2016 1:23 PM, Gordon Messmer wrote:
> On 01/22/2016 11:11 AM, John R Pierce wrote:
>> If you can insert a custom Machine Owner Key into this keyring, then
>> anyone with sufficient ingenuity can, too. Which renders the whole
>> signature thing moot, other than as another step to be cracked.
>
> I'm not sure you understand mokutil. You do know that in order to
> enroll a key you must be physically present at the console before the
> kernel boots, right? In order to enroll a key, you must have admin
> access in the OS, and physical access to the hardware.

In order to install a kernel module without signing, you still need root-level access to the OS, so that's nothing new.

Most all servers I run have remote KVM via IPMI, or are VMs, so this can be done without physical presence, unless somehow mokutil disables KVM (keyboard/video/mouse, not kernel virtualization) AND refuses to run in a VM.

Sure, if someone has penetrated my IPMI and/or virtualization management, I'm already in a world of hurt, but no physical presence is required.

-- 
john r pierce, recycling bits in santa cruz
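The thread turns on the fact that a MOK enrollment is staged by root with mokutil and only completed at the next boot, at a console that may be a remote KVM or a VM console rather than a physical one. A defender's answer is to watch for staged-but-not-yet-completed enrollments. The script below is an added example, not part of the mailing-list thread: it classifies the outputs of `mokutil --sb-state` and `mokutil --list-new` (both real mokutil options) into a short status. The exact output strings matched ("SecureBoot enabled", "MokNew is empty") are assumptions about common mokutil builds; the function takes the captured text as arguments so the logic can be checked offline against constructed samples, and `mok_check_live` is a thin wrapper that gathers the real outputs on a host that has mokutil installed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the mokutil CLI with the
# real options --sb-state and --list-new; the matched output strings are
# assumptions about typical mokutil builds.

# mok_assess SB_STATE_TEXT LIST_NEW_TEXT
#   SB_STATE_TEXT: captured output of `mokutil --sb-state`
#   LIST_NEW_TEXT: captured output of `mokutil --list-new`
# Prints one of: secureboot-off | pending-enrollment | clean
mok_assess() {
    sb="$1"
    pending="$2"

    # Assumed format: "SecureBoot enabled" / "SecureBoot disabled"
    case "$sb" in
        *"SecureBoot enabled"*) sb_on=1 ;;
        *) sb_on=0 ;;
    esac

    # Assumed format: "MokNew is empty" when nothing is staged; otherwise a
    # key listing. An empty string (command failed or no MokNew var) is
    # treated as nothing pending.
    case "$pending" in
        ""|*"MokNew is empty"*) has_pending=0 ;;
        *) has_pending=1 ;;
    esac

    if [ "$sb_on" -eq 0 ]; then
        # With Secure Boot off, MOK signing is not enforced at all.
        echo "secureboot-off"
    elif [ "$has_pending" -eq 1 ]; then
        # A key has been staged by root and will be enrolled at the next
        # boot if someone answers the MokManager prompt, physically or via
        # remote KVM / VM console. This is the condition worth alerting on.
        echo "pending-enrollment"
    else
        echo "clean"
    fi
}

# Live wrapper: run the real commands (needs mokutil; may need root) and
# return a non-zero exit code for anything other than "clean", so the
# script can sit in cron or a monitoring check.
mok_check_live() {
    if ! command -v mokutil >/dev/null 2>&1; then
        echo "mokutil-missing"
        return 2
    fi
    status=$(mok_assess "$(mokutil --sb-state 2>/dev/null)" \
                        "$(mokutil --list-new 2>/dev/null)")
    echo "$status"
    [ "$status" = "clean" ]
}

# Only query the live system when explicitly asked, so the file can also
# be sourced and its functions reused.
if [ "${1:-}" = "--live" ]; then
    mok_check_live
fi
```

Run it as `sh mokcheck.sh --live` on the host; a `pending-enrollment` result means a key has been staged and the next console session, remote or not, can complete the enrollment, which is exactly the window the reply above describes.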