[CentOS] How to get UEFI setting by shell?

Fri Jan 22 21:56:09 UTC 2016
John R Pierce <pierce at hogranch.com>

On 1/22/2016 1:23 PM, Gordon Messmer wrote:
> On 01/22/2016 11:11 AM, John R Pierce wrote:
>> if you can insert a custom Machine Owner Key into this keyring, then 
>> anyone with sufficient ingenuity can, too. which renders the whole 
>> signature thing moot, other than as another step to be cracked. 
>
> I'm not sure you understand mokutil.  You do know that in order to 
> enroll a key you must be physically present at the console before the 
> kernel boots, right?  In order to enroll a key, you must have admin 
> access in the OS, and physical access to the hardware. 

in order to install a kernel module without signing, you still need root 
level access to the OS, so that's nothing new.

Most all servers I run have remote KVM via IPMI, or are VMs, so this 
can be done without physical presence, unless somehow mokutil disables 
KVM (keyboard/video/mouse, not kernel virtualization) AND refuses to run 
in a VM. Sure, if someone has penetrated my IPMI and/or virtualization 
management, I'm already in a world of hurt, but no physical presence is 
required.



-- 
john r pierce, recycling bits in santa cruz
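The thread above turns on what `mokutil --import` actually does: it stages a key in the MokNew variable, and the enrollment is only completed when MokManager is confirmed at the console on the next boot (a console that, as the reply notes, may be an IPMI KVM or a VM console rather than a physical one). The script below is an added example, not code from the thread, from mokutil or from CentOS, that an operator can use to audit exactly that: whether Secure Boot is on, which MOKs are enrolled, whether any enrolled key is outside a site allowlist, and whether a key is currently staged and waiting for that next-boot confirmation. It assumes the text formats mokutil prints (`SecureBoot enabled|disabled` for `--sb-state`; `[key N]`, a `SHA1 Fingerprint:` line and an openssl `x509 -text` style dump for `--list-enrolled` and `--list-new`). The sample listing, fingerprints, subjects and allowlist are constructed for the example and belong to no real key.

```shell
#!/bin/sh
# mok_audit.sh (assumed name). Added example, not part of mokutil or the thread.
# Parses mokutil's text output and flags (a) Secure Boot off, (b) enrolled
# Machine Owner Keys that are not on an allowlist, and (c) a key staged with
# `mokutil --import` that is still waiting for the next-boot MokManager prompt.

# Constructed sample in the shape of `mokutil --list-enrolled` output; the
# fingerprints and subjects are made up and do not belong to any real key.
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Distro Secure Boot CA
        Subject: CN=Distro Secure Boot CA
[key 2]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=unknown-operator
        Subject: CN=unknown-operator'

# Fingerprints the site has approved (assumed allowlist, space separated).
APPROVED_FPS='11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44'

# Print the SHA1 fingerprint of every key in a MOK listing read on stdin.
mok_fingerprints() {
    awk -F': ' '/^SHA1 Fingerprint:/ { print $2 }'
}

# Print "fingerprint<TAB>subject" for every key in a MOK listing read on stdin.
mok_summary() {
    awk -F': ' '
        /^SHA1 Fingerprint:/    { fp = $2 }
        /^[[:space:]]*Subject:/ { print fp "\t" $2 }
    '
}

# Read fingerprints (one per line) on stdin and print those not in the
# allowlist given as $1. Exit status 1 if any unexpected key was found.
mok_unexpected() {
    mok_allow="$1"
    mok_found=0
    while IFS= read -r mok_fp; do
        case " $mok_allow " in
            *" $mok_fp "*) ;;
            *) printf '%s\n' "$mok_fp"; mok_found=1 ;;
        esac
    done
    return $mok_found
}

# Exit 0 when `mokutil --sb-state` output on stdin reports Secure Boot on.
sb_enabled() {
    grep -q '^SecureBoot enabled'
}

# Exit 0 when a `mokutil --list-new` listing on stdin contains a staged key,
# i.e. `mokutil --import` has run and only the next-boot MokManager
# confirmation (reachable over IPMI KVM or a VM console) remains.
mok_pending() {
    grep -q '^SHA1 Fingerprint:'
}

# Run the real checks on this host. Needs mokutil and root; not called by
# default so the file can be sourced and the parsers reused.
audit_live() {
    mokutil --sb-state | sb_enabled \
        || echo 'WARNING: Secure Boot is disabled on this host'
    echo 'Enrolled MOKs:'
    mokutil --list-enrolled | mok_summary
    if mokutil --list-enrolled | mok_fingerprints | mok_unexpected "$APPROVED_FPS"; then
        echo 'OK: only approved MOKs are enrolled'
    else
        echo 'WARNING: the fingerprints above are not on the allowlist'
    fi
    if mokutil --list-new 2>/dev/null | mok_pending; then
        echo 'WARNING: a key is staged and will be offered for enrollment at next boot'
    fi
}
```

Run it as root with `. ./mok_audit.sh && audit_live`. The staged-key check is the one that matters for the argument in the thread: a pending MokNew entry means `mokutil --import` has already been run with root, and whoever can reach the console at the next reboot, physically or through the BMC's KVM, can finish the enrollment, so a pending key on a host that was not deliberately re-keyed deserves the same attention as an unknown enrolled one.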