Conversation

Jarkko Sakkinen

Edited 5 months ago

Would it be unorthodox for sbsign to use kernel crypto API (optionally) instead of OpenSSL?

One use case for this would be MOK private key that is encrypted while at rest with TPM, and never exposed to CPU.

This would be a great application for the kernel feature that I’m working on i.e. an asymmetric TPM2 key (patch set is slowly getting together, right now at iteration seven).

Just to name an example, this is how Ubuntu manages that key as of today: https://wiki.ubuntu.com/UEFI/SecureBoot/Signing. [for the record, Ubuntu is not doing worse job in this than anyone else, they just have awesome documentation, thus the example]

#linux #kernel #tpm

0
1
1