
A Modern Look at Secure Boot

UA2.114 (Baudoux) | Day 2 | 13:00 - 13:30 | Speakers: James Bottomley


Notes

Abstract

The basic concept of Secure Boot is now well established (and has been widely used in Linux for nearly 15 years). Most people now decline to take ownership of their systems (by replacing the CA keys in the UEFI db variable) and instead pivot trust away from the UEFI variables to the MoK (Machine Owner Key) ones, which can be updated from the operating system. Thus, if you want to secure boot your own kernel, you usually create a signing key and load that into MoK.

This talk will go quickly over the history, how you take ownership, what problems you encounter, how you create and install your own signing keys in MoK, and how the kernel imports all these keys into the keyring system and uses them (verifying module signatures and IMA signed policy), including the differences between the machine and secondary_trusted keyrings. We'll also discuss some of the more recent innovations, like adding SBAT to the rather problematic UEFI revocation story, and how it works.

