
Re: [Long] UEFI support

On Mon, Jan 09, 2012 at 08:01:00PM +0000, Philip Hands wrote:
> On Mon, 9 Jan 2012 14:04:15 +0000, Wookey <wookey@wookware.org> wrote:
> > * get our bootloaders signed by something like the 'linuxfoundation key'
> > if such a thing gets widely installed, 
> > * explain to users how to get the 'debian key' installed
> > * explain to users how to turn off secure boot.
> > * Get manufacturers to put the Debian key in machines for sale (or
> >   just make them with Debian (or a derivative) pre-installed).
> Are we going to have a restricted-GRUB that is only willing to load
> kernels also signed by keys built into it, which in turn are configured
> not to do tricks like kexec, to ensure that one doesn't use linux as a
> bootloader?

I think we would have to provide both options: a signed GRUB that
only boots signed kernels, and an unsigned GRUB that is unrestricted.
(Similarly for other UEFI bootloaders.)  Don't ask me how we build the
signed binaries, though.

In any case, I wouldn't expect the public key (KEK) for the bootloader
to be preinstalled except on systems that ship with Debian.  But the
Linux Foundation proposal envisages that a fresh system should allow
the OS installer to install a KEK and the firmware should provide a
'reset to factory default' that allows this again.

> If not, then any signature on GRUB will just be an invitation to some
> scrote to use that signed GRUB as part of their rootkit to insert
> malware under Windows, and give Microsoft a nice headline about us lot
> of pinko-commies being the cause of their latest security problems.

Exactly.  Indeed, I have heard that some Windows rootkits already use


Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus
