[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proposal for stage-1 boot loader for use with SecureBoot [Re: [Long] UEFI support]

On Fri, 2012-07-06 at 11:02 +0200, Bastian Blank wrote:
> On Thu, Jul 05, 2012 at 05:39:07PM -0700, Rick Thomas wrote:
> > The fundamental problem we must solve is allowing the *user* to
> > securely choose which OS she wants to install.
> No. The user can disable secure boot.
> >                                                 Whether that OS
> > follows thru and verifies all its parts is between the user and the
> > person or group who provided the OS (could be the user, herself, of
> > course!)
> No, this is not voluntary. If we get a loader signed by an external
> entity, it have to fulfill the requirements, aka no execution of
> unsigned code in the kernel.

That was my first reaction.  But I'm not sure it's correct.

> > Would this work?  What have I missed?
> You show a fundamental missinterpretation of the goals of secure boot. I
> see nothing worth commenting on.

The goal is to prevent malware from persistently subverting a legitimate
OS kernel, even if it tricks the user or the kernel into letting it
install a boot loader or kernel module.

So, if some hypothetical boot loader handles the appearance of some
unsigned boot payload by asking 'do you really want to boot this?', of
course the naive user will answer 'yes, I want to boot my computer'.
Malware will then use that boot loader as its first stage and it will
end up blacklisted.  However, if the process of making the hypothetical
boot loader trust new boot code involves a more active decision on the
user's part (and if that decision cannot be automated by malware), it
might possibly be sufficient to keep it from being exploited and
blacklisted.  But perhaps there are formal requirements that I'm not
aware of, that would still forbid this.


Ben Hutchings
When in doubt, use brute force. - Ken Thompson

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: