On Fri, 2012-07-06 at 11:02 +0200, Bastian Blank wrote: > On Thu, Jul 05, 2012 at 05:39:07PM -0700, Rick Thomas wrote: > > The fundamental problem we must solve is allowing the *user* to > > securely choose which OS she wants to install. > > No. The user can disable secure boot. > > > Whether that OS > > follows thru and verifies all its parts is between the user and the > > person or group who provided the OS (could be the user, herself, of > > course!) > > No, this is not voluntary. If we get a loader signed by an external > entity, it have to fulfill the requirements, aka no execution of > unsigned code in the kernel. That was my first reaction. But I'm not sure it's correct. > > Would this work? What have I missed? > > You show a fundamental missinterpretation of the goals of secure boot. I > see nothing worth commenting on. The goal is to prevent malware from persistently subverting a legitimate OS kernel, even if it tricks the user or the kernel into letting it install a boot loader or kernel module. So, if some hypothetical boot loader handles the appearance of some unsigned boot payload by asking 'do you really want to boot this?', of course the naive user will answer 'yes, I want to boot my computer'. Malware will then use that boot loader as its first stage and it will end up blacklisted. However, if the process of making the hypothetical boot loader trust new boot code involves a more active decision on the user's part (and if that decision cannot be automated by malware), it might possibly be sufficient to keep it from being exploited and blacklisted. But perhaps there are formal requirements that I'm not aware of, that would still forbid this. Ben. -- Ben Hutchings When in doubt, use brute force. - Ken Thompson
Attachment:
signature.asc
Description: This is a digitally signed message part