Re: the ghost of UEFI and Micr0$0ft

To: debian <debian-user@lists.debian.org>
Subject: Re: the ghost of UEFI and Micr0$0ft
From: "Christofer C. Bell" <christofer.c.bell@gmail.com>
Date: Fri, 8 Jun 2012 10:59:01 -0500
Message-id: <[🔎] CAOEVnYs2gpjOpLfjj8AjcOhUbnmCYNA_1fW_tMqyoN3ZEhMZQA@mail.gmail.com>
In-reply-to: <[🔎] 877gvisb1u.fsf@catnip.gol.com>
References: <[🔎] CAO4+coYHYAghvJ=DtQXzSyLRX7KkRDWEy6p4ktZtoZR=Nf4mUg@mail.gmail.com> <[🔎] 1338883289.3371.6.camel@precise> <[🔎] 4FCE2D01.1090906@optonline.net> <[🔎] 20120605182626.7f21d335@ares.home.chubig.net> <[🔎] 4FCE3B09.50104@optonline.net> <[🔎] 20120605191855.3d0611ad@ares.home.chubig.net> <[🔎] 20120605180127.GJ6442@n0nb.us> <[🔎] CAOEVnYss7mXb_jNzh+nYyGAQAXsthdziwP18_+Q8F_jiSYu_Gw@mail.gmail.com> <[🔎] 87sje9ulsb.fsf@catnip.gol.com> <[🔎] 4FCEE02E.30007@gmail.com> <[🔎] 878vfzty92.fsf@catnip.gol.com> <[🔎] CAOEVnYtS_aVJVS-2bkAkA5aACBLnaT4Cp0M_Ax9Y3C2JNmnyfQ@mail.gmail.com> <[🔎] 877gvisb1u.fsf@catnip.gol.com>

On Thu, Jun 7, 2012 at 11:05 PM, Miles Bader <miles@gnu.org> wrote:
> "Christofer C. Bell" <christofer.c.bell@gmail.com> writes:
>>> Would that mean anybody who wants to build their own kernel would need
>>> to buy a signing key?
>>
>> Not at all.  You can generate your own key and load it into your UEFI.
>>  It's no different a situation than using self-signed ssl certs
>> without buying one from a certificate authority.  There's no need to
>> pay any money to anyone to use the secure boot feature.  Is it a
>> hassle?  Sure, but you're not beholden to any 3rd party regardless.
>
> Er, wait, doesn't that mean a malware author could do the same thing?

Yes, any malware author would be able to generate a signing key and
sign their software as authentic genuine malware.  This does not mean
that you are compelled to trust that key.

> Or is entering a new key a "manual" process ("type in the 50 hex digit
> key")?

You would need to enter that key yourself into your UEFI indicating
that you trust the malware author's key.  If you do not enter it into
your system, you indicate that you do not trust the key and therefore
the malware will not be allowed to run on your machine.

> Can there be multiple keys (I vaguely recall the article saying there
> could only be one key [at MS's insistence]...but not sure if I really
> understood what it was saying)?

That depends on the UEFI implementation.  I would guess that mutliple
keys are possible.

-- 
Chris

Reply to:

References:
- the ghost of UEFI and Micr0$0ft
  - From: Harshad Joshi <firewalrus@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Ralf Mardorf <ralf.mardorf@alice-dsl.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Doug <dmcgarrett@optonline.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Claudius Hubig <debian_1206@chubig.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Doug <dmcgarrett@optonline.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Claudius Hubig <debian_1206@chubig.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Nate Bargmann <n0nb@n0nb.us>
- Re: the ghost of UEFI and Micr0$0ft
  - From: "Christofer C. Bell" <christofer.c.bell@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Miles Bader <miles@gnu.org>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Scott Ferguson <scott.ferguson.debian.user@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Miles Bader <miles@gnu.org>
- Re: the ghost of UEFI and Micr0$0ft
  - From: "Christofer C. Bell" <christofer.c.bell@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Miles Bader <miles@gnu.org>

Prev by Date: Re: the ghost of UEFI and Micr0$0ft
Next by Date: Re: postfix and hostname
Previous by thread: Re: the ghost of UEFI and Micr0$0ft
Next by thread: Re: the ghost of UEFI and Micr0$0ft
Index(es):
- Date
- Thread