Didier Gaumet, on 2019-09-17:
> On Monday, 16 September 2019 21:00:04 UTC+2, Étienne Mollier wrote:
> [...]
> > does someone know if UEFI
> > prevents unsigned "driver" or "firmware" loading ? (or both?)
> [...]
>
> it forbids it if SecureBoot is activated:
> https://wiki.debian.org/SecureBoot#Secure_Boot_limitations

Hello Didier,

Thanks for the link!

So, as far as I understand, if Secure Boot is enabled, then Linux enters a lockdown mode effectively preventing the use of third party drivers, as long as they are unsigned, or their signature is not validated by the firmware (as in "UEFI firmware of the motherboard").

Pushing further in the documentation, I haven't seen any mention of the signature of third party firmware (as in "CPU, or GPU, microcode" this time), so I /suppose/ that once the valid driver is loaded, it /might/ have enough permissions to proceed to a microcode upgrade of the component it is responsible for. Having had a look at the various capabilities being disabled, I haven't seen anything likely to prevent this particular kind of manipulation. Most entries seemed related to more or less direct interferences from user land to the hardware at run time. It is interesting to note that hibernation is not usable in conjunction with Secure Boot.

I see there is a possibility to bring our own signing keys into the UEFI firmware using "mokutil", higher up in the web page. It seems worth investigating, since I tend to play a lot with Frankenkernels.

My current motherboard is a decade old (so, good old BIOS is still alone on the firmware), but I am slowly beginning to consider a refresh of my configuration, one day. In which case, I am seriously considering sticking to UEFI Secure Boot, not exactly for security, mostly to have a general idea of how things work, by practice.

(Having to drop 16 GiB of RAM because of the general move to DDR4, or probably higher if I wait long enough, is kind of sad though; it can wait a few more years perhaps…)

With my apologies for the drift from the original thread…

Kind Regards, :)
-- 
Étienne Mollier <etienne.mollier@mailoo.org>
Fingerprint: 5ab1 4edf 63bb ccff 8b54 2fa9 59da 56fe fff3 882d
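An added example, not part of the original message: a shell script that reports the two states discussed in this thread, whether the firmware has Secure Boot enabled and which lockdown mode the kernel is in. It assumes the mainline sysfs locations (the `SecureBoot` EFI variable and `/sys/kernel/security/lockdown`); on kernels that lack the lockdown file it prints `unavailable`.

```shell
#!/bin/sh
# Added example: report Secure Boot state and kernel lockdown mode.
# Paths are the mainline kernel locations (assumption, not from the mail).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
LOCKDOWN=/sys/kernel/security/lockdown

# An efivarfs file is 4 attribute bytes followed by the variable data;
# for SecureBoot the data is a single byte: 1 = enabled, 0 = disabled.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# The lockdown file lists every mode and brackets the active one,
# e.g. "none [integrity] confidentiality".
lockdown_mode() {
    [ -r "$1" ] || { echo unavailable; return; }
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1")
    echo "${mode:-unavailable}"
}

# In "integrity" and "confidentiality" modes the kernel refuses modules
# whose signature it cannot verify. "no" only means lockdown is not the
# reason; module.sig_enforce can still require signatures.
unsigned_modules_refused() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) echo yes ;;
        none) echo no ;;
        *) echo unknown ;;
    esac
}

# Signer recorded in a module, empty if it is unsigned (kmod's modinfo).
module_signer() { modinfo -F signer "$1" 2>/dev/null; }

report() {
    echo "Secure Boot:              $(secure_boot_state "$SB_VAR")"
    echo "Kernel lockdown:          $(lockdown_mode "$LOCKDOWN")"
    echo "Unsigned modules refused: $(unsigned_modules_refused "$LOCKDOWN")"
}
report
```

`module_signer <module-name>` prints the signer of an installed module, which is the quickest way to see whether a locally built driver would pass the check.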