
UEFI Secure Boot lockdown effects (Was: Installation suitability for Dell laptop)



Didier Gaumet, on 2019-09-17:
> On Monday 16 September 2019 21:00:04 UTC+2, Étienne Mollier wrote:
> [...]
> > does someone know if UEFI
> > prevents unsigned "driver" or "firmware" loading ?  (or both?)
> [...]
>
> it forbids it if SecureBoot is activated:
>  https://wiki.debian.org/SecureBoot#Secure_Boot_limitations

Hello Didier,
Thanks for the link!

So, as far as I understand, if Secure Boot is enabled, then
Linux enters a lockdown mode effectively preventing the use
of third party drivers, as long as they are unsigned, or their
signature is not validated by the firmware (as in "UEFI firmware
of the motherboard").

Pushing further in the documentation, I haven't seen any mention
of the signature of third party firmware (as in "CPU, or GPU,
microcode" this time), so I /suppose/ that once the valid driver
is loaded, it /might/ have enough permissions to proceed to a
microcode upgrade of the component it is responsible for.
Having had a look at the various capabilities being disabled,
I haven't seen anything likely to prevent this particular kind
of manipulation.  Most entries seemed related to more or less
direct interferences from user land to the hardware at run
time.  It is interesting to note that hibernation is not usable
in conjunction with Secure Boot.

I see there is a possibility to bring our own signing keys into
the UEFI firmware using "mokutil", further up on the web page.  It
seems worth investigating, since I tend to play a lot with
Frankenkernels.  My current motherboard is a decade old
(so, good old BIOS is still alone on the firmware), but I am
slowly beginning to consider a refresh of my configuration, one
day.  In which case, I am seriously considering sticking to UEFI
Secure Boot, not exactly for security, mostly to have a general
idea of how things work, by practice.  (Having to drop 16 GiB of
RAM because of the general move to DDR4, or probably higher if I
wait long enough, is kind of sad though; it can wait a few more
years perhaps… )

With my apologies for the drift from the original thread…
Kind Regards,  :)
-- 
Étienne Mollier <etienne.mollier@mailoo.org>
Fingerprint:  5ab1 4edf 63bb ccff 8b54  2fa9 59da 56fe fff3 882d
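
The following is an added example, not part of the original message or of any Debian tooling: a shell sketch that reports whether Secure Boot is enabled and which lockdown mode the running kernel is in, the two states the message relates to each other. It assumes efivarfs is mounted at the usual path and that the kernel exposes the lockdown LSM file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Default paths are assumptions about the running system;
# each function takes the file path as an argument so it can also be run
# against constructed sample files.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
LOCKDOWN=/sys/kernel/security/lockdown

# An efivarfs file starts with a 4-byte attribute word; the SecureBoot
# value is the single byte that follows (1 = enabled, 0 = disabled).
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# The lockdown file lists every mode and brackets the active one,
# for example: none [integrity] confidentiality
lockdown_mode() {
    [ -r "$1" ] || { echo unavailable; return 0; }
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1")
    echo "${mode:-unknown}"
}

# Warn when Secure Boot is enabled while lockdown reports "none", the case
# where the restrictions discussed in the message are not in force.
assess() {
    sb=$(secure_boot_state "$1")
    ld=$(lockdown_mode "$2")
    if [ "$sb" = enabled ] && [ "$ld" = none ]; then
        echo "WARN secure_boot=$sb lockdown=$ld"
    else
        echo "INFO secure_boot=$sb lockdown=$ld"
    fi
}

assess "$SB_VAR" "$LOCKDOWN"
```

On a machine without UEFI or without the lockdown file, the script prints `unknown` or `unavailable` for the respective field.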
