Garrett: UEFI secure booting

Posted Sep 20, 2011 20:01 UTC (Tue) by jhhaller (subscriber, #56103)
Parent article: Garrett: UEFI secure booting

If I were designing a BIOS, I would include the Microsoft key and my own key, and provide software signed by my key which could sign other software and install a key. That ensures that one can't update the list of keys except with signed software. Assuming that any signed software doesn't maliciously add new keys, it's a reasonable security model.

Of course, the first thing that will happen is that someone will crack Windows, and, since it is trusted, add their own signature for the rootkit they are installing to make the machine a zombie. The second thing is that someone will start cracking UEFI boot, since security is where people start attacking. Given some of the comments about BIOS authors, I'm not sure they are the people with whom one wants to entrust security.


How to make a sane BIOS

Posted Sep 22, 2011 16:30 UTC (Thu) by jmorris42 (subscriber, #2203)

Nope, I'd skip all that foolishness if I were designing a Free Software friendly firmware. It is this simple:

Boot into the firmware with the install media inserted in the optical drive or USB port. Pick an option that says "I want to install from this media." It gives a warning asking if you trust this media and then it looks on the media for a well publicised filename containing a public key and imports that to its trusted key store and then proceeds to boot the signed installer.

That is simple, safe and allows any Linux distro to enjoy the benefits of secure booting without any centralized key authority beyond the distro's key management to add/remove keys post install. So you would still need a method to add/revoke keys from within a secure OS.

Copyright © 2013, Eklektix, Inc.