Fedora, secure boot, and an insecure future

Posted Jun 5, 2012 22:42 UTC (Tue) by slashdot (guest, #22014)
In reply to: Fedora, secure boot, and an insecure future by dashesy
Parent article: Fedora, secure boot, and an insecure future

I see a problem: before you revoke the certificate, the kernel must be updated, or the machine won't boot.

But if it is a dual-boot system, then either Windows Update can update Linux and apt-get/yum can update Windows, or the other system will be made unbootable once the CRL is applied.

I guess that in principle it should be possible to store the kernels as EFI applications along with an update URL and do exactly that (and then have the kernel alone be capable of updating the rest of the system before it loads it), but I wonder if anyone really thought about this.

In addition, it won't be possible to install operating systems from disk media without an Internet connection, since the kernel on the disk would be almost surely revoked, but that's probably not such a huge concern.

IMHO this whole mess will just get disabled by anyone tech-savvy.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds