No signed kernel, just a signed boot loader
Posted Jun 22, 2012 18:47 UTC (Fri) by mjw
Parent article: Details on Ubuntu's UEFI secure boot plan
We believe that the intention of secure boot is to protect against
malicious use or modification of pre-boot code, before the
ExitBootServices UEFI service is invoked. Currently, this call is
performed by the boot loader, before the kernel is executed.
Therefore, we will only be requiring authentication of boot loader
binaries. Ubuntu will not require signed kernel images or kernel
So that is a lot more flexible than the Fedora approach. What is the reason Fedora will lock down the kernel and modules that access hardware directly?
Is there a catch? Otherwise it seems it would be enough to just have one boot loader signed and with that people are free to install any kernel they want.
to post comments)