
No signed kernel, just a signed boot loader


Posted Jun 22, 2012 19:54 UTC (Fri) by dashesy (subscriber, #74652)
In reply to: No signed kernel, just a signed boot loader by cjb
Parent article: Details on Ubuntu's UEFI secure boot plan

I am no expert in this, but can the boot loader hide/protect the entire Windows partition so that the kernel cannot access it, nor detect its presence?



No signed kernel, just a signed boot loader

Posted Jun 22, 2012 20:04 UTC (Fri) by cjb (guest, #40354)

> I am no expert in this, but can the boot loader hide/protect the entire Windows partition so that the kernel cannot access it, nor detect its presence?

No, not with current technology. Linux can simply undo whatever the bootloader does.

With eMMC devices, there's a "power-on read-only" lock that makes the device read-only until the next time the MMC controller loses power. If that technology were included in hard disks, something like you describe might be possible.

The eMMC power-on read-only technique was used on the T-Mobile G2 cell phone, stopping rooting of the device by making the kernel and rootfs read only inside the bootloader, before booting the kernel. It didn't hold out against sustained effort -- someone found a GPIO that the eMMC reset line was hooked up to, wrote a kernel module that pulses the line and reinits the MMC host in read/write mode before the VFS notices that anything changed, and disables the lock. Security is hard.
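The power-on write-protect lock cjb describes is applied per eMMC write-protect group, so whether a partition can be locked without also freezing its neighbours depends on the group size the part reports and on how the partitions are aligned to it. The following script is an added example, not code from this thread or from any project: it decodes the relevant EXT_CSD fields from a register image and reports, for a constructed partition table, which write-protect groups each partition spans and whether it is group-aligned. The byte indices (USER_WP = 171, ERASE_GROUP_DEF = 175, HC_WP_GRP_SIZE = 221, HC_ERASE_GRP_SIZE = 224) and bit masks are taken from the JEDEC eMMC EXT_CSD layout and are treated as assumptions to be checked against the spec revision of the part in hand; the register image, partition names and offsets are constructed sample data, and the function names are the example's own.

```python
"""Decode eMMC write-protect controls from an EXT_CSD image and check whether a
partition could be power-on write-protected on its own.

Added example, not from the LWN thread. Register offsets and bit masks follow
the JEDEC eMMC EXT_CSD layout as an assumption; the sample image and partition
table are constructed, not captured from hardware.
"""
from dataclasses import dataclass

EXT_CSD_SIZE = 512
EXT_CSD_USER_WP = 171            # assumption: USER_WP byte
EXT_CSD_ERASE_GROUP_DEF = 175    # assumption: ERASE_GROUP_DEF byte
EXT_CSD_HC_WP_GRP_SIZE = 221     # assumption: HC_WP_GRP_SIZE byte
EXT_CSD_HC_ERASE_GRP_SIZE = 224  # assumption: HC_ERASE_GRP_SIZE byte

# USER_WP bits (assumed per JEDEC): the *_DIS bits are one-time programmable
# and permanently forbid ever setting the matching *_EN bit again.
US_PWR_WP_EN = 0x01    # power-on WP may be applied; cleared by a power cycle
US_PERM_WP_EN = 0x04   # permanent WP may be applied; irreversible
US_PWR_WP_DIS = 0x08   # lock out power-on WP forever
US_PERM_WP_DIS = 0x10  # lock out permanent WP forever


def wp_group_size(ext_csd: bytes) -> int:
    """Write-protect group size in bytes when high-capacity groups are enabled.

    One WP group is HC_WP_GRP_SIZE erase groups, each HC_ERASE_GRP_SIZE * 512 KiB.
    """
    if len(ext_csd) != EXT_CSD_SIZE:
        raise ValueError("EXT_CSD is a 512-byte register")
    if not ext_csd[EXT_CSD_ERASE_GROUP_DEF] & 0x01:
        raise ValueError("ERASE_GROUP_DEF bit 0 clear: high-capacity sizes not in use")
    erase_group_bytes = ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] * 512 * 1024
    return erase_group_bytes * ext_csd[EXT_CSD_HC_WP_GRP_SIZE]


def decode_user_wp(ext_csd: bytes) -> dict:
    """Report which write-protect modes the user area currently allows."""
    b = ext_csd[EXT_CSD_USER_WP]
    return {
        "power_on_wp_enabled": bool(b & US_PWR_WP_EN),
        "permanent_wp_enabled": bool(b & US_PERM_WP_EN),
        "power_on_wp_locked_out": bool(b & US_PWR_WP_DIS),
        "permanent_wp_locked_out": bool(b & US_PERM_WP_DIS),
    }


@dataclass
class Partition:
    name: str
    offset: int  # bytes from start of user area
    length: int  # bytes


def lockable_alone(part: Partition, ext_csd: bytes) -> tuple:
    """Return (first_group, last_group, exclusive).

    exclusive is True only if the partition starts and ends on WP-group
    boundaries, so locking its groups would not also lock a neighbour's data.
    """
    g = wp_group_size(ext_csd)
    first = part.offset // g
    last = (part.offset + part.length - 1) // g
    exclusive = part.offset % g == 0 and part.length % g == 0
    return first, last, exclusive


def sample_ext_csd() -> bytes:
    """Constructed register image: 8 MiB WP groups, power-on WP allowed."""
    img = bytearray(EXT_CSD_SIZE)
    img[EXT_CSD_ERASE_GROUP_DEF] = 0x01
    img[EXT_CSD_HC_ERASE_GRP_SIZE] = 1   # 512 KiB erase groups
    img[EXT_CSD_HC_WP_GRP_SIZE] = 16     # 16 erase groups per WP group
    img[EXT_CSD_USER_WP] = US_PWR_WP_EN
    return bytes(img)


# Constructed partition table: the last entry deliberately starts mid-group.
SAMPLE_PARTITIONS = [
    Partition("boot", 8 * 2**20, 8 * 2**20),
    Partition("system", 16 * 2**20, 200 * 2**20),
    Partition("userdata", 217 * 2**20, 300 * 2**20),
]


def report(ext_csd: bytes, partitions) -> dict:
    return {p.name: lockable_alone(p, ext_csd) for p in partitions}


if __name__ == "__main__":
    csd = sample_ext_csd()
    print("WP group size:", wp_group_size(csd) // 2**20, "MiB")
    print(decode_user_wp(csd))
    for name, (first, last, excl) in report(csd, SAMPLE_PARTITIONS).items():
        print(f"{name:9s} groups {first}-{last} {'aligned' if excl else 'NOT aligned'}")
```

In the sample, "boot" and "system" sit on 8 MiB boundaries and could each be locked without touching anything else, while "userdata" shares its first group with the 1 MiB gap before it; a boot loader that locked "system" on such a layout would also have to decide what to do with any partially shared group. On a real device the register image would come from the card (for example via the kernel's MMC ioctl interface or mmc-utils) rather than from `sample_ext_csd()`.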

No signed kernel, just a signed boot loader

Posted Jun 22, 2012 20:53 UTC (Fri) by marcH (subscriber, #57642)

http://www.schneier.com/blog/archives/2007/12/how_to_secu...

> Computer security is hard. Software, computer and network security are all ongoing battles between attacker and defender. And in many cases the attacker has an inherent advantage: He only has to find one network flaw, while the defender has to find and fix every flaw.
>
> Cryptography is an exception,...

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 7:56 UTC (Mon) by jzbiciak (✭ supporter ✭, #5246)

> Cryptography is an exception,...

That reminded me of this great chart Valerie Aurora once posted. Granted, that covers cryptographic hashes specifically, but I'd go so far as to suggest even cryptography is an arms race to some extent. Of course, practically, it's usually many orders of magnitude easier to attack the system around the cryptography than the cipher itself. (When it's not, it's because some genius decided to roll their own cipher, or someone installed a back door.)

A 256-bit AES key is theoretically secure beyond the heat-death of the universe, provided nobody finds a mathematical weakness in AES. But, if you can find a flaw in the key generation, an attack against the AES implementation, or some other flaw in the hardware, software or communication stack it's employed in, then you transform the problem back into a software/computer/network security problem and your point stands.

So don't mind me... I'm just being a little glib. Happens when I'm working overnight again. ;-)
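The "flaw in the key generation" case from the comment above, as an added example that is not part of the thread or of any project's code: the cipher is left alone and the attacker only enumerates the seeds a weak generator could have used. To keep the script standard-library only, the cipher is a keystream built from HMAC-SHA256 in counter mode standing in for AES-CTR; the attack does not depend on that choice, and swapping in a real AES-256-CTR would change nothing about it. The clock value, nonce, plaintext and the function names (`weak_key`, `strong_key`, `ctr_xor`, `recover_key`) are the example's own constructed assumptions.

```python
"""A sound 256-bit cipher does not help when the key comes from a clock-seeded PRNG.

Added example, not from the LWN thread. HMAC-SHA256 in counter mode stands in
for AES-CTR so only the standard library is needed; the seed, nonce and
plaintext below are constructed.
"""
import hashlib
import hmac
import os
import random

KEY_BYTES = 32  # a "256-bit key"


def weak_key(clock_seconds: int) -> bytes:
    """The flaw: a Mersenne Twister seeded with a timestamp.

    There are only as many distinct keys as there are plausible timestamps,
    however long the key is.
    """
    rng = random.Random(clock_seconds)
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """The fix: take the key from the OS CSPRNG."""
    return os.urandom(KEY_BYTES)


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.

    Encryption and decryption are the same operation, as with AES-CTR.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def recover_key(nonce: bytes, known_plaintext: bytes, ciphertext: bytes,
                t_lo: int, t_hi: int):
    """Attacker side: try every seed in a time window against a known-plaintext
    prefix. Returns (seed, key) on success, None otherwise."""
    target = ciphertext[:len(known_plaintext)]
    for t in range(t_lo, t_hi + 1):
        candidate = weak_key(t)
        if ctr_xor(candidate, nonce, known_plaintext) == target:
            return t, candidate
    return None


# Constructed scenario: a victim generated a key at a roughly known time.
VICTIM_CLOCK = 1340395200          # arbitrary timestamp (June 2012)
NONCE = b"\x00" * 8                # constructed nonce
KNOWN_PREFIX = b"GET / HTTP/1.1\r\n"  # protocol header the attacker can guess
MESSAGE = KNOWN_PREFIX + b"Host: example.invalid\r\n\r\n"


def demo(window_seconds: int = 86400):
    """Encrypt with a weak and a strong key; try to recover each within +/- window."""
    ct_weak = ctr_xor(weak_key(VICTIM_CLOCK), NONCE, MESSAGE)
    ct_strong = ctr_xor(strong_key(), NONCE, MESSAGE)
    lo, hi = VICTIM_CLOCK - window_seconds, VICTIM_CLOCK + window_seconds
    return (recover_key(NONCE, KNOWN_PREFIX, ct_weak, lo, hi),
            recover_key(NONCE, KNOWN_PREFIX, ct_strong, lo, hi))


if __name__ == "__main__":
    weak_result, strong_result = demo()
    print("weak key recovered at seed:", weak_result[0] if weak_result else None)
    print("strong key recovered:", strong_result)
```

A one-day window is about 173,000 candidates and takes well under a minute in pure Python; the cost is the size of the seed space, not the 2^256 key space the cipher nominally offers. The strong key draws from the OS generator, so the same search returns nothing.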

No signed kernel, just a signed boot loader

Posted Jun 23, 2012 14:37 UTC (Sat) by salimma (subscriber, #34460)

Seems to me that that wouldn't be fine-grained enough to make one partition read only while other partitions remain read/write.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds