LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

No signed kernel, just a signed boot loader

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 23:27 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
In reply to: No signed kernel, just a signed boot loader by dashesy
Parent article: Details on Ubuntu's UEFI secure boot plan

>I am assuming Malware is running under a legitimate Linux kernel (with no bugs) messing with Windows partition with full access right. So something like DISABLE_INTEGRITY_CHECKS in boot.ini no longer works on Windows 8? Also root can no longer use CertMgr to add custom certificate for custom signed drivers?
Nope. Neither DDISABLE_INTEGRITY_CHECKS nor installing your own certificates will work if secure boot is enabled.

Drivers have to be signed by MS's certificate to be installable.

>My point is that, with the complexity of NT, by having root access to those bits and bytes the attack surface is so tremendous there is probably no need to have an unsigned Linux kernel
There will be vulnerabilities, of course. But MS took care to close all the obvious loopholes.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds