LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

SUSE and Secure Boot: The Details (SUSE Blog)

SUSE and Secure Boot: The Details (SUSE Blog)

Posted Aug 12, 2012 17:00 UTC (Sun) by khim (subscriber, #9252)
In reply to: SUSE and Secure Boot: The Details (SUSE Blog) by geofft
Parent article: SUSE and Secure Boot: The Details (SUSE Blog)

Possibly having the BIOS cache the boot sector, and completely refuse to boot if the boot sector is modified, unless they go into the BIOS in advance to say "okay, boot any boot sector once", would be helpful.

This approach was tried more then decade ago. It does not work. Either user knows nothing about BIOS menus (that's the majority of them!) and only creates needless pressure on support channel or s/he have enough knowleadge to open BIOS menu and boot anyway — in this case they WILL open menu and boot anyway even on malware infected system.

You really don't want to give knobs to normal user. Knobs for some geeks (think ChromeOS devices with a switch under battery) are Ok and in fact can be considered security feature (it severely reduces pool of the people who want to crack your boot process), but normal user should never see “yes/no” message.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds