Weekly Edition
Return to the Front page
| |||||||||||||
Preparing the kernel for UEFI secure boot
UEFI secure boot is a much-discussed mechanism by which a system's firmware
will refuse to run a bootloader that is not signed with a recognized key.
Its stated purpose is to thwart boot-time malware; in the absence of
boot-time checks, it is said, suitably privileged code could hide itself
deeply within the system. In the real world, secure boot is also useful as
a platform lockdown mechanism. It now seems that secure boot will not be
used to lock down x86-based systems or to prevent them from running Linux;
the story on the ARM architecture is less encouraging. But, even on x86,
"running Linux" is not quite the same as running the Linux system you have
now; we are now beginning to see what kinds of changes will be needed to
fit Linux into the secure boot environment.
The problem, simply put, is this: the objective of secure boot is to prevent the system from running any unsigned code in a privileged mode. So, if one boots a Linux system that, in turn, gives access to the machine to untrusted code, the entire purpose has been defeated. The consequences could hurt both locally (bad code could take control of the machine) and globally (the signing key used to boot Linux could be revoked), so it is an outcome that is worth avoiding. Doing so, however, requires placing limitations in the kernel so that not even root can circumvent the secure boot chain of trust. The form of those limitations can now be seen in Matthew Garrett's secure boot support patch set. These patches may see some changes before finding their way into the mainline, but chances are that their overall form will not evolve that much. The first step is to add a new capability bit. Capabilities describe privileged operations that a given process can perform; they vary from CAP_DAC_OVERRIDE (able to override file permissions) to CAP_NET_BIND_SERVICE (can bind to a low-numbered TCP port) to CAP_SYS_ADMIN (can do a vast number of highly privileged things). The new capability, called CAP_SECURE_FIRMWARE, enables actions that are not allowed in the secure boot environment. Or, more to the point, its absence blocks actions that might otherwise enable the running of untrusted code. Naturally, the first thing reviewers complained about was the name. It describes actions that can be performed in the absence of "secure firmware"; some reviewers have also disputed whether it has anything to do with security in the first place. So the capability will probably be renamed, though nobody has come up with an obvious replacement yet. Whatever it is eventually called, this capability will normally be available to privileged processes. If the kernel determines (by asking the firmware) that it has been booted in the secure mode, though, this capability will be removed from the bounding set before init is run; once a capability is removed from that set, no process can ever obtain it. Matthew's patch set also adds a boot-time parameter (secureboot_enable=) that can be used to simulate a secure boot on hardware that lacks that feature. In the secure boot world, processes lacking the new capability can no longer access I/O memory or x86 I/O ports. Either of those could be used convince a device to overwrite the running kernel with hostile code using DMA, compromising the system, so they cannot be allowed. One consequence is that graphics cards without kernel mode setting (KMS) support cannot be used; fortunately, the number of systems with (1) UEFI firmware and (2) non-KMS graphics is probably countable using an eight-bit signed value. Other user-space device drivers will be left out in the cold as well. Someday, Matthew says, it may be possible to enable I/O access on systems where the I/O memory management unit can enforce restrictions on the range of DMA operations, but, for now, all such access is denied. Similarly, all write access to /dev/mem and /dev/kmem must be disabled, even if the kernel configuration would otherwise allow such access. The strongest comments came in response to another limitation — the disabling of the kexec() system call. This call replaces the running kernel with a new kernel and boots the result without going through the system's firmware. It can be used for extra-fast reboots, though the most common use, arguably, is to boot a special kernel to create a crash dump after a system failure. Booting an arbitrary kernel obviously goes against the spirit of secure boot, so it cannot be allowed. Eric Biederman, in particular, complained about this limitation, saying:
This is Unix. In Unix we give root rope and let him hang himself
or shoot himself in the foot (not that we encourage it). Why are
we now implementing a security model where we don't trust root?
Matthew responded that, in fact, we can't always trust root, and never have trusted it fully:
Because historically we've found that root is also often someone
who has determined a mechanism for running arbitrary code on your
machine, rather than someone you trust. Root and the kernel aren't
equivalent, otherwise root would just be able to turn off memory
protection in their userspace processes. This patchset merely
strengthens that existing dividing line.
In this case, the proper solution would appear to be to allow kexec() to succeed if the target kernel has been properly signed. That support has not yet been implemented, though. It's apparently on the to-do list, but, as Matthew said: "We ship with the code we have, not the code we want." One other important piece of the puzzle, of course, is module loading; if unsigned modules can be loaded into the kernel, the game is over. But, unlike kexec(), module loading cannot simply be turned off, so the implementation of some sort of signing mechanism cannot be put off. The module signing implementation is not part of Matthew's patch set, though; instead, David Howells has been working on the problem for some time now. This code has been delayed as the result of strong disagreements on how signing should be implemented; a solution was worked out at the 2012 Kernel Summit and this feature, in the form of a new patch set from Rusty Russell, should find its way into the mainline as soon as the 3.7 development cycle. The end result is that, by the time users have machines with UEFI secure boot capabilities, the kernel should be able to do its part. Whether users will like the result is another story. There is great value in knowing that the system is running the software you want it to be running, and many users will appreciate that. But others may find that the system is refusing to run the software they want; that is harder to appreciate. If things go well, the restrictions required by UEFI secure boot will come to be seen like other capability-based restrictions in Linux: occasionally obnoxious, but good for the long-term stability of the system and ultimately circumventable if need be. (Log in to post comments)
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 6:01 UTC (Fri) by kugel (subscriber, #70540) [Link]
I also highly dislike the idea that root isn't trusted anymore. That's not the spirit of unix/linux.
Instead, the bugs that allow malware to become root (or execute code with root privileges) should be fixed, then no harm can possibly result from root. Except user stupidity which UEFI secure boot is not made to protect against.
And reading that this prevents Linux to support some hardware setups makes me even more grumpy.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 6:14 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
>Instead, the bugs that allow malware to become root (or execute code with root privileges) should be fixed
So are you proposing a genocide? Or maybe simply the total ban of all computers?
Preparing the kernel for UEFI secure boot Posted Sep 13, 2012 22:20 UTC (Thu) by apollock (subscriber, #14629) [Link]
> I also highly dislike the idea that root isn't trusted anymore. That's not the spirit of unix/linux.
Isn't this the same as SELinux? root isn't particularly all-powerful there either.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 8:25 UTC (Fri) by rvfh (subscriber, #31018) [Link]
As long as secure boot can be disabled in BIOS, I don't care all that much:
* buy machine * disable 'secure' boot * install favourite distribution's standard flavour
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 9:00 UTC (Fri) by etienne (subscriber, #25256) [Link]
IHMO if you cannot disable 'secure' boot in the beginning you will not be able to install Linux anyway, because you will not be able to boot the DVD containing the distribution (that would be an unverifiable/unsecured boot and no way to check El-Torito bootloader/kernel combined security); same for network booting (start/authorise the booting before receiving the kernel so no way to check it).
For sure you may be able to disable 'secure' boot using a PS2 keyboard (the USB stack will not be completely initialised in time for you to press the magic key on your USB keyboard), once you have guessed which magic key combination to press (displaying that key combination on the screen would not be secure). Unfortunately the PC motherboard manufacturer will remove the PS2 keyboard plug to save money, did you kept your soldering iron? Moreover, removing/untrusting root means that there is no more any way to debug/repair bad stuff happening, a failing hard disk, a signed but buggy driver on your hardware, a corrupted UEFI FLASH / bad UEFI FLASH checksum, a video card exchanged by the same one but with a different BIOS...
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 10:45 UTC (Fri) by wookey (subscriber, #5501) [Link]
That has two problems. 1) If your machine doesn't have an option to turn secure boot off you are knackered and 2) If you _want_ to be able to secure yourself against malware booting the wrong thing (which is a reasonable thing to want), just turning the feature off isn't ideal.
1) Will happen if your server is ARM-based and the vendor of the hardware wants to make it possible to run Windows. They are not _allowed_ to put the 'disable' feature in the BIOS if they want a 'certified for Windows' sticker. Are vendors going to supply two versions of the hardware - one certified, one not? (Maybe two BIOSes would suffice and you could choose to install the 'generally useful but not certified for Windows' version - so long as one is supplied).
2) Restricted boot is actually useful so long as you have control over which signing keys are accepted. They you can sign your kernels and protect against a set of attacks. It's the control of keys which is the important bit. For things like remote servers I can see this being quite a useful feature for some people, like selinux is.
I really don't know what's going to happen with that ARM restriction. It's not going to be popular with a good chunk of purchasers, especially of server-grade stuff. And it'll be a massive pain on mobile stuff too, although to be fair if you bought mobile hardware running Windows-anything over the last decade you were usually screwed when it cam to putting your own OS on there (for boring difficulty-of-reverse-engineering reasons), so maybe things won't change that much and it'll remain unpopular. The important bit is still 'who controls the keys in the bootloader'.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 12:25 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
The Windows requirements only cover client, not server, and ARM is currently restricted to client.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 13:15 UTC (Fri) by pboddie (subscriber, #50784) [Link]
That state of affairs will only last as long as (1) Microsoft remains aware that the regulatory authorities are still looking and can punish them, and (2) the case can still be made that servers can run different operating systems.
As we already know, Microsoft and others are effective at bamboozling the regulators, judges, the public with the fairy story that a phone or other mobile device, even a laptop, has been fashioned from raw minerals with the sole purpose of running Windows. We not only need to overturn this deception, but we also need to guard against it spreading.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 13:26 UTC (Fri) by wookey (subscriber, #5501) [Link]
Sorry. I don't really understand that. A computer can be both client and server depending what software I run on it. Do you mean there are different versions of Windows called 'client' and 'server' and the certification requirement of 'cannot switch off restricted boot' only applies to the 'client' version?
Can't you run server software on 'Windows client'? How do they stop that happening? (can you tell I've not taken much notice of Windows for a really long time now)
Presumably they will want Windows to run on ARM server kit so there will be a version of 'Windows server' for ARM soon enough. If that won't have the 'you can't turn off resitricted boot' antifeature certification requirement then thats good.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 13:35 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
The certification requirements that must be met depend on whether a hardware vendor deems their platform to be client or server, and there's a corresponding set of limitations on the supported versions of Windows. You could run a server on client editions of Windows, but you'd be missing any of the management tools that would make it a reasonable or pleasurable experience.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 18:24 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]
If hardware vendors could designate their hardware as 'server' or 'client' and have this enforced, Linux would never have gotten started.
*nix manufacturers would have loved to be able to protect their expensive systems by preventing the cheap systems from running "server" OS versions
Microsoft also would have loved to be able to lock in the 'server' vs 'client' status of hardware
the losers of this are the users and owners of the systems
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 9:32 UTC (Fri) by juliank (subscriber, #45896) [Link]
I like these changes. It might even make sense for me to enable them on a system without secure boot, as I don't think I ever need the features disabled by them anyway.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 15:01 UTC (Fri) by robertm (subscriber, #20200) [Link]
And so we see the tentacles of this control scheme worming their way deeper into (so-called) free software. Signed bootloaders, signed kernels, now killing useful functionality and forcing developers of kernel modules to jump through hoops just to run their own code? Where does this madness end?
And Red Hat and SuSE are just going along with it rather than standing up for their users' freedoms! The only correct response to this obvious corporate power-grab is to reject it utterly. If "secure boot" is not stopped before it takes hold, it is obvious that the fig-leaf of allowing users to install their own keys will eventually quietly disappear (as it already has on ARM) and it will be impossible to run software that has not been written by a company large enough to pay the holders of the root trust keys enough to make it worth their while to deign to make signatures.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 16:21 UTC (Fri) by apoelstra (subscriber, #75205) [Link]
> And so we see the tentacles of this control scheme worming their way deeper into (so-called) free software. Signed bootloaders, signed kernels, now killing useful functionality and forcing developers of kernel modules to jump through hoops just to run their own code? Where does this madness end?
Suppose you replaced secure boot with physical keys, bootloaders and kernels with doors and windows, Microsoft with some popular lock company, manufacturers with locksmiths (who have a special relationship with lock companies), and attackers with burglars.
It would then be clear who the real enemies are, and why we can't stop them just by making stronger doors or crazier legislation.
Your statement would then become
Still correct, yet somehow life goes on, and few people argue that locks should be stopped.
Preparing the kernel for UEFI secure boot Posted Sep 7, 2012 22:54 UTC (Fri) by pboddie (subscriber, #50784) [Link]
Sometimes you can't just bring in an analogy and hope to make a point with it alone. This is all about removing the right of the end-user to install the software of their choosing, which is part of a trend to take away any ownership rights people have for the things they have paid for, claiming that the owner is really just renting or licensing everything and has no say over what they can do with their own property.
I think Wookey made the only good argument for having this kind of restriction: you could deploy something out of your own physical control and still hope that no-one could subvert that device by installing some other software on it. But the crucial point is this: *you* as the owner would decide which software can be installed on your property, not the device manufacturer.
That a company with at least two decades of experience of seeing one security scare line up after another around their products is pushing for technical measures of control in the name of security either shows the generosity of the media in accepting such a supposed solution in the face of that company's track record, or it shows the generosity of that company itself in cultivating such favourable opinion.
Preparing the kernel for UEFI secure boot Posted Sep 8, 2012 1:43 UTC (Sat) by robertm (subscriber, #20200) [Link] Suppose you replaced secure boot with physical keys, bootloaders and kernels with doors and windows, Microsoft with some popular lock company, manufacturers with locksmiths (who have a special relationship with lock companies), and attackers with burglars.No, I think a much better analogy would be the "votor ID" laws that several states have been enacting, which are supposedly to combat electoral fraud. In both cases, the threat (boot-time malware, non-registered people voting) is effectively nonexistent and, in view of that, the "protection" is clearly designed for some other purpose (preventing the owner of hardware from running software the vendor does not approve of on the one hand, suppressing "undesired" voters on the other).
Preparing the kernel for UEFI secure boot Posted Sep 8, 2012 12:15 UTC (Sat) by khim (subscriber, #9252) [Link] In both cases, the threat (boot-time malware, non-registered people voting) is effectively nonexistent I'm not sure about non-registered people voting, but boot-time malware is alive and well in Windows world. Is it the most common type of malware (as it was 20 years ago)? No, not anymore. Does is exit? Oh, yeah. It's no longer used as a sole distribution venue (in networked world it's not the most effective way), but it's regularly used to hide the rest of the stuff from AV software.
Preparing the kernel for UEFI secure boot Posted Sep 9, 2012 10:00 UTC (Sun) by kleptog (subscriber, #1183) [Link]
Dead people voting is absolutely an issue, although it's obviously dependant on how good the death records are maintained:
http://ballotpedia.org/wiki/index.php/Dead_people_voting
Boot time malware is also back from the dead:
http://www.f-secure.com/weblog/archives/00001393.html
I do agree the whole registration issue is weird and quite possibly typically American. Everyone over 18 should be registered automatically by virtue of being alive. In Australia prior to each election volunteers throughout the country go door to door to check everyone is registered correctly, providing all the necessary info/forms to fix any issues on the spot.
(I'm learning a lot about the American electoral systems in the Coursera Digital Democracy course. America definitely has enfranchisement problems in some areas.)
Anyway, back on topic: boot time signatures is something I'm definitely watching. We sometimes have to place machines in untrusted environments and it would be really nice to be able to ensure that no-one can boot the system from any other media.
Preparing the kernel for UEFI secure boot Posted Sep 8, 2012 10:09 UTC (Sat) by spaetz (subscriber, #32870) [Link]
> Suppose you replaced secure boot with physical keys,...
> Your statement would then become > > And so we see the tentacles of this control scheme worming their way deeper into (so-called) private property. Locked doors, locked windows, forcing builders of doorknobs to jump through hoops just to enter their own homes? Where does this madness end?
Right, but you forgot to mention, that you can only buy your keys from one vendor which might or not might sell you one, depending on if he likes your house. The key vendor also has the ability to revoke your keys validity anytime, because someone else (from a different house) lost his key somewhere.
You also neglected to mention that *all* houses need to be locked, and for some (ARM) he does not need to sell you a key at all. A tad annoying if you can't get into your office because you can't get a key for it.
Your analogy isn't really appropriate on so many levels :-)...
Preparing the kernel for UEFI secure boot Posted Sep 10, 2012 6:08 UTC (Mon) by eru (subscriber, #2753) [Link] Suppose you replaced secure boot with physical keys,You know, I would be happy to do this! Having the computer supplied with a physical lock that electrically prevents replacing the boot loader, unless the owner turns a key would keep the control with the owner of the machine!
Preparing the kernel for UEFI secure boot Posted Sep 10, 2012 8:27 UTC (Mon) by ekj (guest, #1524) [Link]
Indeed. "turn this key to automatically certify the next thing that boots" would be fine -- and I strongly suspect that if that was the mechanism, people *wouldn't* accept machines that where sold without keys, and for which MS and others hold keys, but where the owner does NOT get keys.
Preparing the kernel for UEFI secure boot Posted Sep 8, 2012 7:16 UTC (Sat) by dirtyepic (subscriber, #30178) [Link]
> One consequence is that graphics cards without kernel mode setting (KMS) support cannot be used; fortunately, the number of systems with (1) UEFI firmware and (2) non-KMS graphics is probably countable using an eight-bit signed value.
Wouldn't this be any new system with NVidia graphics? Even if I've missed something and the Nouveau driver has gotten somewhere near usable lately, I'm pretty sure it doesn't support the Quadro K1000M in my UEFI-enabled Thinkpad W530 (the Nouveau wiki is down at the moment but I checked it just last week).
Preparing the kernel for UEFI secure boot Posted Sep 8, 2012 14:38 UTC (Sat) by mjg59 (subscriber, #23239) [Link]
The binary nvidia driver doesn't use the KMS infrastructure but does do modesetting through the kernel.
Preparing the kernel for UEFI secure boot Posted Sep 10, 2012 12:18 UTC (Mon) by Aissen (subscriber, #59976) [Link]
Which means that the distro will have to provide pre-compiled per-kernel signed versions of the nvidia driver (for each version of the module). How does Fedora intend to do that, knowing that the proprietary nvidia drivers are managed over at rpm fusion?
Also, will Fedora do that, knowing the recent local-root exploit vulns ?
If Fedora refuses to provide signed nvidia drivers, it could also mean that one of the most expected, biggest "Linux Desktop advantage" will be annihilated: the ability to easily run games on Linux (i.e without fiddling with your BIOS). With the Steam beta around the corner, things coulnd't go more wrong.
Sure people could still run nouveau. Except they won't, if performance isn't on par with the proprietary driver.
Preparing the kernel for UEFI secure boot Posted Sep 10, 2012 12:25 UTC (Mon) by cortana (subscriber, #24596) [Link]
> Which means that the distro will have to provide pre-compiled per-kernel signed versions of the nvidia driver (for each version of the module).
Is this legal, what with nvidia.ko being a derived work of both the kernel and NVIDIA's proprietary driver?
Preparing the kernel for UEFI secure boot Posted Sep 10, 2012 12:28 UTC (Mon) by Aissen (subscriber, #59976) [Link]
> Is this legal, what with nvidia.ko being a derived work of both the kernel and NVIDIA's proprietary driver?
Oh yeah. It depends who you ask. It hasn't been taken to court yet.
Note that the nvidia module uses an GPL layer that then loads the nvidia binary and does the link between the two.
Preparing the kernel for UEFI secure boot Posted Sep 10, 2012 12:44 UTC (Mon) by cortana (subscriber, #24596) [Link]
It seems my assumption was wrong. Debian distributes a pre-built nvidia.ko for each of its stock kernels, and if the ftpmasters can be convinced that it's OK then it probably is OK. :)
Preparing the kernel for UEFI secure boot Posted Sep 10, 2012 16:26 UTC (Mon) by Aissen (subscriber, #59976) [Link]
Apparently there was some discussion on this subject over there:
https://lwn.net/Articles/515007/#Comments
Preparing the kernel for UEFI secure boot Posted Sep 11, 2012 2:59 UTC (Tue) by dirtyepic (subscriber, #30178) [Link]
The Steam beta was exactly what I had in mind when I was asking that question.
Now, that said, I imagine the intersection of Linux users wanting to do high-performance gaming and those needing secure-boot is a pretty small cross-section of the population. And really, who is more accustomed to fiddling with BIOS settings than gamers? It's another hoop, but let's not pretend there aren't already a dozen others set up.
Preparing the kernel for UEFI secure boot Posted Sep 11, 2012 16:00 UTC (Tue) by Aissen (subscriber, #59976) [Link]
> It's another hoop, but let's not pretend there aren't already a dozen others set up.
I didn't mean to. Doesn't mean it shouldn't be solved, otherwise people trying to remove the other hoops will encounter the same argument, and it will never be working out of the box.
Preparing the kernel for UEFI secure boot Posted Sep 10, 2012 15:01 UTC (Mon) by tmattox (subscriber, #4169) [Link]
Wow, this approach to UEFI would have derailed both my Masters and Ph.D. research work if it was the standard back then. To turn off x86 I/O instructions would have killed our OS-bypass low-latency parallel high speed interconnect research in the 1990's. The removal of kexec() functionality would have limited the functionality of Warewulf, the diskless beowulf cluster management tool I helped develop in the early 2000's. I could go on, but essentially, the list of things being disabled, was much of the things I've used to do HPC research work over the last 18 years!
Preparing the kernel for UEFI secure boot Posted Sep 11, 2012 8:46 UTC (Tue) by jpfrancois (subscriber, #65948) [Link]
So if you are developping an out of tree module, you have to tell the user of your hardware to disable secure boot ? Not every out of tree module distributor is a big corp shipping binary blobs. We are making 'custom webcam' and distributing a GPL out of tree module.
With UEFI enabled, it will be easier to ship a closed source signed binary driver for windows, than a open source out of tree module for Linux.
I hope ther will be a mechanism to :
Or get a "build farm + review mechanism" that allows you to ship a signed module for a particular distro.
Going mainline is not an option for low volume independent hardware vendor.
Preparing the kernel for UEFI secure boot Posted Sep 11, 2012 10:22 UTC (Tue) by intgr (subscriber, #39733) [Link]
> Going mainline is not an option for low volume independent hardware vendor.
I'm surprised to hear this from an LWN reader. Surely the cost of maintaining an out-of-tree driver for years to come is greater than spending the one-time effort to get it merged, and then minimal QA in the future to make sure it still works?
Greg Kroah-Hartman has been trying hard to dispel this myth for more than half a decade. Linux contains support for lots of exotic devices and that have maybe a dozen users worldwide.
See for example http://www.kroah.com/log/linux/ols_2006_keynote.html
> "My driver is only for an obscure piece of hardware, it would never be accepted
> This just is not true at all. We have a whole sub-architecture that only has 2 users in the world out there. We have drivers that I know have only one user, as there was only one piece of hardware ever made for it. It just isn't true, we will take drivers for anything into our tree, as we really want it.
Preparing the kernel for UEFI secure boot Posted Sep 11, 2012 11:21 UTC (Tue) by jpfrancois (subscriber, #65948) [Link]
This is not the cost of mainlining, but :
overlap with existing driver. inclusion of features that do not belong in the hardware.
For instance, I doubt you could convince a V4L2 maintainer that a driver doing BGGR to UYVY (ie format conversion) inside the driver is appropriate, and they would be right, this is not a good technical solution, the right thing to do is do the postprocessing in userspace.
However we have a customer with a lot of existing code using UYVY format, and for some reason, they don't think they can introduce soft debayering in these existing tools. So we provide a hack that as legitimately no place in mainline
Even without this unusual use case, not an option does not mean "won't be accepeted in mainline" but not interesting because :
In fact, distro balkanization is a problem that can be easily avoided by distributing the source instead of the binary. UEFI is potentially a huge hurdle to module source distribution. However according to M Garett :
"We're planning on using Suse's approach of permitting local key management at the shim level, and I spent some time discussing this with Vojtech last week. In combination with the above, this should provide a workable mechanism for permitting the end-user to install module signing keys. "
So it seems out of tree module will remain a possibility.
Naming proposal Posted Sep 14, 2012 2:19 UTC (Fri) by clemenstimpler (guest, #71914) [Link]
THWART_SECURE_FIRMWARE.
Maybe the first appearance of this beautiful verb in the linux kernel?
Naming proposal Posted Sep 16, 2012 13:56 UTC (Sun) by nix (subscriber, #2304) [Link]
It's the first reference outside documentation, certainly.
Naming proposal Posted Oct 4, 2012 8:47 UTC (Thu) by oak (guest, #2786) [Link]
The capability isn't about thwarting secure boot, but whether its enabled.
Maybe the name could be CAPS_UNSECURED_BOOT, CAPS_ALLOW_UNLOCK, CAPS_DRM_UNLOCKED...?
Btw. Regarding this comment in the article:
IMHO the most annoyingly ambivalent capability is CAP_SYS_PTRACE. Many low level developer tools need it, whether it's question of ptrace() calls (Gdb, strace...) which can modify the attached process *or* just reading process maps & smaps files from proc/ to find out processes real memory usage.
Latter restriction is especially frustrating because memory usage information is something that even normal user may need access to, to find out what process in his/her system is making it to crawl, or to provide information about that to a developer (using some tool suitable for that).
|
|||||||||||||