LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Preparing the kernel for UEFI secure boot

Preparing the kernel for UEFI secure boot

Posted Sep 8, 2012 1:43 UTC (Sat) by robertm (subscriber, #20200)
In reply to: Preparing the kernel for UEFI secure boot by apoelstra
Parent article: Preparing the kernel for UEFI secure boot

Suppose you replaced secure boot with physical keys, bootloaders and kernels with doors and windows, Microsoft with some popular lock company, manufacturers with locksmiths (who have a special relationship with lock companies), and attackers with burglars.
No, I think a much better analogy would be the "votor ID" laws that several states have been enacting, which are supposedly to combat electoral fraud. In both cases, the threat (boot-time malware, non-registered people voting) is effectively nonexistent and, in view of that, the "protection" is clearly designed for some other purpose (preventing the owner of hardware from running software the vendor does not approve of on the one hand, suppressing "undesired" voters on the other).

(Log in to post comments)

Preparing the kernel for UEFI secure boot

Posted Sep 8, 2012 12:15 UTC (Sat) by khim (subscriber, #9252) [Link]

In both cases, the threat (boot-time malware, non-registered people voting) is effectively nonexistent

I'm not sure about non-registered people voting, but boot-time malware is alive and well in Windows world. Is it the most common type of malware (as it was 20 years ago)? No, not anymore. Does is exit? Oh, yeah. It's no longer used as a sole distribution venue (in networked world it's not the most effective way), but it's regularly used to hide the rest of the stuff from AV software.

Preparing the kernel for UEFI secure boot

Posted Sep 9, 2012 10:00 UTC (Sun) by kleptog (subscriber, #1183) [Link]

Dead people voting is absolutely an issue, although it's obviously dependant on how good the death records are maintained:

http://ballotpedia.org/wiki/index.php/Dead_people_voting

Boot time malware is also back from the dead:

http://www.f-secure.com/weblog/archives/00001393.html

I do agree the whole registration issue is weird and quite possibly typically American. Everyone over 18 should be registered automatically by virtue of being alive. In Australia prior to each election volunteers throughout the country go door to door to check everyone is registered correctly, providing all the necessary info/forms to fix any issues on the spot.

(I'm learning a lot about the American electoral systems in the Coursera Digital Democracy course. America definitely has enfranchisement problems in some areas.)

Anyway, back on topic: boot time signatures is something I'm definitely watching. We sometimes have to place machines in untrusted environments and it would be really nice to be able to ensure that no-one can boot the system from any other media.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds