LSS: Secure Boot

Posted Sep 13, 2012 18:23 UTC (Thu) by hummassa (subscriber, #307)
In reply to: LSS: Secure Boot by pjones
Parent article: LSS: Secure Boot

> You still have all the freedoms you had before, including the freedom to have malware install "bootkits", if you want them.

IOW: NOTHING will, in the end, impede malware from installing bootkits/jailbreaks. :-D

This way, people are doing all this work to appease Microsoft, at the risk of making people think that Secure Boot (TM) is actually secure, which will after all DIMINISH the security status of potential-botnet-drones around the world. Ah, let's not forget the privacy/liberty implications. Hmm...


LSS: Secure Boot

Posted Sep 13, 2012 19:04 UTC (Thu) by pjones (subscriber, #31722)

Well, it's certainly not secure if you turn it off. I don't think anybody is under that illusion. But the issue you're taking here is that the status quo remains: if you do something your OS doesn't support, your OS vendor isn't going to support you. You're still free to do it, and can even do it securely - though it will require more effort from you. If you choose to disable security features instead of putting that effort in, you'll not be able to take advantage of the added security.

LSS: Secure Boot

Posted Sep 13, 2012 23:51 UTC (Thu) by hummassa (subscriber, #307)

> If you choose to disable security features instead of putting that effort in, you'll not be able to take advantage of the added security.

You know, you kind of proved my point. There is NO added security, because you can always find another vulnerability in the kernel, and use that to escalate past the bootloader (like creating crafted restore-from-hibernation images), and people will act under the illusion that their systems have "added security" when they don't, which, as I mentioned, diminishes the overall security. For instance, the crafted restore image could allow running unsigned or signed-by-the-malware-author executables or substitute key libraries.

And again, that is my point: "Secure Boot" == "fake security", which is far worse than "no security".

And worse yet: "Secure Boot" == "you are running a signed O.S. (with Defective by Design implications and I Can Phone Home and invade your privacy implications)" OR "you are running a signed (bla bla) but COMPROMISED by malware O.S."...
