Weekly Edition
Return to the Kernel page
| |||||||||||||
UEFI secure boot kernel restrictionsThe UEFI secure boot "problem" spans multiple levels in a Linux system. There are the actual "getting Linux to boot" issues, which have mostly been addressed by the two signed bootloaders that are available for distributions and users. Beyond that, though, are a set of kernel features that have the potential to subvert secure boot. Depending on one's perspective, those features either need to be configurable in the kernel—so some distributions can turn them off in their signed kernels—or they pose little risk beyond that of existing (but unknown) kernel bugs. As might be guessed, both sides of that argument can be heard in a recent linux-kernel thread. The root problem, so to speak, is that the root user on Linux systems is trusted by the kernel. That means root can make all sorts of temporary—or permanent—changes to the state of the system. Those changes include things like using kexec() to boot a different operating system, or writing a hibernation image to the swap partition for use in a resume. But both of those things could be used by an attacker to circumvent the protections that secure boot is meant to enforce. If, for example, a user were to boot using one of the Microsoft-signed Linux bootloaders—"shim" or "pre-bootloader"—into a kernel that didn't restrict root's powers, that kernel could arrange to execute a different kernel, perhaps one that has been compromised. Worse yet, from the perspective of those worried about Microsoft blacklisting bootloaders or keys, that second kernel could actually be a malicious version of Windows. So, a secure-boot-protected system would end up booting mal-Windows, which is precisely the scenario secure boot is supposed to prevent. If that occurs in the wild, various folks believe that Microsoft will blacklist the bootloader that was used in the attack. If that's the same bootloader used to boot Linux, new systems, as well as old systems that get the blacklist update, will no longer boot Linux. Matthew Garrett (at least) is concerned about that scenario, so he has proposed kernel changes that would prevent suitably configured kernels from using kexec() among a handful of other restrictions that could be used to circumvent secure boot. That was back in early September, and those changes were relatively uncontroversial except for the capability name Garrett chose (CAP_SECURE_FIRMWARE) and the kexec() restriction. In mid-September, he followed up with a set of patches that were substantially the same, though the kexec() patch was removed and the capability was renamed to CAP_COMPROMISE_KERNEL. In the patch, he noted that "if anyone wants to deploy these then they should disable kexec until support for signed kexec payloads has been merged". Things went quiet for more than a month, but have since erupted into a rather large thread. A query from Jiri Kosina about loading firmware into a secure boot kernel led to a discussion of the threat model that is being covered by Garrett's patch set. While Garrett agreed that firmware loading should eventually be dealt with via signatures, it is not as high on his priority list. An automated attack using crafted firmware would be very hardware-specific, requiring reverse engineering, and "we'd probably benefit from them doing that in the long run". Garrett's focus on automated attacks makes it clear what threat models he is trying to thwart, so Kosina's next query, about resuming from hibernation, is an issue that Garrett believes should be addressed. It turns out that Josh Boyer has a patch to disable hibernation for secure boot systems, but that, like disabling kexec(), was not overwhelmingly popular. There are other ways to handle resuming from hibernation, for example by creating keys at boot time that get stored in UEFI boot variables and that the kernel uses to sign hibernation images. But it is clear that some kernel developers are starting (or continuing) to wonder if the kernel secure boot support isn't going a bit—or far more than a bit—overboard. For one thing, as James Bottomley pointed out, there will always be kernel bugs that allow circumvention of these restrictions (e.g. by root reading the hibernation signing key or flipping the capability bit):
[...] a local privilege elevation attack
usually exploits some bug (classically a buffer overflow) which executes
arbitrary code in kernel context. In that case, the same attack vector
can be used to compromise any in-kernel protection mechanism including
turning off the secure boot capability and reading the in-kernel private
signing key.
[...] The point I'm making is that given that the majority of exploits will already be able to execute arbitrary code in-kernel, there's not much point trying to consider features like this as attacker prevention. We should really be focusing on discussing why we'd want to prevent a legitimate local root from writing to the suspend partition in a secure boot environment. But kernel exploits appear to be "off the table", at least in terms of the secure boot circumvention that Garrett and others are concerned about. Kosina said:
My understanding is that we are not trying to protect against root
exploiting the kernel. We are trying to protect against root tampering
with the kernel code and data through legitimate use of kernel-provided
[facilities] (/dev/mem, ioperm, reprogramming devices to DMA to arbitrary
memory locations, resuming from hibernation image that has been tampered
with, etc).
It's not exactly clear why Microsoft would make a distinction between a kernel exploit and using legitimate kernel services when making a blacklisting decision, though. But, for distributions that do ship signed kernels, they can reduce the attack surface substantially: to only those kernels that they have signed, with whatever vulnerabilities are present in those particular versions. Eric Paris detailed one possible attack that installs a crafted Linux boot environment (with a legitimately signed bootloader and kernel), which sleeps after setting up a trojaned Windows hibernation image. Users would need to wake the machine twice, but would end up running malware in a secure boot system. Bottomley and others are, at the very least, uncomfortable with the idea of an "untrusted root". At the heart of the kernel changes for secure boot is removing the ability for root to make persistent changes to the boot environment. The patches that Garrett has proposed close many of the known holes that would allow root to make those kinds of changes, but the argument is that there are likely to be others. As Alan Cox put it:
With all the current posted RH patches I can still take over
the box as root trivially enough and you seem to have so far abolished
suspend to disk, kexec and a pile of other useful stuff. To actually lock
it down you'll have to do a ton more of this.
Another possible way to handle Linux being used as an attack vector against Windows (which is how keys are likely to get blacklisted) is to change the behavior of the Linux bootloaders. Bottomley suggested that a "present user" test on the first boot of the bootloader, which could be detected because the UEFI key database and the "machine owner key" database do not contain the proper keys, would alleviate the problem. Garrett pointed out that the shim bootloader does not do this because it needs to be able to boot unattended, even on first boot. But, Bottomley saw that as unfortunate:
[...] what I'm telling you is that by deciding to allow automatic
first boot, you're causing the windows attack vector problem. You could
easily do a present user test only on first boot which would eliminate
it. Instead, we get all of this.
Garrett, though, sees unattended first boot as an absolute requirement, especially for those who are trying to do automated installations for Linux systems. Others disagreed, not surprisingly, and the discussion still continues. It should be noted that the pre-bootloader that Bottomley released does do a present user test on first boot (and beyond, depending on whether the user changes the secure boot configuration). There does seem to be something of whack-a-mole problem here in terms of finding all of the ways that this "untrusted root" might be able to impact secure boot. In addition, new kernel features will have to also be scrutinized to see whether they need to be disabled depending on CAP_COMPROMISE_KERNEL. Not trusting root is a very different model than kernel developers (and users) are accustomed to. One can imagine that all of the different problem areas will be tracked down eventually, but it will be a fair amount of work. Whether that work is truly justified in support of a feature that is largely (though not completely) only useful for protecting Windows is a big question. On the other hand, not being able to [easily] boot Linux on x86 hardware because of key blacklisting would be problematic too. This one will take some time to play out. (Log in to post comments)
UEFI secure boot kernel restrictions Posted Nov 8, 2012 4:18 UTC (Thu) by raven667 (subscriber, #5198) [Link]
I have great respect for mjg59's work and intelligence but I too think that this might be introducing far more restrictions than can be supported and more than the threat model warrants. The only thing that is checked by UEFI is the shim, correct? Therefore that is the only thing that can be blacklisted, if it can be used to silently compromise an OS on boot, the rest is just our own leveraging of the Secure Boot feature for our own use. Secure Boot offers very limited protection on boot, nothing after boot and nothing in a virtualized environment IIUC. It doesn't protect the kernel from being compromised and it's not intended to, it's not intended to prevent a compromised kernel from suspending/hibernating and resuming either.
If one is looking for more general ways to secure a running system then there are probably other better places to look like LSM modules or grsecurity.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 5:29 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
What's the point in securing a bootloader if it will then boot an arbitrary kernel? What's the point in only booting a signed kernel if it's trivial to runtime-patch it to do anything you want?
UEFI secure boot kernel restrictions Posted Nov 8, 2012 13:52 UTC (Thu) by foom (subscriber, #14868) [Link]
Indeed!
This whole "secure boot" exercise is indeed...pointless. :)
UEFI secure boot kernel restrictions Posted Nov 8, 2012 15:04 UTC (Thu) by raven667 (subscriber, #5198) [Link]
But you aren't booting an arbitrary kernel, a cold boot will get you a verified kernel image and modules off disk. As far as the kernel being modified after boot, that's outside the scope of this protection and annother matter entirely. I've worked in security for much of my career, one of the hardest things is knowing when enough is enough, when adding more protections, restrictions and security is counter productive. I think that's the case here.
If we want to work on other kernel security measures then I don't think it should be in the context of Secure Boot as that has been pushed as far as it will go and will take a few years of operational use to cool down. You can start a new project to help prevent unauthorized entry into the kernel, making kexec do signature checking maybe, but you can't _fundamentally_ prevent code from being loaded into the kernel after users pace is started, there are too many holes for that. The kernel team does their level best to plug holes as fast as they can and that's what we have to rely on for now.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 15:22 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
If you're not worried about the kernel being modified at runtime, why are you worried about whether the on-disk copy is verified?
UEFI secure boot kernel restrictions Posted Nov 8, 2012 16:25 UTC (Thu) by raven667 (subscriber, #5198) [Link]
Verifying the on-disk copy allows one to cold boot into a known good state, without re-imaging their machine from read-only media, at least until the point where arbitrary, user-supplied code can be run, then you are boned again. You can also safely update the trusted base even on a compromised system, knowing that it hasn't been modified in transit, closing extant holes. You can't prevent the kernel from having holes though so you have no protections after you exit your trusted base, the best you can do is have some scanning as part of your trusted, verified base and run it early enough to catch known malware. This does nothing for zero-day exploits and new malware though.
This is a problem with no easy answers and might not even be a solvable problem given the complexity needed for modern systems. Have you ever read Verner Vinge "Deepness in the Sky"?
UEFI secure boot kernel restrictions Posted Nov 8, 2012 16:33 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
The point where arbitrary, user-supplied code can be run is the moment you transition into the initramfs - ie, before you can do anything with your known-good kernel. There's zero benefit in verifying the kernel if you're going to permit arbitrary userspace code to rewrite it.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 16:56 UTC (Thu) by raven667 (subscriber, #5198) [Link]
That's a good point, there is no benefit if the rootkit runs in the initramfs. The only way I can see to solve that is to make the initramfs only run validated, signed code and not arbitrary code.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 23:26 UTC (Thu) by hummassa (subscriber, #307) [Link]
And *that* is the *impossible* proposition, because to do anything useful the initramfs has to has *some* vulnerability. And *that* is what I have been saying all along: secure boot is only a market-locking weapon and NOT AT ALL secure or security-oriented.
UEFI secure boot kernel restrictions Posted Nov 9, 2012 18:41 UTC (Fri) by mathstuf (subscriber, #69389) [Link]
> And *that* is the *impossible* proposition, because to do anything useful the initramfs has to has *some* vulnerability.
I'd like a clarification here: initramfs has to have a vulnerability because of:
- what it does; or
This seems like an important distinction to me, but I'm also unfamiliar with what initramfs actually does or needs to do at a detailed level.
UEFI secure boot kernel restrictions Posted Nov 10, 2012 1:34 UTC (Sat) by hummassa (subscriber, #307) [Link]
> - it does so much that *something* it calls is ~100% likely to have *some* vulnerability; or
that's the one :-D
UEFI secure boot kernel restrictions Posted Nov 10, 2012 2:04 UTC (Sat) by raven667 (subscriber, #5198) [Link]
Well you have to presume the kernel has some vulnerabilities but you can control what code calls into the kernel, at least for very early boot when the system is still being set up. Anything that has a fixed function can get signatures and be solidified, the problems come in when you have to run arbitrary code which is outside the users ability to audit.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 9:18 UTC (Thu) by mjw (subscriber, #16740) [Link]
What treat does closing these "holes" fix that wouldn't also be holes in booting a "mal-Windows" under say qemu? The mal-Windows is still not able to change any of the secure boot UEFI parameters without user intervention is it? Maybe I am not inventive/imaginative enough, but it seems there is no difference between this and running any Windows (or other OS) version under "normal" emulation. Or is there?
UEFI secure boot kernel restrictions Posted Nov 8, 2012 9:33 UTC (Thu) by paulj (subscriber, #341) [Link]
I like the idea of having a secure boot. However, having a secure boot where the trust anchor is an entity that has radically different, if not conflicting goals and requirements to those of Linux users is a risky proposition. I fear there are only 2 stable, extreme outcomes to this:
a) Linux becomes a heavily locked down software eco-system.
b) Linux becomes non-bootable on common hardware.
The middle-ground some seek, I'm not sure is achievable by accepting a scheme that has such an other entity as trust anchor.
UEFI secure boot kernel restrictions Posted Nov 12, 2012 7:33 UTC (Mon) by Seegras (subscriber, #20463) [Link]
> b) Linux becomes non-bootable on common hardware.
I don't consider any of this UEFI-locking to be a technical problem. It's an antitrust-problem.
Because the reason Microsoft does it is obviously because it tries to lock out competition.
So the first thing needed to combat this, is to abolish any law that protects this kind of shenanigans, namely the DRM anti-circumvention provisions of the DMCA and similar laws. And the second step is to go in with anitrust law. hard.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 10:49 UTC (Thu) by nathan (subscriber, #3559) [Link]
Isn't it just as likely that windows itself can be compromised to make permanent changes to the boot process?
If Microsoft fails to treat the keys involved in such an attack in the same way that it treats the keys used in a linux-vectored attack, I smell antitrust lawsuit.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 13:50 UTC (Thu) by pjones (subscriber, #31722) [Link]
Yes, in fact it's probably more likely. But we've got every reason to believe they *will* treat them the same - they've revoked their own signatures (and even keys) before for windows drivers, for example.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 13:16 UTC (Thu) by Trou.fr (subscriber, #26289) [Link]
I find it weird that all the discussion is going around Microsoft. Secure boot can be a very cool thing to have even in a pure-Linux world : making sure even root cannot compromise the kernel (as in executing arbitrary code using features) is a good security property.
Sure, there is a lot of work required to reach such a goal and kernel vulnerabilities will still exists (ah no, sorry, bugs...) but seccomp-bpf and others mechanisms are here to help. So why not focus on the benefits and stop refering to Windows all the time ?
UEFI secure boot kernel restrictions Posted Nov 8, 2012 13:54 UTC (Thu) by pjones (subscriber, #31722) [Link] The discussion often involves Windows simply because the Windows 8 logo certification rules are the carrot that's forcing us to move forward on this. You're right that there are numerous benefits, and we're trying to take advantage of them - see this blog post for example.We're not myopically focusing on MS and Windows, but since they are the de facto CA in charge of revocation, we do need to make sure that they are satisfied that our implementation isn't a danger to Windows security as well.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 13:54 UTC (Thu) by etienne (subscriber, #25256) [Link]
> making sure even root cannot compromise the kernel
Shall root be able to modify the restore image, so that at least root can check that this modified image is not restored because the "boot time protections" works?
UEFI secure boot kernel restrictions Posted Nov 8, 2012 17:49 UTC (Thu) by apoelstra (subscriber, #75205) [Link]
> Shall root be able to modify the restore image, so that at least root can check that this modified image is not restored because the "boot time protections" works?
>If not, how are you proposing to test things? Create a super-root?
If you needed to modify a restore image, or kernel, or bootloader, you would need to disable the security mechanism. (In a dream world, by a hardware switch, but more likely through some BIOS setting.)
Presumably you'd need to do such dramatic things only infrequently, so the security would be worth the inconvenience.
UEFI secure boot kernel restrictions Posted Nov 9, 2012 7:54 UTC (Fri) by ekj (subscriber, #1524) [Link]
But if that's all, then what is the benefit of this scheme over simply having a small area of storage that has a hardware-read-only switch, and booting from that ?
SD-cards already have hardware-write-protect switches on them, why not just put your kernel there, and set the bios to boot from the SD-card ?
UEFI secure boot kernel restrictions Posted Nov 9, 2012 12:05 UTC (Fri) by anselm (subscriber, #2796) [Link] AFAIK the switch on an SD card doesn't actually physically prevent writing to the card; if engaged it's really more like a suggestion to the kernel to not allow writing to the card, so it wouldn't gain you additional security.
UEFI secure boot kernel restrictions Posted Nov 9, 2012 12:28 UTC (Fri) by ekj (subscriber, #1524) [Link]
Yeah okay, in that case secure boot is as useful as making a sd-card where the write-protect physical switch actually physically prevents writing to the card. I can't imagine that is difficult to do.
No changes to hardware or software beyond the SD-card itself needed.
So what is the point of secure boot ? Why make something so simple (and so useless) so complicated ? What's the point of the crypto and the checksums and all the mumble-jumble ?
UEFI secure boot kernel restrictions Posted Nov 9, 2012 15:45 UTC (Fri) by apoelstra (subscriber, #75205) [Link]
> AFAIK the switch on an SD card doesn't actually physically prevent writing to the card; if engaged it's really more like a suggestion to the kernel to not allow writing to the card, so it wouldn't gain you additional security.
This is correct, unfortunately. I don't know of any consumer media with hardware write protection (other than compact discs, which can be written only once..).
UEFI secure boot kernel restrictions Posted Nov 9, 2012 23:45 UTC (Fri) by nix (subscriber, #2304) [Link]
Floppy disks!
(You didn't say the consumer media couldn't be decades obsolete...)
UEFI secure boot kernel restrictions Posted Nov 10, 2012 1:56 UTC (Sat) by ABCD (subscriber, #53650) [Link]
There are USB thumb drives out there with write-protect switches that (at least supposedly) prevent the computer from writing to the drive. I don't know what would happen if the OS decided to ignore the write-protect switch and write anyway, though.
UEFI secure boot kernel restrictions Posted Nov 10, 2012 0:32 UTC (Sat) by bjencks (subscriber, #80303) [Link]
This allows you to have a trusted source of updates, and easily install new kernels signed by that source without having to jump through the physical presence proof hoops every time.
UEFI secure boot kernel restrictions Posted Nov 10, 2012 1:36 UTC (Sat) by hummassa (subscriber, #307) [Link]
IOW: trust Microsoft, they know what they're doing.
HAAHAHAHAHAHAHA
UEFI secure boot kernel restrictions Posted Nov 11, 2012 20:50 UTC (Sun) by bjencks (subscriber, #80303) [Link]
I was actually thinking of trusting Red Hat or Canonical, or maybe (hypothetically) my own internal trust anchor installed in my desktop or server fleet.
And if you do use Windows (which several hundred million people do), trusting Microsoft is pretty sensible.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 15:10 UTC (Thu) by raven667 (subscriber, #5198) [Link]
I too find it weird, is there something going on behind the scenes that I'm not aware of that would make sense? As far as I can see our obligations for microsoft end at the shim, making sure it can't transparently load unsigned or modified code and interjected into the boot process by malware. As far as I can see that obligation has been met so there is nothing more to discuss with Microsoft.
Linux NOT bootable???? Posted Nov 8, 2012 15:26 UTC (Thu) by faramir (subscriber, #2327) [Link]
At the end of the article is the line:
"On the other hand, not being able to boot Linux on x86 hardware because of key blacklisting would be problematic too."
As I understand it, all UEFI systems must have the ability to disable secure boot enforcement in order to get Microsoft certification. Is this correct? I've read the arguments about how hardware manufacturers will screw this up and I even agree that this is likely to happen with some systems at some point. And maybe this line was intended as shorthand for that possibility. However, (as written), I think that line smells an awful lot like FUD (fear, uncertainty, doubt).
Linux NOT bootable???? Posted Nov 8, 2012 15:44 UTC (Thu) by jake (editor, #205) [Link]
It certainly wasn't meant as FUD, but it is a bit unclear. Perhaps a correction like:
not being able to _easily_ boot Linux on x86 hardware
would help. If the bootloader keys get blacklisted, users will have to go into their BIOS and disable secure boot before being able to boot Linux. That's all I was trying to say.
jake
Linux NOT bootable???? Posted Nov 8, 2012 16:46 UTC (Thu) by mirabilos (subscriber, #84359) [Link]
Or use another bootloader, signed and not revoked, that allows unsigned images to be booted after a User Present check.
People wanting to do unattended stuff better buy some machine with a real BIOS or at least disable Restricted Boot.
Linux NOT bootable???? Posted Nov 8, 2012 15:56 UTC (Thu) by eparis (guest, #33060) [Link]
Not FUD. It will be on by default and we don't want users to have to go into BIOS and turn off 'security' in order to boot a livecd, or install a Linux distro. No one is saying they can't, and if they do it will work just fine without anything special, but we don't think users want to or know how to turn off 'security'.
Linux NOT bootable???? Posted Nov 8, 2012 18:42 UTC (Thu) by faramir (subscriber, #2327) [Link]
"No one is saying they can't ..."
Actually that is exactly what the article said. Someone who just read the article and hadn't spent as much time following the issue as I (or you) would be misinformed.
I was surprised to read that as I was pretty sure that it was wrong, but then again this was an actual LWN article so maybe I was wrong. That's why I asked for clarification. I'm perfectly willing to accept that this was an error on the part of the original author and not an attempt at FUD. I do, however, see it as problem in that makes it too easy for people who say that UEFI security is not an issue to easily discount the more subtle arguments about LiveCDs etc.
Linux NOT bootable???? Posted Nov 14, 2012 14:44 UTC (Wed) by Lennie (subscriber, #49641) [Link]
Windows 8 hardware on ARM has EUFI secure boot enabled, as demanded by Microsoft on the OEMs and there is no off switch.
Currently they can't force that on the x86/amd64 desktop market, because of anti-trust issues.
But maybe they can force it on the server market ?
Also if Windows 8 would be unpopulair on x86/amd64 and Microsoft lost a large share of the desktop market. In that case they could force it on their desktop market OEMs too.
So if the Year of the Linux desktop ever happend, they have a weapon ready ?
I'm very unhappy with this situation.
Linux NOT bootable???? Posted Nov 15, 2012 19:15 UTC (Thu) by ccurtis (guest, #49713) [Link] Windows 8 hardware on ARM has EUFI secure boot enabled, as demanded by Microsoft on the OEMs and there is no off switch. Currently they can't force that on the x86/amd64 desktop market, because of anti-trust issues. But maybe they can force it on the server market ? I'm not sure anti-trust is the reason, but this does raise an interesting thought. It seems that AMD may be looking to drive ARM processors into the server market[1]. The future may very well be ARM hardware instead of x86 -- already netbooks and laptops, etc. are going ARM. Is this an attempt to lock out Linux from the future computing markets if x86 wanes? And what about hybrid cores? Like big.LITTLE or the PS/3 but maybe instead x86 with a dozen ARM coprocessors (or v/v)? [1] AMD promises 64-bit ARM-based Opteron server CPUs coming in 2014
Linux NOT bootable???? Posted Nov 15, 2012 19:36 UTC (Thu) by raven667 (subscriber, #5198) [Link]
Linux can't be locked out of the server space in any foreseeable future, it is far too dominant, not even MS billions has been able to change that.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 16:13 UTC (Thu) by alonz (subscriber, #815) [Link] > It's not exactly clear why Microsoft would make a distinction between a> kernel exploit and using legitimate kernel services when making a > blacklisting decision [...] Actually the explanation is quite simple: if a compromise is the result of a kernel exploit, Microsoft can expect (and/or demand) a bug fix – and revoke the key only if the vendor misbehaves. If the compromise is a "feature" of the product, this is vendor misbehavior by definition. (I see the same at work, quite a lot—I architect security systems; this kind of behavior is built-in into the legalese of many certification processes.)
UEFI secure boot kernel restrictions Posted Nov 8, 2012 16:25 UTC (Thu) by jake (editor, #205) [Link]
> if a compromise is the result of a kernel exploit, Microsoft can
> expect (and/or demand) a bug fix
and that's fine from a certification standpoint, i suppose, but i don't really see how it changes the attack picture. that signed kernel with a known exploit still exists, so it can still be used as an attack vector.
jake
UEFI secure boot kernel restrictions Posted Nov 8, 2012 16:33 UTC (Thu) by pjones (subscriber, #31722) [Link]
No - in the case that it's being exploited, they'll issue DBX updates that ban that specific kernel's hash, and shim will honor DBX.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 18:46 UTC (Thu) by faramir (subscriber, #2327) [Link]
The whole idea of UEFI secure boot and Linux seems to have started as an ease (possibility?) of use issue rather then due to a strong desire to improve Linux security. That's not to say that people working on this don't also desire to improve Linux security. Just that that might not be their primary concern.
UEFI secure boot kernel restrictions Posted Nov 8, 2012 20:23 UTC (Thu) by pjones (subscriber, #31722) [Link]
Yeah, it's fair to say we weren't planning on spending the 5 or so man-years we've spent on Secure Boot implementing it until we found out that we absolutely had to.
|
|||||||||||||