LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Multipath TCP: an overview

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Garrett: Secure Boot and Restricted Boot

Garrett: Secure Boot and Restricted Boot

Posted Apr 7, 2013 13:31 UTC (Sun) by hummassa (subscriber, #307)
In reply to: Garrett: Secure Boot and Restricted Boot by kleptog
Parent article: Garrett: Secure Boot and Restricted Boot

> I don't understand your argument about DRM, since a system cannot determine whether it was booted securely or not. That makes it kinda pointless for DRM. All secure boot can do is refuse to boot if it finds something wrong.

Your argument is inconsistent. At the point where you restrict the boot, the system can determine that it was booted securely by the simple fact that it is running.

(Log in to post comments)

Garrett: Secure Boot and Restricted Boot

Posted Apr 7, 2013 15:42 UTC (Sun) by raven667 (subscriber, #5198) [Link]

No, I don't think it works that way because the verification is done in the previous layer of code and there is no reliable signalling to the next layer signifying whether it did any checks at all.

Anything that can be booted in Secure Boot mode can also be booted without Secure Boot enabled and it won't know the difference. Your Secure Boot capable bootloader/kernel can't refuse to start on a non-Secure Boot enabled system, or one that is faking Secure Boot checking. For example a VM.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds