User: Password:
|
|
Subscribe / Log in / New account

Implementing UEFI Secure Boot in Fedora

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 19:00 UTC (Mon) by raven667 (subscriber, #5198)
In reply to: Implementing UEFI Secure Boot in Fedora by hummassa
Parent article: Implementing UEFI Secure Boot in Fedora

I'm not sure how security is implemented in iOS and whether or not it is directly comparable to this scheme. UEFI secure boot only validates the bootloader, everything beyond that is going to be OS specific and out of scope of UEFI. Other systems have implemented this kind of cryptographically protected security, such as the Sony PS3, and have been very resilient in the face of persistant attack. AFAIK the PS3 has only had one successful attack in 5+ years, and that wasn't able to persist on the system, the secure update mechanism remained intact and was able to clean off the exploit and prevent re-exploitation. I would hope that our rockstar Linux devs could build a system at least as resistant to attack as that, if not more so.


(Log in to post comments)

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 19:21 UTC (Mon) by hummassa (subscriber, #307) [Link]

> I'm not sure how security is implemented in iOS and whether or not it is directly comparable to this scheme. UEFI secure boot only validates the bootloader, everything beyond that is going to be OS specific and out of scope of UEFI.

That is *exactly* how iOS boot security works. It only loads cryptographically-signed OS images. I. e., except when it's exploited and then it does not.

> Other systems have implemented this kind of cryptographically protected security, such as the Sony PS3, and have been very resilient in the face of persistant attack. AFAIK the PS3 has only had one successful attack in 5+ years, and that wasn't able to persist on the system, the secure update mechanism remained intact and was able to clean off the exploit and prevent re-exploitation. I would hope that our rockstar Linux devs could build a system at least as resistant to attack as that, if not more so.

Nobody told that to my (still using Linux) PS3.

I repeated over and over, I really don't think that writing a general-purpose OS and computer that resists to attacks and that not would run *any* unsigned code in the time-frame of two years or more is a possible goal.

The timeframe for iDevices jailbreak is usually at most two months after a new version of the bootloader is out (the developers usually keep some of the vulnerabilities on the bootloader secret so when Apple plugs a hole, they have another to exploit). This is exactly what will happen in the case of OS-locked general-purpose computers, if they are as popular as iDevices...

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 19:49 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

Until you run out of bugs.

Boot protection on iDevices is half-hearted at best. Apple doesn't really care about you jailbreaking their hardware.

Now, try to jailbreak XBox360 hypervisor - it's impossible or very close to it.

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 20:13 UTC (Mon) by raven667 (subscriber, #5198) [Link]

> That is *exactly* how iOS boot security works. It only loads cryptographically-signed OS images. I. e., except when it's exploited and then it does not

I don't think either of us have enough details to speak intelligently on the subject of iOS boot security, the details matter.

> Nobody told that to my (still using Linux) PS3.

So you are both running Linux and recent games, PSN, etc. or did you just stop updating your machine?


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds