
Fedora, secure boot, and an insecure future

Posted Jun 5, 2012 23:02 UTC (Tue) by russell (guest, #10458)
Parent article: Fedora, secure boot, and an insecure future

Let's assume that I have a dual-boot machine (I don't); then, after running Windows, I find that the Fedora key has been revoked. So that now means I must get an updated boot chain installed. How am I going to do that? I can't boot into Linux to run yum update. Am I supposed to do that from Windows? Downloading a live CD or temporarily disabling secure boot is just as confusing for "the Fedora userbase" as disabling secure boot in the first place.

I wish Fedora would figure out who their users are. You can't be bleeding edge and for newbies all at the same time. In my opinion, it's just not working.



Fedora, secure boot, and an insecure future

Posted Jun 5, 2012 23:19 UTC (Tue) by dashesy (guest, #74652)

If any key, I guess it would be the boot loader key that is revoked, assuming that it is the actual Fedora key purchased for $99. In that case, once a Windows security update is applied (changing the BIOS perhaps), the boot loader signature will not be valid anymore. If this is true, you cannot run Windows either (or maybe chainload is automatically triggered in such a scenario?). Unless the revocation is only applied to newly manufactured hardware.

I am reading this, and Samsung is one of the best hardware manufacturers anyway, so if they apply the "Your Freedom Respected" sticker suggested above, I do not need any other option.

Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 6:15 UTC (Wed) by smurf (subscriber, #17840)

Why would anybody revoke Fedora's UEFI bootloader signature? Presumably it's small and simple enough not to be exploitable itself.

One needs to distinguish between the initial small bootloader, signed by M$/Verisign, and everything else, which will be signed by Fedora.
If some security-circumventing bug is found, there are a couple of options:

* store a list of hashes in the kernel; modules with those hashes are forbidden to load.

* Use a sub-key for signing modules / the kernel; if buggy, revoke that subkey, distribute another one, distribute new signatures for non-affected parts of the system. This probably boils down to "don't trust any subkey created before <date>".

* Build a new mini-bootloader that only knows a new Fedora key, and install that. Ship new signatures for GRUB, the kernel, and all modules.

In none of these scenarios is there any possibility of the system being non-bootable – the running system can easily verify that the signature chain is unbroken before rebooting.

Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 6:51 UTC (Wed) by neilbrown (subscriber, #359)

> Why would anybody revoke Fedora's UEFI bootloader signature? Presumably it's small and simple enough not to be exploitable itself.

Because the bootloader would have to contain Fedora's key, so it could verify the kernel that it was loading.

If the kernel is exploitable, then anything which trusts the key is exploitable, so the bootloader containing the key is exploitable, so the key which verifies it must be revoked.

Is that right?

Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 18:46 UTC (Wed) by pjones (subscriber, #31722)

No, that doesn't follow. If a signed kernel is exploitable, that kernel needs to be prevented from being used (using whatever mechanism). Other things signed by that key may still be trusted, depending on the circumstances.

Fedora, secure boot, and an insecure future

Posted Jun 14, 2012 5:07 UTC (Thu) by kevinm (guest, #69913)

It doesn't matter if you release an update for the signed bootloader that refuses to boot the known-buggy kernel, because the original signed bootloader that *doesn't* have that update is still out in the wild. Malware that wants to take over Windows machines will simply use the un-updated signed bootloader together with the signed buggy kernel.

Fedora, secure boot, and an insecure future

Posted Jun 14, 2012 12:03 UTC (Thu) by mjg59 (subscriber, #23239)

That's why you're able to revoke binaries at the firmware level.
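
The revocation options smurf lists above (a hash denylist, revoking a signing subkey and re-signing the unaffected parts, a new bootloader), pjones's point that one exploitable kernel does not condemn everything else signed with the same key, and the kevinm/mjg59 exchange about an old shim staying in the wild until the firmware itself revokes it, modelled as one small Go program. This is an added example, not code from the thread or from Fedora's shim. The key names, image contents and the two-policy split (a firmware policy for the first stage, a shim policy for everything the shim loads) are constructed for illustration; smurf's "don't trust any subkey created before <date>" is modelled simply as dropping the old key from the shim's trusted set; Ed25519 with fixed seeds stands in for the Authenticode/RSA signatures real UEFI firmware checks.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Binary is one boot-chain component: image, expected signer name, signature.
type Binary struct {
	Name, Signer     string
	Image, Signature []byte
}

// Policy is one verifier's trust state: the firmware's (db keys, dbx hashes) or
// the shim's (the distribution's signing keys plus a denylist of kernel hashes).
type Policy struct {
	Trusted   map[string]ed25519.PublicKey
	Forbidden map[[32]byte]bool // SHA-256 of revoked images
}

// Verify checks the denylist first (needs no key), then key trust, then the signature.
func (p Policy) Verify(b Binary) error {
	pub, ok := p.Trusted[b.Signer]
	switch {
	case p.Forbidden[sha256.Sum256(b.Image)]:
		return fmt.Errorf("%s: image hash is revoked", b.Name)
	case !ok:
		return fmt.Errorf("%s: signer %q not trusted", b.Name, b.Signer)
	case !ed25519.Verify(pub, b.Image, b.Signature):
		return fmt.Errorf("%s: bad signature", b.Name)
	}
	return nil
}

// VerifyChain is the "chain is unbroken" check a running system can make before
// rebooting: the firmware judges the first stage, the shim everything after it.
func VerifyChain(firmware, shim Policy, first Binary, rest ...Binary) error {
	if err := firmware.Verify(first); err != nil {
		return err
	}
	for _, b := range rest {
		if err := shim.Verify(b); err != nil {
			return err
		}
	}
	return nil
}

// newKey uses a fixed seed so the demo is reproducible; real keys are random and kept offline.
func newKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func sign(name, signer, image string, priv ed25519.PrivateKey) Binary {
	return Binary{Name: name, Signer: signer, Image: []byte(image), Signature: ed25519.Sign(priv, []byte(image))}
}

// Scenarios walks a constructed chain (hypothetical names and images, not real
// Fedora artifacts) through the thread's revocation options; nil means "boots".
func Scenarios() map[string]error {
	msKey, msPriv := newKey(1) // key the firmware trusts
	key11, priv11 := newKey(2) // distribution signing (sub)key
	key12, priv12 := newKey(3) // its replacement
	shimOld := sign("shim-1", "microsoft", "shim v1", msPriv)
	shimNew := sign("shim-2", "microsoft", "shim v2 with denylist", msPriv)
	grub := sign("grub", "fedora-2011", "grub image", priv11)
	kernelBad := sign("kernel-bad", "fedora-2011", "kernel with exploitable bug", priv11)
	kernelGood := sign("kernel-good", "fedora-2011", "fixed kernel", priv11)
	grub12 := sign("grub", "fedora-2012", "grub image", priv12)
	kernel12 := sign("kernel-good", "fedora-2012", "fixed kernel", priv12)
	firmware := Policy{Trusted: map[string]ed25519.PublicKey{"microsoft": msKey}, Forbidden: map[[32]byte]bool{}}
	shim := Policy{Trusted: map[string]ed25519.PublicKey{"fedora-2011": key11, "fedora-2012": key12}, Forbidden: map[[32]byte]bool{}}
	out := map[string]error{}
	out["fresh chain"] = VerifyChain(firmware, shim, shimOld, grub, kernelBad) // nothing revoked: the bug boots
	// Option 1: the updated shim lists the bad kernel's hash; only that image is
	// refused, GRUB and the fixed kernel (same key) still load.
	shim.Forbidden[sha256.Sum256(kernelBad.Image)] = true
	out["denylist, bad kernel"] = VerifyChain(firmware, shim, shimNew, grub, kernelBad)
	out["denylist, good kernel"] = VerifyChain(firmware, shim, shimNew, grub, kernelGood)
	// kevinm's objection: old shim + bad kernel still boots, until dbx revokes the old shim by hash.
	oldShim := Policy{Trusted: shim.Trusted, Forbidden: map[[32]byte]bool{}}
	out["old shim, bad kernel"] = VerifyChain(firmware, oldShim, shimOld, grub, kernelBad)
	firmware.Forbidden[sha256.Sum256(shimOld.Image)] = true
	out["old shim revoked in dbx"] = VerifyChain(firmware, oldShim, shimOld, grub, kernelBad)
	// Option 2: revoke the subkey and ship new signatures, made with its replacement, for the unaffected parts.
	delete(shim.Trusted, "fedora-2011")
	out["old subkey revoked"] = VerifyChain(firmware, shim, shimNew, grub, kernelGood)
	out["re-signed with new subkey"] = VerifyChain(firmware, shim, shimNew, grub12, kernel12)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-26s -> %v\n", name, err)
	}
}
```

Running it prints one line per scenario; the "old shim, bad kernel" line shows kevinm's problem (an un-updated shim plus the buggy kernel still verifies), and the line after it shows mjg59's answer (once the old shim's hash is in the firmware's denylist, that chain fails at the first stage regardless of what the shim would have accepted).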

Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 19:03 UTC (Wed) by daniels (subscriber, #16193)

Yes, in that case things are a serious pain to get working. I assume they'd quite widely ship a live USB image (perhaps even a Windows executable) to update the bootloader.

The option you always have is disabling secure boot, which means that in its very very worst case it's no better than not doing anything at all. In its best (and presumably overwhelmingly dominant) case then it's infinitely better.

I'm struggling to see the downside.

Fedora, secure boot, and an insecure future

Posted Jun 9, 2012 0:28 UTC (Sat) by wookey (guest, #5501)

Except on ARM where you don't get the option of disabling it.

Fedora, secure boot, and an insecure future

Posted Jun 9, 2012 1:27 UTC (Sat) by raven667 (subscriber, #5198)

Yep, Fedora is not playing that game; they aren't going to ship for Win8 logo ARM machines for this very reason.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds