Fedora, secure boot, and an insecure future
Posted Jun 6, 2012 6:15 UTC (Wed) by smurf (subscriber, #17840)
In reply to: Fedora, secure boot, and an insecure future by russell
Parent article: Fedora, secure boot, and an insecure future
One needs to distinguish between the initial small bootloader, signed by M$/Verisign, and everything else, which will be signed by Fedora.
If some security-circumventing bug is found, there are a couple of options:
* store a list of hashes in the kernel, modules having that hash being forbidden to load.
* Use a sub-key for signing modules / the kernel; if buggy, revoke that subkey, distribute another one, distribute new signatures for non-affected parts of the system. This probably boils down to "don't trust any subkey created before <date>".
* Build a new mini-bootloader that only knows a new Fedora key, and install that. Ship new signatures for GRUB, the kernel, and all modules.
In none of these scenarios is there any possibility of the system being non-bootable – the running system can easily verify that the signature chain is unbroken before rebooting.
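The chain and the three revocation options described in the post above, as an added example that is not from the original thread and not Fedora's shim/GRUB/kernel tooling. All keys, key ids, dates and artifact contents are constructed; HMAC over a per-key secret stands in for the RSA/ECDSA signatures a real chain uses, and the shim payload is reduced to the vendor key id it embeds. The verifier walks firmware root, shim, vendor key, subkey, artifacts, applies a hash denylist (option 1) and a subkey creation-date cutoff (option 2), and a new shim with a new vendor key (option 3) is shown by simply building a second chain.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins, not Fedora's tooling: HMAC over a per-key secret models "did this
# key sign these bytes" so this runs on the stdlib; a real chain uses RSA/ECDSA signatures.

@dataclass(frozen=True)
class Key:
    key_id: str
    created: int    # YYYYMMDD, so a policy can say "distrust subkeys created before <date>"
    secret: bytes   # stand-in for the private half

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)

@dataclass(frozen=True)
class Signed:
    name: str
    payload: bytes
    signer_id: str
    sig: bytes

def sign(name: str, payload: bytes, key: Key) -> Signed:
    return Signed(name, payload, key.key_id, key.sign(payload))

def subkey_record(subkey: Key) -> bytes:
    return f"{subkey.key_id}|created={subkey.created}".encode()  # what the vendor key certifies

@dataclass
class Policy:
    firmware_db: dict           # key_id -> Key the firmware trusts (the M$/Verisign root)
    hash_denylist: set          # option 1: hashes of artifacts forbidden to load
    subkey_not_before: int = 0  # option 2: distrust subkeys created before this date

@dataclass
class Chain:
    shim: Signed         # mini bootloader signed by a firmware root; its payload stands for
    vendor_key: Key      #   its code plus the distro key it embeds
    subkey_cert: Signed  # subkey_record(subkey) signed by vendor_key
    subkey: Key
    artifacts: list      # GRUB, kernel, modules, each signed by subkey

def build_chain(root: Key, vendor_key: Key, subkey: Key, payloads: dict) -> Chain:
    return Chain(sign("shim", vendor_key.key_id.encode(), root), vendor_key,
                 sign("subkey-cert", subkey_record(subkey), vendor_key), subkey,
                 [sign(name, data, subkey) for name, data in payloads.items()])

def verify_chain(policy: Policy, chain: Chain):
    """Walk firmware root -> shim -> vendor key -> subkey -> artifacts; returns (ok, reason)."""
    root = policy.firmware_db.get(chain.shim.signer_id)
    if root is None or not root.verify(chain.shim.payload, chain.shim.sig):
        return False, "shim not signed by a firmware-trusted key"
    if chain.shim.payload != chain.vendor_key.key_id.encode():
        return False, "shim does not embed the claimed vendor key"
    cert = chain.subkey_cert
    if (cert.signer_id != chain.vendor_key.key_id or cert.payload != subkey_record(chain.subkey)
            or not chain.vendor_key.verify(cert.payload, cert.sig)):
        return False, "subkey not certified by the vendor key"
    if chain.subkey.created < policy.subkey_not_before:
        return False, f"subkey {chain.subkey.key_id} predates the revocation cutoff"
    for a in chain.artifacts:
        if a.signer_id != chain.subkey.key_id or not chain.subkey.verify(a.payload, a.sig):
            return False, f"{a.name}: bad signature"
        if hashlib.sha256(a.payload).hexdigest() in policy.hash_denylist:
            return False, f"{a.name}: hash is denylisted"
    return True, "chain unbroken"

def run_scenarios() -> dict:
    """The three revocation options from the post, as verify_chain's ok flag per step."""
    ms = Key("ms-uefi-ca", 20110101, b"ms-secret")
    fedora = Key("fedora-2012", 20120101, b"fedora-secret")
    sub1 = Key("fedora-sub-1", 20120301, b"sub1-secret")
    payloads = {"grub": b"grub-2.00", "vmlinuz": b"kernel-3.4-buggy", "nouveau.ko": b"nouveau-3.4"}
    fixed = dict(payloads, vmlinuz=b"kernel-3.4-fixed")
    policy = Policy({ms.key_id: ms}, set())
    chain = build_chain(ms, fedora, sub1, payloads)
    out = {"initial": verify_chain(policy, chain)[0]}
    # Option 1: forbid the buggy kernel by hash; a fixed kernel under the same subkey still loads.
    policy.hash_denylist.add(hashlib.sha256(payloads["vmlinuz"]).hexdigest())
    out["denylist_old"] = verify_chain(policy, chain)[0]
    out["denylist_fixed"] = verify_chain(policy, build_chain(ms, fedora, sub1, fixed))[0]
    # Option 2: distrust subkeys created before a date, re-sign the unaffected parts with a new one.
    policy = Policy({ms.key_id: ms}, set(), subkey_not_before=20120601)
    sub2 = Key("fedora-sub-2", 20120601, b"sub2-secret")
    out["cutoff_old"] = verify_chain(policy, chain)[0]
    out["cutoff_resigned"] = verify_chain(policy, build_chain(ms, fedora, sub2, fixed))[0]
    # Option 3: a new shim that only knows a new vendor key; the old subkey cert is foreign to it.
    fedora2 = Key("fedora-2012b", 20120601, b"fedora2-secret")
    stale = Chain(sign("shim", fedora2.key_id.encode(), ms), fedora2, chain.subkey_cert, sub1, chain.artifacts)
    out["newshim_old"] = verify_chain(policy, stale)[0]
    out["newshim_resigned"] = verify_chain(policy, build_chain(ms, fedora2, sub2, fixed))[0]
    return out
```

`verify_chain` is also the "verify before rebooting" check the post relies on: the running system runs it over the staged shim, vendor key, subkey certificate and files under the policy it is about to install, and only commits the reboot when it returns `(True, "chain unbroken")`. Note that the denylist is consulted by the component that loads the artifact (here the chain verifier, standing in for shim or kernel), which is where it has to sit to stop a revoked object from being loaded in the first place.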
Posted Jun 6, 2012 6:51 UTC (Wed) by neilbrown (subscriber, #359)
Because the bootloader would have to contain Fedora's key, so it could verify the kernel that it was loading.
If the kernel is exploitable, then anything which trusts the key is exploitable, so the bootloader containing the key is exploitable, so the key which verifies it must be revoked.
Is that right?
Posted Jun 6, 2012 18:46 UTC (Wed) by pjones (subscriber, #31722)
Posted Jun 14, 2012 5:07 UTC (Thu) by kevinm (guest, #69913)
Posted Jun 14, 2012 12:03 UTC (Thu) by mjg59 (subscriber, #23239)