
Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 6:51 UTC (Wed) by neilbrown (subscriber, #359)
In reply to: Fedora, secure boot, and an insecure future by smurf
Parent article: Fedora, secure boot, and an insecure future

> Why would anybody revoke Fedora's UEFI bootloader signature? Presumably it's small and simple enough not to be exploitable itself.

Because the bootloader would have to contain Fedora's key, so it could verify the kernel that it was loading.

If the kernel is exploitable, then anything which trusts the key is exploitable, so the bootloader containing the key is exploitable, so the key which verifies it must be revoked.

Is that right?


Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 18:46 UTC (Wed) by pjones (subscriber, #31722) [Link] (2 responses)

No, that doesn't follow. If a signed kernel is exploitable, that kernel needs to be prevented from being used (using whatever mechanism). Other things signed by that key may still be trusted, depending on the circumstances.

Fedora, secure boot, and an insecure future

Posted Jun 14, 2012 5:07 UTC (Thu) by kevinm (guest, #69913) [Link] (1 responses)

It doesn't matter if you release an update for the signed bootloader that refuses to boot the known-buggy kernel, because the original signed bootloader that *doesn't* have that update is still out in the wild. Malware that wants to take over Windows machines will simply use the un-updated signed bootloader together with the signed buggy kernel.

Fedora, secure boot, and an insecure future

Posted Jun 14, 2012 12:03 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

That's why you're able to revoke binaries at the firmware level.
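
Added example, not part of any comment above and not Fedora's or any firmware's code: a simplified Python model of the distinction this thread turns on, revoking one signed binary through the firmware's forbidden list (UEFI's dbx) versus revoking the key that signed it. Assumptions: HMAC stands in for the real signature check, plain SHA-256 for the image hash, and all names, keys and image contents are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Image:
    name: str
    body: bytes   # constructed stand-in for a signed boot binary
    signer: str   # id of the key that signed it
    sig: bytes

def sign(name, body, signer, key):
    # Simplification: HMAC stands in for a public-key signature.
    return Image(name, body, signer, hmac.new(key, body, hashlib.sha256).digest())

def digest(img):
    # Simplification: plain SHA-256 of the bytes, not a real PE image hash.
    return hashlib.sha256(img.body).hexdigest()

def firmware_allows(img, db, dbx_hashes, dbx_signers):
    """Load decision: the forbidden list (dbx) is checked before the allowed list (db)."""
    if digest(img) in dbx_hashes or img.signer in dbx_signers:
        return False                      # revoked binary or revoked signer
    key = db.get(img.signer)
    if key is None:
        return False                      # signer not trusted at all
    expected = hmac.new(key, img.body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, img.sig)

# Constructed sample data: two bootloaders signed by the same vendor key.
VENDOR, KEY = "vendor-key", b"constructed-demo-key"
DB = {VENDOR: KEY}
old_loader = sign("loader-v1", b"boots any vendor-signed kernel", VENDOR, KEY)
new_loader = sign("loader-v2", b"refuses the known-buggy kernel", VENDOR, KEY)

def scenario(dbx_hashes=frozenset(), dbx_signers=frozenset()):
    """Return which of the two loaders the modelled firmware would run."""
    return {i.name: firmware_allows(i, DB, dbx_hashes, dbx_signers)
            for i in (old_loader, new_loader)}

if __name__ == "__main__":
    print("no revocation:     ", scenario())
    print("hash of v1 revoked:", scenario(dbx_hashes={digest(old_loader)}))
    print("signer revoked:    ", scenario(dbx_signers={VENDOR}))
```

With only the old loader's hash on the forbidden list, the un-updated binary stops loading while the updated one, signed by the same key, still runs; putting the signer on the list blocks both.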

