
Details on Ubuntu's UEFI secure boot plan


Posted Jun 23, 2012 0:16 UTC (Sat) by jspaleta (subscriber, #50639)
In reply to: Details on Ubuntu's UEFI secure boot plan by raven667
Parent article: Details on Ubuntu's UEFI secure boot plan

the gpl3 license interpretation aside......

I simply do not understand the rationale for not requiring signed kernels and kernel drivers. This seems to defeat the whole point of secureboot. As soon as a signed bootloader allows you to load an unsigned blob..game over.

This is sort of the whole point of the revocation process isn't it? Once a signed bootloader is compromised to allow it to run verified blobs..you revoke the key and prevent the signed bootloader from operating on that system.

You might as well just disable secureboot and be done with it if you are going to use a Microsoft signed bootloader that allows anything to be loaded.

-jef



Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 0:19 UTC (Sat) by dlang (subscriber, #313)

the issue is the fear that trying to tell users how to disable this will make it too hard for them to install linux.

the linux distros aren't doing this because they are trying to lock the system down and make it safer, they are just trying to make it not noticeably harder to install their distro on a new machine than it is today.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 0:43 UTC (Sat) by jspaleta (subscriber, #50639)

I do not think you can lump all distros and distro vendors together as to whether or not they see value in secureboot as a feature. There are recognized limitations of the specification that make it more painful than it should be, but some do see value in the secureboot goal. And I bet vendors who understand how to run a profitable software business will find customers who understand the security value and will produce a solution that exposes the value. Other vendors, who continue to do the least amount of effort possible, will continue to fail to attract paying customers and will continue to bleed money. To those vendors, this is just an engineer resources drain.. not an opportunity to upsell a security feature.

But more specifically....If Canonical is going to be using a MS signed bootloader... it seems to me what MS considers what secureboot enabled implies is going to matter a lot. So Canonical does this... MS revokes their key...and we are back to square one with Ubuntu users having to disable secureboot to work with Ubuntu. Except now it's users with already installed dual-boot Ubuntu/Windows who find they can't load their Ubuntu bootloader because of a key revocation from MS.

Here's to hoping MS doesn't see Canonical's cavalier attitude towards signed kernels as a security threat to Windows installs. I really really hope that MS considers any dual boot situation as a non-starter for enforcement and ignores anything involving an alternative bootloader unless a request comes in from the entity who controls the bootloader's signature to revoke a key. Hope for the best... plan for the worst.

-jef

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 0:54 UTC (Sat) by dlang (subscriber, #313)

the two vendors who have spoken up so far (Canonical and Fedora) both seem primarily worried about the difficulty in installing the distro on new hardware.

so I think it's fair to use those statements to say what the main concern seems to be.

There may be other distros in the future that try to use this for security, but that's not the situation right now.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 4:39 UTC (Sat) by bgilbert (✭ supporter ✭, #4738)

Dual-boot systems are not the problem. A worm targeting Windows-only systems could install the Ubuntu bootloader and use that to chainload itself at boot.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 4:47 UTC (Sat) by mjg59 (subscriber, #23239)

Or use the Ubuntu bootloader to target non-Ubuntu Linuxes.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 2:21 UTC (Sat) by dmaxwell (guest, #14010)

I use Linux based netboot solutions to install images and I often do this remotely. In particular, I'm currently using FOG to install XP and Win7 images and I've triggered this remotely more than once. As an added wrinkle, I also use Linux to remotely image both OS X and Windows to Intel Macs.

I absolutely have to have machines able to boot in Linux, install the OS images required, then boot into the non-Linux OS that the end user is going to use. Vendor centric Secureboot could really mess me up.

At a minimum, I need to be able to add keys to the BIOS on these machines that allow both my imaging infrastructure and Windows to boot. We are phasing the Macs out by attrition for other reasons.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 23:13 UTC (Sat) by debacle (subscriber, #7114)

> I simply do not understand the rationale for not requiring signed kernels and kernel drivers.

As long as I can easily and without any financial cost use kernel and drivers signed by myself, this would be OK. All this "open source" and "free software" stuff is about being able to change the software. If I understood Fedora's plan correctly, their solution implies that I cannot change the kernel or drivers without sacrificing secure boot, contrary to Ubuntu's approach, right? PCMIIW.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 23:19 UTC (Sat) by mjg59 (subscriber, #23239)

Just add new keys to the firmware database. Any machine with a Windows logo will let you do that.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 23:22 UTC (Sat) by AndreE (guest, #60148)

No. You can add your own key to the UEFI and sign your kernels with that

