
Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 12:45 UTC (Thu) by gerv (subscriber, #3376)
Parent article: Details on Ubuntu's UEFI secure boot plan

"and the UEFI specification only allows an image to be signed by a single key"

That seems to be the flaw at the heart of it all. Is there any possibility of that ever being fixed?

Gerv



Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 14:33 UTC (Thu) by dashesy (guest, #74652)

I was wondering exactly the same: why nobody asked for this. Then I (as a normal desktop) could just avoid buying hardware that does not have the Linux keys I care about (Fedora Certified, Ubuntu Certified, ...).

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 14:37 UTC (Thu) by mjg59 (subscriber, #23239)

Yes. It turns out that the specification actually permits it, but doesn't describe what the semantics of having multiple keys should be. Further, the only implementation ignores any key after the first.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 14:50 UTC (Thu) by gerv (subscriber, #3376)

Surely the semantics of multiple signatures is "attempt to validate them all, in order, and proceed if any of them validate"? What are the other options? "Proceed if all of them validate"?

Can we fix the existing implementation? (Who wrote it?) And encourage BIOS authors (is that right? I'm sure there's more than one of them) who are still implementing to get this right?

Gerv

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 14:56 UTC (Thu) by mjg59 (subscriber, #23239)

And blacklisting? There are Obviously Correct interpretations, but since they're not written down it's well within the realms of possibility that people would screw this up. There's ongoing work to rectify this, but it's not going to happen in time for the first wave of machines.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 28, 2012 15:11 UTC (Thu) by gerv (subscriber, #3376)

Good point about blacklisting. I'm really glad to hear there's ongoing work to fix this; it gives me hope that in 5 years' time, the situation may not be as bad as it looks now.

Gerv
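
The ambiguity discussed in this thread, as an added Python model that is not from any commenter and is not firmware code: it compares "only the first signature counts", "proceed if any validates", "proceed if all validate", and "any validates unless a signer is blacklisted" over constructed signer lists. The signer names, both lists and the policy names are assumptions made for illustration.

```python
# Added model of the multi-signature ambiguity; all data is constructed.
ALLOWED = {"vendor-A", "distro-B"}   # stands in for the trusted-key list
BLACKLIST = {"distro-C"}             # stands in for the blacklist

def sig_ok(signer):
    """A signature validates if its signer is trusted and not blacklisted."""
    return signer in ALLOWED and signer not in BLACKLIST

def first_only(sigs):
    # Signatures after the first are ignored entirely.
    return bool(sigs) and sig_ok(sigs[0])

def any_valid(sigs):
    # "Attempt to validate them all, proceed if any of them validate."
    return any(sig_ok(s) for s in sigs)

def all_valid(sigs):
    # "Proceed if all of them validate."
    return bool(sigs) and all(sig_ok(s) for s in sigs)

def any_valid_no_blacklisted(sigs):
    # Any valid signature is enough, but one blacklisted signer vetoes.
    return any_valid(sigs) and not any(s in BLACKLIST for s in sigs)

POLICIES = {f.__name__: f for f in
            (first_only, any_valid, all_valid, any_valid_no_blacklisted)}

# Constructed images: name -> ordered list of signers on the image.
IMAGES = {
    "single":             ["vendor-A"],
    "dual":               ["vendor-A", "distro-B"],
    "unknown-first":      ["unknown-X", "distro-B"],
    "blacklisted-second": ["vendor-A", "distro-C"],
    "unsigned":           [],
}

def evaluate(sigs):
    """Boot decision for one image under every policy."""
    return {name: policy(sigs) for name, policy in POLICIES.items()}

def disagreements(images):
    """Names of images on which the policies reach different decisions."""
    return [n for n, s in images.items() if len(set(evaluate(s).values())) > 1]

if __name__ == "__main__":
    for name, sigs in IMAGES.items():
        print(f"{name:20} {evaluate(sigs)}")
    print("policies disagree on:", disagreements(IMAGES))
```
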

