
A UEFI secure boot and TianoCore info page

From:  James Bottomley <James.Bottomley-AT-HansenPartnership.com>
To:  linux-efi-AT-vger.kernel.org
Subject:  Web page about current virtual environment uefi secure booting up
Date:  Sat, 30 Jun 2012 13:33:37 +0100
Message-ID:  <1341059617.3136.20.camel@dabdike.int.hansenpartnership.com>
Cc:  linux-kernel <linux-kernel-AT-vger.kernel.org>

I've put together a web page here:

http://blog.hansenpartnership.com/uefi-secure-boot/

To keep track of all the stuff I had to know to get UEFI secure boot
working under qemu with TianoCore.  I'll update it as things change (or
as I find out more).

James


A UEFI secure boot and TianoCore info page

Posted Jul 17, 2012 16:42 UTC (Tue) by Baylink (guest, #755)

It's likely I'm missing something...

but if you can make UEFI boot under a virtualization environment, doesn't that completely obviate the security it was supposed to provide in the first place?

A UEFI secure boot and TianoCore info page

Posted Jul 17, 2012 17:43 UTC (Tue) by Lennie (guest, #49641)

One thing it is useful for, as I understand it, is as a UEFI developer environment.

Also, we have 2 situations:

The BIOS/firmware checks the OS-kernel, bootloader and driver at boot to see if they have not been tampered with.

The hypervisor or similar software running the VM checks the OS-kernel, bootloader and drivers of the VM at startup of the VM to see if they have not been tampered with.

How would it be less secure?

I'm not aware of the OS (running on the bare metal or in the VM) checking the firmware and bootloader too. If that was true, then yes, the VM could probably be fooled.

If there was some mechanism for the VM to check its environment, you could obviously sign the firmware/BIOS, OS-kernel, bootloader, drivers and the hypervisor and the OS-kernel, drivers and bootloader of the VM too.

In that case I wouldn't be surprised if some vendor would eventually do it, maybe even with TPM-support who knows.
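The two situations above (firmware checking the host's boot chain, and the hypervisor checking the guest's) can be modelled as the same check applied at two layers. The following is an added example, not code from the mailing-list post, from TianoCore, or from the commenters. It simplifies UEFI secure boot to an allowlist ("db") and a revocation list ("dbx") of SHA-256 image hashes, which is one of the entry types UEFI actually supports; real firmware additionally verifies Authenticode signatures against certificates in db, which this model omits. The image bytes, the `verify_chain`/`verify_nested` function names and the stage names are constructed for illustration. The nested function also makes the commenter's caveat concrete: a guest chain verdict is only meaningful if the host chain it runs on was itself verified, because nothing inside the guest can check the hypervisor.

```python
import hashlib

# Constructed stand-ins for an EFI bootloader, a kernel and a driver.
# They are not real binaries; only their hashes matter to the model.
HOST_STAGES = [
    ("bootloader", b"constructed: host shim/grub image v1"),
    ("kernel", b"constructed: host vmlinuz image v1"),
    ("driver", b"constructed: host option-rom driver v1"),
]
GUEST_STAGES = [
    ("bootloader", b"constructed: guest grub image v1"),
    ("kernel", b"constructed: guest vmlinuz image v1"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_db(stages) -> set:
    """Hypothetical allowlist: hashes of known-good images (UEFI 'db' style)."""
    return {sha256_hex(image) for _, image in stages}


def verify_chain(stages, db: set, dbx: set):
    """Check each stage in boot order and stop at the first untrusted image.

    Returns (booted, log) where log is a list of (stage name, verdict).
    A revoked hash (in dbx) wins over an allowed one, as in UEFI.
    """
    log = []
    for name, image in stages:
        digest = sha256_hex(image)
        if digest in dbx:
            log.append((name, "revoked"))
            return False, log
        if digest not in db:
            log.append((name, "untrusted"))
            return False, log
        log.append((name, "ok"))
    return True, log


def verify_nested(host_stages, host_db, host_dbx, guest_stages, guest_db, guest_dbx):
    """Firmware verifies the host chain; only then does the hypervisor verify the guest.

    If the host chain fails, the guest is reported as 'unverifiable': a guest
    check performed by an untrusted hypervisor tells you nothing.
    """
    host_ok, host_log = verify_chain(host_stages, host_db, host_dbx)
    if not host_ok:
        return {"host": host_log, "guest": "unverifiable"}
    guest_ok, guest_log = verify_chain(guest_stages, guest_db, guest_dbx)
    return {"host": host_log, "guest": guest_log, "guest_booted": guest_ok}


def tampered(stages, stage_name: str):
    """Return a copy of the chain with one image altered (constructed tampering)."""
    return [
        (name, image + b" [modified]") if name == stage_name else (name, image)
        for name, image in stages
    ]


if __name__ == "__main__":
    db = build_db(HOST_STAGES)
    print(verify_chain(HOST_STAGES, db, set()))
    print(verify_chain(tampered(HOST_STAGES, "kernel"), db, set()))
    print(verify_nested(tampered(HOST_STAGES, "bootloader"), db, set(),
                        GUEST_STAGES, build_db(GUEST_STAGES), set()))
```

Running the block as a script prints a clean host boot, a host boot that stops at the modified kernel without ever evaluating the driver, and a nested case where a modified host bootloader leaves the guest verdict "unverifiable" even though the guest images themselves are untouched.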


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds