|
|
Subscribe / Log in / New account

LSS: Secure Boot

LSS: Secure Boot

Posted Sep 13, 2012 14:44 UTC (Thu) by robertm (subscriber, #20200)
In reply to: LSS: Secure Boot by pjones
Parent article: LSS: Secure Boot

Hey look at that, more features gone in this rush to bend over backwards to accommodate Microsoft's anti-software-freedom initiative.

to post comments

LSS: Secure Boot

Posted Sep 13, 2012 17:48 UTC (Thu) by pjones (subscriber, #31722) [Link] (3 responses)

If there's something we're not building in to that grub2 image that you actually need for something supported by our OS, then it's perfectly reasonable to file a bug to include that module so it'll be fixed. If you want more modules for something that's not supported by our OS, you have several options. They include: 1) paying VeriSign $99 to get your own access to the signing service, 2) putting your own keys in the firmware and signing your own build yourself, and 3) disabling secure boot, which will allow grub2 to load modules again. Any inconvenience is unfortunate, but any of these should be sufficient to avoid whatever problem you may have. You still have all the freedoms you had before, including the freedom to have malware install "bootkits, if you want them.

LSS: Secure Boot

Posted Sep 13, 2012 18:23 UTC (Thu) by hummassa (subscriber, #307) [Link] (2 responses)

> You still have all the freedoms you had before, including the freedom to have malware install "bootkits, if you want them.

IOW: NOTHING will, in the end, impede malware to install bootkits/jailbreaks. :-D

This way, people are doing all this work to appease Microsoft, under risk of making people think that Secure Boot (TM) is actually secure, which will after all DIMINISH the security status of potential-botnet-drones around the world. Ah, let's not forget the privacy/liberty implications. Hmm...

LSS: Secure Boot

Posted Sep 13, 2012 19:04 UTC (Thu) by pjones (subscriber, #31722) [Link] (1 responses)

Well, it's certainly not secure if you turn it off. I don't think anybody is under that illusion. But the issue you're taking here is that the status quo remains: if you do something your OS doesn't support, your OS vendor isn't going to support you. You're still free to do it, and can even do it securely - though it will require more effort from you. If you choose to disable security features instead of putting that effort in, you'll not be able to take advantage of the added security.

LSS: Secure Boot

Posted Sep 13, 2012 23:51 UTC (Thu) by hummassa (subscriber, #307) [Link]

> If you choose to disable security features instead of putting that effort in, you'll not be able to take advantage of the added security.

You know, you kind of proved my point. There is NO added security, because you can always find another vulnerability in the kernel, and use that to escalate past the bootloader (like creating crafted restore-from-hibernation images) and people will act under the illusion that their systems have "added security" when they aren't, which, as I mentioned, diminishes the overall security. For instance, the crafted restore image could allow running unsigned or signed-by-the-malware-author executables or substitute key libraries.

And again, that is my point: "Secure Boot" == "fake security", which is far worse than "no security".

And worse yet: "Secure Boot" == "you are running a signed O.S. (with Defective by Design implications and I Can Phone Home and invade your privacy implications)" OR "you are running a signed (bla bla) but COMPROMISED by malware O.S."...

LSS: Secure Boot

Posted Sep 14, 2012 12:05 UTC (Fri) by jeroen (guest, #12372) [Link] (2 responses)

The only reason GRUB 2 actually has loadable modules is that it is very difficult to load a big binary reliably with MBR booting. With UEFI that problem is gone and we can just load a monolithic GRUB. There is no reason left to keep using loadable modules with its error-prone selecting of which modules are needed at boot time to load the other modules.

LSS: Secure Boot

Posted Sep 14, 2012 14:49 UTC (Fri) by BenHutchings (subscriber, #37955) [Link] (1 responses)

Right, I have seen the 'grub rescue>' prompt on UEFI way too many times already. (GRUB still looks up GPT partitions by index, not UUID, but repartitioning tools - or at least parted - don't seem to maintain numbering in GPTs.)

LSS: Secure Boot

Posted Sep 14, 2012 20:50 UTC (Fri) by idupree (guest, #71169) [Link]

gdisk (gptfdisk) maintains partition numbering. It's parted that likes to change it.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds