
Signing ELF binaries


Posted Jan 17, 2013 8:41 UTC (Thu) by kugel (subscriber, #70540)
Parent article: Signing ELF binaries

I'm probably overlooking something totally obvious, but...

how can kexec trick Windows into believing it's in a secure boot environment (SBE) while it's not?

If Linux boots in SBE, then Windows is also in the SBE (Windows will verify this, no?). If Linux boots in non-SBE and kexecs Windows, then Windows verification fails and it knows it's in non-SBE.


Signing ELF binaries

Posted Jan 17, 2013 10:48 UTC (Thu) by keeperofdakeys (subscriber, #82635)

Secure boot works a bit differently to what you think. The purpose of secure boot is to check the cryptographic hash of a binary, and if it's not trusted, then it isn't executed. Beyond this, there are no other protections. If you only sign pieces of code that you trust, and these only execute (privileged) pieces of code that you trust, you can ensure you are protected. So a signed, malicious binary can emulate an SBE environment, then boot the SBE-enabled Windows.

Signing ELF binaries

Posted Jan 17, 2013 12:42 UTC (Thu) by mjg59 (subscriber, #23239)

What do you mean, "In the SBE"? Windows can only verify itself if everything that's executed before it is trusted. If you can (via kexec) end up executing a modified Windows kernel, you've violated that expectation.

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.