
Garrett: Secure Boot and Restricted Boot


Posted Apr 9, 2013 5:26 UTC (Tue) by paulj (subscriber, #341)
In reply to: Garrett: Secure Boot and Restricted Boot by raven667
Parent article: Garrett: Secure Boot and Restricted Boot

Oh, on sand-boxing. Fully agreed with such technologies. These seem to be the best way we have to secure our software - by limiting and controlling the environment it is run on.

However, clearly, this does NOT require that the main OS environment be the one that is restricted, limited, sand-boxed, etc., through things like Secure Boot.



Garrett: Secure Boot and Restricted Boot

Posted Apr 9, 2013 15:24 UTC (Tue) by raven667 (subscriber, #5198)

I'm not sure I'd use the words restriction, limitation or sand-box, as it can't prevent you from using the machine in any way you want, it just defines a signature checking and validation like Tripwire but with a way to update the database securely and a policy to not load files that haven't come through the owner's defined process.

Garrett: Secure Boot and Restricted Boot

Posted Apr 9, 2013 15:51 UTC (Tue) by paulj (subscriber, #341)

The Secure Boot code, and the signing infrastructure brought in for Secure Boot can become Restricted Boot, if some platform flips the equivalent of a bit of information (see, e.g., the MS Surface ARM "Secure Boot", or future platforms), do you agree on that?

If that abstract bit is flipped, it will be the "Secure Boot" code that stops you booting your own software, and restricts you to approved software. (Unless you have the expertise handy to exploit the software - I don't).

And still I haven't seen any convincing explanation for how this code helps protect me against those who /do/ exploit software regularly, for fun & profit.

