[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security
Matthew Garrett
mjg59 at srcf.ucam.org
Wed Jun 27 18:41:46 UTC 2012

On Wed, Jun 27, 2012 at 07:39:26PM +0100, James Bottomley wrote:
> On Wed, 2012-06-27 at 18:58 +0100, Matthew Garrett wrote:
> > If I can boot a signed Linux kernel and then use that to launch a
> > trojaned Linux or Windows kernel then that signed kernel is likely to be
> > blacklisted.
>
> That's an extreme interpretation. We can debate this at the kernel
> summit, but it's my belief that no-one, least of all Microsoft, the only
> possible CA for UEFI keys, is going to blacklist a Linux Key on the
> grounds that there's a possible trojan vector.

Sure, it's unlikely that anything will be blacklisted on a hypothetical.
But it's not like writing winkexec would be difficult.

> Just look at Ubuntu's current secure boot plans: They're going to do a
> winqual signed elilo that will initially boot unsigned kernels.
> Microsoft seems to be happy with that

(Citation needed)

--
Matthew Garrett | mjg59 at srcf.ucam.org