[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security

Matthew Garrett mjg59 at srcf.ucam.org
Wed Jun 27 18:41:46 UTC 2012


On Wed, Jun 27, 2012 at 07:39:26PM +0100, James Bottomley wrote:
> On Wed, 2012-06-27 at 18:58 +0100, Matthew Garrett wrote:
> > If I can boot a signed Linux kernel and then use that to launch a 
> > trojaned Linux or Windows kernel then that signed kernel is likely to be 
> > blacklisted.
> 
> That's an extreme interpretation.  We can debate this at the kernel
> summit, but it's my belief that no-one, least of all Microsoft, the only
> possible CA for UEFI keys, is going to blacklist a Linux Key on the
> grounds that there's a possible trojan vector.

Sure, it's unlikely that anything will be blacklisted on a hypothetical. 
But it's not like writing winkexec would be difficult.

> Just look at Ubuntu's current secure boot plans: They're going to do a
> winqual signed elilo that will initially boot unsigned kernels.
> Microsoft seems to be happy with that

(Citation needed)

-- 
Matthew Garrett | mjg59 at srcf.ucam.org


More information about the Ksummit-2012-discuss mailing list