[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security
James Bottomley
James.Bottomley at HansenPartnership.com
Wed Jun 27 18:59:17 UTC 2012
On Wed, 2012-06-27 at 19:41 +0100, Matthew Garrett wrote:
> On Wed, Jun 27, 2012 at 07:39:26PM +0100, James Bottomley wrote:
> > On Wed, 2012-06-27 at 18:58 +0100, Matthew Garrett wrote:
> > > If I can boot a signed Linux kernel and then use that to launch a
> > > trojaned Linux or Windows kernel then that signed kernel is likely to be
> > > blacklisted.
> >
> > That's an extreme interpretation. We can debate this at the kernel
> > summit, but it's my belief that no-one, least of all Microsoft, the only
> > possible CA for UEFI keys, is going to blacklist a Linux Key on the
> > grounds that there's a possible trojan vector.
>
> Sure, it's unlikely that anything will be blacklisted on a hypothetical.
> But it's not like writing winkexec would be difficult.
>
> > Just look at Ubuntu's current secure boot plans: They're going to do a
> > winqual signed elilo that will initially boot unsigned kernels.
> > Microsoft seems to be happy with that
>
> (Citation needed)
It's
https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html
Kernel Signing: ... "Therefore, we will only be requiring authentication
of boot loader binaries. Ubuntu will not require signed kernel images
or kernel modules."
Or did you mean citation of "Microsoft seems happy with it"? I was just
taking that from the fact that there's been no negative Redmond reaction
to the publicly posted plans.
James
More information about the Ksummit-2012-discuss
mailing list