[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security

James Bottomley James.Bottomley at HansenPartnership.com
Wed Jun 27 18:59:17 UTC 2012

On Wed, 2012-06-27 at 19:41 +0100, Matthew Garrett wrote:
> On Wed, Jun 27, 2012 at 07:39:26PM +0100, James Bottomley wrote:
> > On Wed, 2012-06-27 at 18:58 +0100, Matthew Garrett wrote:
> > > If I can boot a signed Linux kernel and then use that to launch a 
> > > trojaned Linux or Windows kernel then that signed kernel is likely to be 
> > > blacklisted.
> > 
> > That's an extreme interpretation.  We can debate this at the kernel
> > summit, but it's my belief that no-one, least of all Microsoft, the only
> > possible CA for UEFI keys, is going to blacklist a Linux Key on the
> > grounds that there's a possible trojan vector.
> Sure, it's unlikely that anything will be blacklisted on a hypothetical. 
> But it's not like writing winkexec would be difficult.
> > Just look at Ubuntu's current secure boot plans: They're going to do a
> > winqual signed elilo that will initially boot unsigned kernels.
> > Microsoft seems to be happy with that
> (Citation needed)



Kernel Signing: ... "Therefore, we will only be requiring authentication
of boot loader binaries.  Ubuntu will not require signed kernel images
or kernel modules."

Or did you mean citation of "Microsoft seems happy with it"?  I was just
taking that from the fact that there's been no negative Redmond reaction
to the publicly posted plans.


More information about the Ksummit-2012-discuss mailing list