[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security

James Bottomley James.Bottomley at HansenPartnership.com
Thu Jun 28 15:24:57 UTC 2012


On Thu, 2012-06-28 at 14:48 +0100, Stefano Stabellini wrote:
> On Wed, 27 Jun 2012, James Bottomley wrote:
> > On Wed, 2012-06-27 at 19:41 +0100, Matthew Garrett wrote:
> > > On Wed, Jun 27, 2012 at 07:39:26PM +0100, James Bottomley wrote:
> > > > On Wed, 2012-06-27 at 18:58 +0100, Matthew Garrett wrote:
> > > > > If I can boot a signed Linux kernel and then use that to launch a 
> > > > > trojaned Linux or Windows kernel then that signed kernel is likely to be 
> > > > > blacklisted.
> > > > 
> > > > That's an extreme interpretation.  We can debate this at the kernel
> > > > summit, but it's my belief that no-one, least of all Microsoft, the only
> > > > possible CA for UEFI keys, is going to blacklist a Linux Key on the
> > > > grounds that there's a possible trojan vector.
> > > 
> > > Sure, it's unlikely that anything will be blacklisted on a hypothetical. 
> > > But it's not like writing winkexec would be difficult.
> > > 
> > > > Just look at Ubuntu's current secure boot plans: They're going to do a
> > > > winqual signed elilo that will initially boot unsigned kernels.
> > > > Microsoft seems to be happy with that
> > > 
> > > (Citation needed)
> > 
> > It's 
> > 
> > https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html
> > 
> > Kernel Signing: ... "Therefore, we will only be requiring authentication
> > of boot loader binaries.  Ubuntu will not require signed kernel images
> > or kernel modules."
> > 
> > Or did you mean citation of "Microsoft seems happy with it"?  I was just
> > taking that from the fact that there's been no negative Redmond reaction
> > to the publicly posted plans.
> 
> I doubt that Microsoft is actually aware of Ubuntu's plans, even if they
> have been posted to a mailing list that has public archives.

Actually, parts of Microsoft are fully aware of Ubuntu's plans.  The
Linux response to UEFI secure boot is being co-ordinated with the UEFI
Forum which Microsoft is also watching closely.

> It would be nice to have a real confirmation.

Well, Matthew has been asking for that as well.  What are the
expectations on EFI programmes signed with the Microsoft key (the only
possible key currently)?  Particularly when they're loading non-Windows
operating systems.  I suspect Microsoft really doesn't want to get into
clarifying this for all sorts of reasons, so notice is equivalent to
acquiescence in my book.

James



