Plan of action for Secure Boot support

Ben Hutchings ben at decadent.org.uk
Mon Dec 9 13:45:06 UTC 2013


On Tue, 2013-08-13 at 22:54 +0200, Ben Hutchings wrote:
[...]
> Apparently, the Secure Boot spec requires each stage of the boot code to
> validate signatures only until ExitBootServices() is called.  (At this
> point the firmware makes some parts of its non-volatile configuration
> inaccessible.)
[...]

However, there is now a blog post from Microsoft that supports what
Matthew Garrett has been saying for a while - they may revoke the
signature on a boot loader if signature verification is not extended to
the kernel, including any mechanism to chain-load another kernel:

http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx
(specifically point 5(b))

This implies that when Secure Boot is enabled, only signed kernels and
modules can be loaded and other features that allow code injection such
as kexec, hibernation and /dev/mem must be disabled.

Or we cross our fingers and hope no-one uses Debian's shim in a Windows
boot kit.

(There is work on a new kexec interface which could include signature
verification.  I think there is a theoretical solution for hibernation
but I don't think it has been implemented.)

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
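The check a maintainer would want after reading this is whether a running system actually matches the state described: firmware enforcing Secure Boot, and the kernel-side injection paths listed above closed. The script below is an added example and is not part of the original message, nor of Debian's shim or kernel packaging. It assumes Linux with efivarfs mounted at /sys/firmware/efi/efivars; the kexec_load_disabled sysctl and the lockdown LSM file it reads were added to Linux after this message was written and are reported as "unknown" on kernels that lack them. SYSROOT is a hypothetical prefix so the same functions can be pointed at a constructed directory tree, and sb-check.sh is a hypothetical file name.

```shell
#!/bin/sh
# Added example, not from the original message or Debian's shim/kernel
# packaging: a read-only check of whether the firmware booted with Secure
# Boot enforced and whether the kernel-side code-injection paths named in
# the mail (kexec, hibernation, unsigned modules, /dev/mem via lockdown)
# are still open.  Assumes Linux with efivarfs; kexec_load_disabled and the
# lockdown file postdate 2013 and read as "unknown" on kernels without them.
# SYSROOT is a hypothetical prefix for running against a constructed tree.

SYSROOT=${SYSROOT:-}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is 4 bytes of attribute flags followed by the payload.
# SecureBoot and SetupMode carry a one-byte payload: print it in decimal, or
# "absent" when the variable is not exposed (BIOS boot, no efivarfs).
efivar_byte() {
    f="$SYSROOT/sys/firmware/efi/efivars/$1-$EFI_GLOBAL_GUID"
    if [ ! -r "$f" ]; then
        echo absent
        return 0
    fi
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# enabled / setup-mode / disabled / absent.  SetupMode=1 means the key
# databases are writable without authentication, so SecureBoot=1 read in
# that state does not mean a verified chain.
secureboot_state() {
    sb=$(efivar_byte SecureBoot)
    sm=$(efivar_byte SetupMode)
    case "$sb" in
        absent) echo absent ;;
        1) if [ "$sm" = 1 ]; then echo setup-mode; else echo enabled; fi ;;
        *) echo disabled ;;
    esac
}

# Read a one-line sysfs/procfs knob, or "unknown" if the kernel lacks it.
knob() {
    f="$SYSROOT$1"
    if [ -r "$f" ]; then tr -d '\n' < "$f"; else echo unknown; fi
}

# open / closed / unknown.  The file reads "none [integrity] confidentiality"
# with the active level in brackets; integrity or stronger refuses unsigned
# kexec, hibernation and /dev/mem together.
lockdown_state() {
    case "$(knob /sys/kernel/security/lockdown)" in
        unknown) echo unknown ;;
        *'[none]'*) echo open ;;
        *'['*']'*) echo closed ;;
        *) echo unknown ;;
    esac
}

# One line per injection path: name=open|closed|unknown.
injection_paths() {
    case "$(knob /proc/sys/kernel/kexec_load_disabled)" in
        1) echo kexec=closed ;;
        0) echo kexec=open ;;
        *) echo kexec=unknown ;;
    esac
    case "$(knob /sys/module/module/parameters/sig_enforce)" in
        Y) echo unsigned_modules=closed ;;
        N) echo unsigned_modules=open ;;
        *) echo unsigned_modules=unknown ;;
    esac
    # /sys/power/state lists "disk" when hibernation is available.
    case "$(knob /sys/power/state)" in
        unknown) echo hibernation=unknown ;;
        *disk*) echo hibernation=open ;;
        *) echo hibernation=closed ;;
    esac
    echo "lockdown=$(lockdown_state)"
}

# consistent: Secure Boot enforced and nothing listed is open (a selected
# lockdown level closes the per-feature knobs whatever their values);
# sb-off: firmware is not enforcing, so kernel-side policy is moot;
# gap: firmware enforces but the kernel still offers an injection path.
verdict() {
    [ "$(secureboot_state)" = enabled ] || { echo sb-off; return 0; }
    if [ "$(lockdown_state)" = closed ]; then echo consistent; return 0; fi
    if injection_paths | grep -q '=open$'; then echo gap; else echo consistent; fi
}

# Stand-alone use on a live system: sh sb-check.sh --report
if [ "${1:-}" = --report ]; then
    echo "secure_boot=$(secureboot_state)"
    injection_paths
    echo "verdict=$(verdict)"
fi
```

A "gap" verdict is exactly the situation the Microsoft policy is aimed at: the firmware verified shim, shim verified GRUB, and from there anything can be loaded. Note that "kexec=open" from the sysctl alone is not conclusive on a kernel with lockdown selected, which is why the verdict checks the lockdown level first.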