[Discuss] UEFI secure boot pre-loader security considered further Re: Fwd: [linux_forensics] Did you see this ? - Linux Foundation Announces Secure Boot Solution ....

Bill Ricker bill.n1vux at gmail.com
Fri Nov 2 08:59:08 EDT 2012


On Thu, Nov 1, 2012 at 4:02 PM, Rich Pieri <richard.pieri at gmail.com> wrote:
> This is a lie.

Harsh.
Not all errors are lies.
Sometimes people are just wrong without malice.

Writing is an inexact science.
Sometimes editing for style destroys accuracy,
even with formerly technical people doing it.

The statement is closer to the UEFI's (failed) intent than its
(actual) result, but is not phrased thus, so it is false in detail.

> I didn't read the rest of the article.

Your loss.

If your point is it only prevents execution of unsigned bootloaders,
you are correct.
The rest of the article explains that.
Since you already knew that, no loss to you perhaps.

The intent of course is to prevent installing malware, Hackintosh,
Linux, and *BSD.
But no one expects it will prevent VMware, IBM, HP, Oracle from
shipping ESX RHEL OEL Solaris86 to their commercial server customers.

So far I've seen PLANS by top distros and the Foundation to buy a Key from M$.
I will be happy when I see evidence they've received the goods.
Will MS accept their money, or make some excuse to defend their monopoly?

The wrong sentence we should take exception to is
   Bottomley noted that this pre-bootloader
   “provides no security enhancements over booting linux with UEFI secure
   boot turned off,”
This does not seem true, since it will require a user acceptance of an
unsigned 2nd load, it will provide a bar to programmatic reboot to
elevate privilege by starting unattended install or installing a
malware hypervisor when rebooting with a USB/DVD mounted.
I won't call that a lie either, it's just sloppy thinking.

Sounds like for SERVERS (that we often want to reboot remotely or
automatically)
we either need to turn UEFI SecureBoot off in the mobi FLASH UEFI settings
OR stick to distros that have their own purchased signatures.
Servers mostly use the big three or their derivatives anyway,
but Debian still has some % of server share,
this may push them to Ubuntu's Server spin.

-- 
Bill
@n1vux bill.n1vux at gmail.com


