[Discuss] UEFI secure boot pre-loader security considered further Re: Fwd: [linux_forensics] Did you see this ? - Linux Foundation Announces Secure Boot Solution ....
Jerry Feldman
gaf at blu.org
Fri Nov 2 10:17:21 EDT 2012

The bottom line here is that UEFI will prevent some Linux users from
installing Linux, especially in the near future. I suspect that all
major distros will be able to install on a UEFI system with very little
user interaction. However, we also need to gain some knowledge so that
when we do encounter UEFI at installfests, we know what to do.

On 11/02/2012 08:59 AM, Bill Ricker wrote:
> On Thu, Nov 1, 2012 at 4:02 PM, Rich Pieri <richard.pieri at gmail.com> wrote:
>> This is a lie.
> Harsh.
> Not all errors are lies.
> Sometimes people are just wrong without malice.
>
> Writing is an inexact science.
> Sometimes editing for style destroys accuracy,
> even with formerly technical people doing it.
>
> The statement is closer to the UEFI's (failed) intent than its
> (actual) result, but is not phrased thus, so it is false in detail.
>
>> I didn't read the rest of the article.
> Your loss.
>
> If your point is it only prevents execution of unsigned bootloaders,
> you are correct.
> The rest of the article explains that.
> Since you already knew that, no loss to you perhaps.
>
> The intent of course is to prevent installing malware, Hackintosh,
> Linux, and *BSD.
> But no one expects it will prevent VMware, IBM, HP, Oracle from
> shipping ESX RHEL OEL Solaris86 to their commercial server customers.
>
> So far I've seen PLANS by top distros and the Foundation to buy a Key from M$.
> I will be happy when I see evidence they've received the goods.
> Will MS accept their money, or make some excuse to defend their monopoly?
>
> The wrong sentence we should take exception to is
> Bottomley noted that this pre-bootloader
> “provides no security enhancements over booting linux with UEFI secure
> boot turned off,”
> This does not seem true, since it will require a user acceptance of an
> unsigned 2nd load, it will provide a bar to programmatic reboot to
> elevate privilege by starting unattended install or installing a
> malware hypervisor when rebooting with a USB/DVD mounted.
> I won't call that a lie either, it's just sloppy thinking.
>
> Sounds like for SERVERS (that we often want to reboot remotely or
> automatically)
> we either need to turn UEFI SecureBoot off in the mobi FLASH UEFI settings
> OR stick to distros that have their own purchased signatures.
> Servers mostly use the big three or their derivatives anyway,
> but Debian still has some % of server share,
> this may push them to Ubuntu's Server spin.
>
--
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90