
Story: Details on Ubuntu's UEFI secure boot plan
Total Replies: 5
tuxchick

Jun 22, 2012
3:21 PM EDT
More lunatic hassles for a false sense of additional security. They keep nattering about pre-boot malware-- has there ever been any for Linux or Windows? Real malware, and not proof-of-concept. I don't recall any. You don't need fancy hard stuff like pre-boot malware to infect Windows, as it offers multiple points of entry that are much easier. However, there have been multiple failures in the root CAs and signing keys, like the fun Windows Flame malware. Those are real and proven, not theoretical.

How is the Windows signing system going to keep up with Linux? Linux does not stand still and kernel updates are frequent. Why would anyone even want this on a Linux system, what are the benefits? Real and not theoretical.

The only value I see in this is using your own personal PKI and not relying on an external signing system. And then figuring out a way to keep up with updates and changes without going mad.

This is a big not-funny joke.
BernardSwiss

Jun 22, 2012
7:29 PM EDT
Quoting: They keep nattering about pre-boot malware-- has there ever been any for Linux or Windows?


Mebromi: the first BIOS rootkit in the wild

http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-ro...

Not that you don't make some good points.

But as the Linux side points out often enough in the FUD wars, "Security Is A Process". The boot-chain is just one more target, and Secure Boot is just one more defence. Bad Guys (tm) will, just as with Data Execution Prevention, Address Space Layout Randomization, and code signing, eventually find ways to avoid -- perhaps even exploit -- this mechanism.

So I figure there are really two over-arching questions:

(1) Do the benefits outweigh the costs?

Secure Boot could be a boondoggle, but opinions among very qualified people differ.

(2) Will the implementation be a sensible one -- one which spreads the benefits and costs equitably, rather than effectively serving as a tool for covertly and anti-competitively tilting the hardware market in favour of the dominant desktop-OS distributor (i.e. Microsoft/Windows), and in active hindrance to the alternatives (i.e. generally Linux and BSD)?
BernardSwiss

Jun 22, 2012
7:49 PM EDT
Quoting:

Kernel signing
==============

We believe that the intention of secure boot is to protect against malicious use or modification of pre-boot code, before the ExitBootServices UEFI service is invoked. Currently, this call is performed by the boot loader, before the kernel is executed.

Therefore, we will only be requiring authentication of boot loader binaries. Ubuntu will not require signed kernel images or kernel modules.


Have I got this straight? Does this section indicate an important difference from Red Hat's approach -- one that Red Hat considered not tenable?

tuxchick

Jun 22, 2012
11:57 PM EDT
Good questions all, and there are many more. Too dang many to foist this half-baked mess on the world.
helios

Jun 23, 2012
9:45 AM EDT
to foist this half-baked mess on the world.

They got their unspiration from KDE and Gnome Devs........

Unspiration....my Yogi Berra-ism for the week
albinard

Jun 23, 2012
10:39 AM EDT
May I suggest de-inspiration, which shortens to the more probable cause of Microsoft's effort, desperation.
