On Tuesday 27 Sep 2011 13:11:30 Jonas de Buhr wrote:
> >On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote:
> >> >I am assuming that unlike the old days when I used to boot Linux on
> >> >PCs using a floppy with SmartBootManager, now we'll need to generate
> >> >some key/hash for our freshly compiled kernel, then add it to the
> >> >BIOS firmware and flash the BIOS with it before we are able to boot
> >> >into it?
> >> >
> >> >Is it more complicated than that?
> >>
> >> how are you going to write to the bios if it doesn't let you?
> >>
> >> maybe you are determined enough to manually flash the chip every time
> >> you update grub but i think that's a buzzkill for >90% of the users ;)
> >
> >Eerhm...
> >If Grub is the bootloader, wouldn't we just need to have a "signed"
> >version of Grub?
>
> depends if we are talking about hashes being saved in the bios or
> signatures being checked by the bios.
>
> hashes would have to be written to the bios every time the binary of the
> bootloader changes.
>
> signatures would have to be renewed every time the binary changes. this
> is even worse because you will most likely need the some private key to
> do that which you will not get your hands on. if anyone can create the
> signature, it's pointless.
> so you would have to rely on your bios vendor to sign every possible
> binary of the bootloader. and then you're still locked out.

Unless ... you could create or set up such a signature upon your first boot
up and secure it with a new passphrase/token/what have you.

I'm thinking that it could become part of the first OS installation, just
like you set up a root/user passwd.

-- 
Regards,
Mick
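
The two models discussed in this thread (hashes stored in the firmware versus signatures checked by the firmware), together with the owner-created key suggested in the last reply, as an added Python example that is not from any of the posters. The class and function names are hypothetical, the bootloader binaries are constructed byte strings, and textbook RSA over two fixed primes stands in for a real signature scheme.

```python
import hashlib

# Textbook RSA over two fixed Mersenne primes: a stand-in for a real
# signature scheme, NOT secure, chosen only so the example runs offline.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the owner

def digest(binary: bytes, n: int = N) -> int:
    return int.from_bytes(hashlib.sha256(binary).digest(), "big") % n

def owner_sign(binary: bytes, d: int = D) -> int:
    """Performed by whoever holds the private key (assumed: the machine owner)."""
    return pow(digest(binary), d, N)

class HashFirmware:
    """Model 1: the firmware stores digests of the bootloaders it accepts."""
    def __init__(self):
        self.allowed = set()

    def enroll(self, binary: bytes) -> None:   # a write to the firmware store
        self.allowed.add(hashlib.sha256(binary).hexdigest())

    def boots(self, binary: bytes) -> bool:
        return hashlib.sha256(binary).hexdigest() in self.allowed

class SigFirmware:
    """Model 2: the firmware stores one public key and checks signatures."""
    def __init__(self, n: int, e: int):
        self.n, self.e = n, e                  # enrolled once, at install time

    def boots(self, binary: bytes, sig: int) -> bool:
        return pow(sig, self.e, self.n) == digest(binary, self.n)

def demo() -> dict:
    old, new = b"grub build 1 (constructed)", b"grub build 2 (constructed)"
    hfw, sfw = HashFirmware(), SigFirmware(N, E)
    hfw.enroll(old)
    return {
        "hash_old": hfw.boots(old),
        "hash_new_without_reenroll": hfw.boots(new),
        "sig_new_signed_by_owner": sfw.boots(new, owner_sign(new)),
        "sig_new_reusing_old_sig": sfw.boots(new, owner_sign(old)),
        "sig_new_wrong_key": sfw.boots(new, owner_sign(new, d=D + 2)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the hash model the updated binary is rejected until the firmware store is rewritten; in the signature model the firmware state never changes, but only the holder of the private key can make the updated binary bootable.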