Am 03.06.2012 01:36, schrieb Michael Mol: > On Sat, Jun 2, 2012 at 6:50 PM, pk <pete...@coolmail.se> wrote: >> On 2012-06-02 22:10, Michael Mol wrote: > > [snip] > [...] > > The BIOS will only load a signed bootloader. The signed bootloader > will only load a signed kernel. The signed kernel will...do whatever > you tell it to do. >
According to Matthew's blog post, Fedora patched Grub2 and the kernel to avoid loading custom code into them: - Deactivate grub2 plugins - Sign all kernel modules and disallow unsigned ones - Prevent access to PCI through userland - Sanitize the kernel command line >> What does that mean to a source based "distro"? > > It's going to make building and installing grub and the kernel > trickier; you'll have to get them signed. And that's going to be a > PITA for anyone who does developers. > > What it *really* means is that someone who wants to run Linux as a > hobbyist or developer is going to disable "SecureBoot", and then fall > back to business as usual. > Yeah, the only way for Gentoo to have secure boot is a) let each user register with Microsoft, b) provide a binary kernel and boot loader. >> Also, I would assume a legitimate key would be able to >> sign pretty much any binary so a key that Fedora uses could be used to >> sign malware for Windows, which then would be blacklisted by >> Microsoft... > > If Fedora allows their key to sign crap, then their key will get revoked. > > What I hope (I don't know) is whether or not the signing system > involved allows chaining. i.e., with SSL, I can generate my own key, > get it signed by a CA, and then bundle the CA's public key and my > public key when I go on to sign _another_ key. > > So, could I generate a key, have Fedora sign it, and then use my key > to sign my binaries? If my key is used to do malicious things, > Fedora's off the hook, and it's only my key which gets revoked. > Consider the exact approach Fedora takes: They've only made a certified stage-1 boot loader. This boot loader then loads grub2 (signed with a custom Fedora key, nothing chained back to MS) which then loads a custom-signed kernel. This allows them to avoid authenticating against MS every time they update grub or the kernel. This means if you want to certify with Fedora, you don't need to chain up to MS as long as you use their stage-1 boot loader. However, if I was part of Fedora, I wouldn't risk my key by signing other people's stuff. Mainboard makers won't look twice when they see rootkits with Fedora boot loaders. >> and how is malware defined? Anything that would be >> detrimental to Microsoft? > > Dunno. I imagine it comes down to whatever the chief key's owner > doesn't want running on the same hardware while SecureBoot is enabled. > Rootkits come to mind. > To quote Matthew: > If I take a signed Linux bootloader and then use it to boot something > that looks like an unsigned Linux kernel, I've instead potentially > just booted a piece of malware. And if that malware can attack > Windows then the signed Linux bootloader is no longer just a signed > Linux bootloader, it's a signed Windows malware launcher and that's > the kind of thing that results in that bootloader being added to the > list of blacklisted binaries and suddenly your signed Linux > bootloader isn't even a signed Linux bootloader. Regards, Florian Philipp
signature.asc
Description: OpenPGP digital signature
