On Wed, Nov 07, 2012 at 09:19:35AM +0100, Olivier Galibert wrote: > On Tue, Nov 6, 2012 at 11:47 PM, Matthew Garrett <mj...@srcf.ucam.org>wrote: > > > Sure, and scripts run as root can wipe your files too. That's really not > > what this is all about. > > What it is about then? What is secure boot supposed to do for the owner of > the computer in a linux context? I've not been able to understand it > through this discussion.
It provides a chain of trust that allows you to ensure that a platform boots a trusted kernel. That's a pre-requisite for implementing any kind of fully trusted platform, but it's not sufficient in itself. One of those additional requirements is ensuring that the kernel *stays* trusted - in the past an attacker could just replace the kernel on disk and so there was little incentive to engage in more subtle attacks, but now that's impossible we need to care about them. -- Matthew Garrett | mj...@srcf.ucam.org -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
