Skribent: Simon Hobson Dato: Til: dng@lists.dyne.org Emne: Re: [DNG] ..another new(?) step towards Debian systemd:
linux-image-4.6.0-1[-rt]-amd-signed, with MSTF keys...
Edward Bartolo <edbarx@???> wrote:
> But I still am convinced with a signed kernel one can still use it to
> boot any installed OS. My reasoning goes like this: once the signed
> kernel boots, it would be in control of the machine. A running kernel
> can be used to run any executable provided the latter is coded for the
> same machine architecture. So, the boot procedure would first consist
> of UEFI loading the signed kernel, the kernel then loads a bootloader
> like GRUB*.
>
> What do you think?
Yes, it can be done. No it's not something your average user could do on his own.
What you point out is the weakness of signing code - if that code isn't itself "secure" then it defeats the point of signing anything.
So long term, not this year, probably not next year, but sometime ... expect some pressure to extend the signing. The first step will be signing of kernel binaries in distros, then some extra code in Grub to only load signed kernels - and only versions of Grub built that way will get signed. So now we've reached the point of only being able to use a Grub that will only load signed kernels. And only 'clean' kernel binaries will get signed - so no "non-approved" drivers.
And if that bit of wedge gets hammered in without too much pushback ... The next step will be to add kernel code to only run signed binaries - but it'll be OK for the likes of RH because you'll have no reason to run anything other than the binaries they supply for packages.
Yes, you can build a Grub that will load any kernel - but the EFI won't load it as it won't be signed.
And expect it to get harder to add your own sigs to EFI systems as well.