Author: dr.klepp
Date:  
To: dng
Subject: Re: [DNG] ..another new(?) step towards Debian systemd: linux-image-4.6.0-1[-rt]-amd-signed, with MSTF keys...
On Monday, 13 June 2016, Adam Borowski wrote:
> On Mon, Jun 13, 2016 at 09:14:00PM +0200, Edward Bartolo wrote:
> > But I still am convinced with a signed kernel one can still use it to
> > boot any installed OS. My reasoning goes like this: once the signed
> > kernel boots, it would be in control of the machine. A running kernel
> > can be used to run any executable provided the latter is coded for the
> > same machine architecture. So, the boot procedure would first consist
> > of UEFI loading the signed kernel, the kernel then loads a bootloader
> > like GRUB*.
>
> Not anymore. Any syscalls and devices that can be used to subvert the
> system by its owner, even as root, are disabled when Secure Boot is in
> use. So sorry, no kexec or loading a bootloader module unless the kernel
> being kexeced is itself signed.
>


Broken computers for a broken world.


--
Please do not email me anything that you are not comfortable also sharing with the NSA.
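
The restriction described in the quoted reply can be checked on a running system. The following is an added example, not part of the original message or thread: it reads the Secure Boot EFI variable, the kernel lockdown mode and the kexec sysctl, and reports which kexec paths remain open to root. It assumes the mainline lockdown interface (`/sys/kernel/security/lockdown`, kernels 5.4 and later), which postdates this thread; whether lockdown is switched on automatically under Secure Boot depends on the distribution's kernel, and the sample inputs are constructed.

```python
"""Check whether the running kernel restricts kexec as the quoted reply describes."""
from pathlib import Path

# efivarfs file for the standard SecureBoot variable (EFI global-variable GUID).
SECUREBOOT = Path("/sys/firmware/efi/efivars/"
                  "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
LOCKDOWN = Path("/sys/kernel/security/lockdown")  # mainline kernels 5.4 and later
KEXEC_DISABLED = Path("/proc/sys/kernel/kexec_load_disabled")

# Constructed sample contents, for demonstration on machines without these files.
SAMPLE_SB = bytes([0x06, 0x00, 0x00, 0x00, 0x01])
SAMPLE_LOCKDOWN = "none [integrity] confidentiality\n"


def secure_boot_enabled(raw):
    """efivarfs layout: 4 attribute bytes, then the 1-byte value (1 = enabled)."""
    return raw is not None and len(raw) >= 5 and raw[4] == 1


def lockdown_mode(text):
    """Return the bracketed (active) mode, or 'unavailable' if there is none."""
    for word in (text or "").split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    return "unavailable"


def kexec_policy(sb_raw, lockdown_text, kexec_disabled_text):
    """Summarise which kexec paths root can still use on this boot."""
    mode = lockdown_mode(lockdown_text)
    if (kexec_disabled_text or "").strip() == "1":
        verdict = "kexec disabled until reboot"
    elif mode in ("integrity", "confidentiality"):
        verdict = "kexec_load blocked; kexec_file_load needs a verified signature"
    else:
        verdict = "no lockdown restriction on kexec visible"
    return {"secure_boot": secure_boot_enabled(sb_raw),
            "lockdown": mode, "verdict": verdict}


def _read(path, binary=False):
    """Return the file contents, or None if the file is absent or unreadable."""
    try:
        return path.read_bytes() if binary else path.read_text()
    except OSError:
        return None


if __name__ == "__main__":
    print("live:  ", kexec_policy(_read(SECUREBOOT, True), _read(LOCKDOWN),
                                  _read(KEXEC_DISABLED)))
    print("sample:", kexec_policy(SAMPLE_SB, SAMPLE_LOCKDOWN, "0\n"))
```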