:: Re: [DNG] ..another new(?) step tow…
Author: Adam Borowski
Date:
To: dng
Subject: Re: [DNG] ..another new(?) step towards Debian systemd: linux-image-4.6.0-1[-rt]-amd-signed, with MSTF keys...
On Mon, Jun 13, 2016 at 09:14:00PM +0200, Edward Bartolo wrote:
> But I still am convinced with a signed kernel one can still use it to
> boot any installed OS. My reasoning goes like this: once the signed
> kernel boots, it would be in control of the machine. A running kernel
> can be used to run any executable provided the latter is coded for the
> same machine architecture. So, the boot procedure would first consist
> of UEFI loading the signed kernel, the kernel then loads a bootloader
> like GRUB*.


Not anymore. Any syscalls and devices that can be used to subvert the
system by its owner, even as root, are disabled when Secure Boot is in
use. So sorry, no kexec or loading a bootloader module unless the kernel
being kexeced is itself signed.

--
An imaginary friend squared is a real enemy.