Author: dr.klepp Date: To: dng Subject: Re: [DNG] ..another new(?) step towards Debian systemd:
linux-image-4.6.0-1[-rt]-amd-signed, with MSTF keys...
Am Montag, 13. Juni 2016 schrieb Adam Borowski: > On Mon, Jun 13, 2016 at 09:14:00PM +0200, Edward Bartolo wrote:
> > But I still am convinced with a signed kernel one can still use it to
> > boot any installed OS. My reasoning goes like this: once the signed
> > kernel boots, it would be in control of the machine. A running kernel
> > can be used to run any executable provided the latter is coded for the
> > same machine architecture. So, the boot procedure would first consist
> > of UEFI loading the signed kernel, the kernel then loads a bootloader
> > like GRUB*.
>
> Not anymore. Any syscalls and devices that can be used to subvert the
> system by its owner, even as root, are disabled when Secure Boot is in
> use. So sorry, no kexec or loading a bootloader module unless the kernel
> being kexeced is itself signed.
>
Broken computers for a broken world.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.