Skribent: marc Dato: Til: dng Emne: Re: [DNG] UEFI and Secure Boot
> katolaz@??? writes: > >And what if you want to use your own unsigned bootloader? Why should
> >you ask someone else the permission to boot your own machine? o_O
>
> Because I want deny people with physical access the ability to boot unsigned
> bootloaders.
>
> I am both the owner of my hardware and the person who usually has physical
> access. Requiring signed boot loaders is way to transfer rights from latter
> role to someone else ??? in my case I'd prefer to transfer them to the
> former for all portable hardware, so for my next laptop I'm going to do the
> MOK stuff described on this list last week.
So I might be missing something, but I really don't get the point of
having a signed boot infrastructure for the technically competent
computer owner.
If you want to prevent somebody from booting some random unsigned
code, then a BIOS from 1999 will do: You just configure the
BIOS to boot your selected internal disk only and then set a password on
the BIOS and the bootloader. Then nobody can insert a memory stick and boot
their evil code.
If your threat model includes somebody who is capable of opening
your computer and messing with its internals, then no amount
of EFI will protect you - the bad guy can just replace your
entire motherboard. If you are worried that somebody who has
compromised your OS remotely will hack your bootloader, then
reconsider their motives: They are already on a running host OS
as root and can look inside your encrypted disk volumes too -
you have lost already.
As far as I can tell, signed bootloaders have advantages
for people who need to roll out images to remote PCs via
untrusted channels, and are worried that the people sitting
in front of their PCs will install the "wrong" kernel. In other
words, microsoft, large corporates and maybe even some linux
distributions. However, for those weirdos who like to own the computer
they sit in front of, there is no benefit. Only downside:
The kernel that enthusiasts build themselves is the "wrong" one to
those who wish to lock down the computing world with DRM and
related nonsense.