Author: John Morris
Date:
To: dng
Subject: Re: [DNG] UEFI and Secure Boot
On Tue, 2017-10-24 at 09:01 +0200, marc wrote:
> Secureboot is designed for them, not for you. You might come
> up with a really exotic use case, where it might help you. But
> if you look at it carefully enough, it relies on secureboot
> redefining root to something weaker than what we want, and
> running some complex infrastructure which you are unaware
> of behind it. If you want a weak root, run a virtual machine
> instead.
Not at all. Right now, if you install Fedora or Ubuntu you get the
protection of secure boot. You already trust them if you are installing
their OS, correct? Everyone signs the kernel package at the package
manager stage so we can all use untrusted mirrors. So now they also put
a signature on a grub-efi package with a key signed by the UEFI CA that
embeds their company keys. Now your system validates that GRUB is clean
and it checks the kernel hasn't been tampered with before executing
either of them.
Eventually Debian will begin shipping signed grub-efi and kernel
packages. Devuan would have to pay $100 to get a signed grub-efi of its
own (with a Devuan kernel signing key embedded) to ship kernels built by
them if they don't just pass on the Debian grub and kernel packages
unmodified. That is it; one can argue how much security benefit it
brings, but it is non-zero and requires minimal effort to achieve. I
think you have to pay again if your grub-efi package changes, but it
doesn't seem to churn much.
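The two-stage chain the message describes (firmware trusts the UEFI CA, the CA certifies the distro's grub-efi signing key, that grub-efi embeds the distro's kernel-signing key and checks the kernel) as an added, runnable model. It is example code written for this page, not code from the thread, from Devuan, Debian, shim or GRUB. Assumptions: Ed25519 over a SHA-256 digest stands in for the RSA/Authenticode signatures real Secure Boot uses; `Cert` is a two-field stand-in for an X.509 code-signing certificate; the loader image's payload is just the distro's kernel-signing public key, standing in for the key compiled into the grub-efi binary; the UEFI CA key, `db`, `Distro`, `NewDistro`, `Boot` and the "Debian"/"Devuan" parties are all hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert: stand-in for an X.509 code-signing certificate (subject key + issuing CA's signature over it).
type Cert struct {
	Pub   ed25519.PublicKey
	CASig []byte
}

// SignedImage: boot artifact plus detached signature over SHA-256(Payload); loaders carry their signer Cert.
type SignedImage struct {
	Payload []byte
	Sig     []byte
	Signer  *Cert
}

// Distro: the CA-certified loader-signing key and the kernel-signing key its grub-efi build embeds.
type Distro struct {
	LoaderCert             Cert
	LoaderPriv, KernelPriv ed25519.PrivateKey
}

func signImage(priv ed25519.PrivateKey, payload []byte, signer *Cert) SignedImage {
	d := sha256.Sum256(payload)
	return SignedImage{payload, ed25519.Sign(priv, d[:]), signer}
}

func verifyImage(pub ed25519.PublicKey, img SignedImage) error {
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a malformed key
		return errors.New("malformed verification key")
	}
	if d := sha256.Sum256(img.Payload); !ed25519.Verify(pub, d[:], img.Sig) {
		return errors.New("image signature does not verify")
	}
	return nil
}

// SignedGRUB: the signed grub-efi package; its payload plays the kernel-signing key compiled into the binary.
func (d Distro) SignedGRUB() SignedImage {
	return signImage(d.LoaderPriv, d.KernelPriv.Public().(ed25519.PublicKey), &d.LoaderCert)
}

// SignedKernel: the signed kernel package (no Cert; GRUB checks it with its embedded key).
func (d Distro) SignedKernel(vmlinuz []byte) SignedImage { return signImage(d.KernelPriv, vmlinuz, nil) }

// VerifyBootLoader is stage 1: the signer Cert must be issued by a CA in db and the image signature must hold.
func VerifyBootLoader(db []ed25519.PublicKey, img SignedImage) error {
	if img.Signer == nil {
		return errors.New("loader carries no signer certificate")
	}
	trusted := false
	for _, ca := range db {
		trusted = trusted || ed25519.Verify(ca, img.Signer.Pub, img.Signer.CASig)
	}
	if !trusted {
		return errors.New("signer certificate does not chain to db")
	}
	return verifyImage(img.Signer.Pub, img)
}

// Boot runs stage 1, then stage 2 (GRUB checks the kernel with its embedded key).
// Swapping that key changes the loader payload, so the firmware already rejects it in stage 1.
func Boot(db []ed25519.PublicKey, loader, kernel SignedImage) error {
	if err := VerifyBootLoader(db, loader); err != nil {
		return fmt.Errorf("stage 1 (firmware -> GRUB): %w", err)
	}
	if err := verifyImage(ed25519.PublicKey(loader.Payload), kernel); err != nil {
		return fmt.Errorf("stage 2 (GRUB -> kernel): %w", err)
	}
	return nil
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return priv
}

// NewDistro certifies a fresh loader-signing key under ca (hypothetical UEFI CA) and makes a kernel key.
func NewDistro(ca ed25519.PrivateKey) Distro {
	lPriv, kPriv := mustKey(), mustKey()
	lPub := lPriv.Public().(ed25519.PublicKey)
	return Distro{Cert{lPub, ed25519.Sign(ca, lPub)}, lPriv, kPriv}
}

func main() {
	uefiCA := mustKey() // hypothetical UEFI CA; the firmware db trusts only its public key
	db := []ed25519.PublicKey{uefiCA.Public().(ed25519.PublicKey)}
	debian, devuan := NewDistro(uefiCA), NewDistro(uefiCA)
	fmt.Println("Debian GRUB + Debian kernel:", Boot(db, debian.SignedGRUB(), debian.SignedKernel([]byte("vmlinuz"))))
	fmt.Println("Debian GRUB + Devuan kernel:", Boot(db, debian.SignedGRUB(), devuan.SignedKernel([]byte("vmlinuz"))))
}
```

The second `Println` is the case the message raises: a Debian grub-efi embeds Debian's kernel-signing key, so a kernel signed with a Devuan key fails at stage 2 even though stage 1 passes; only a Devuan grub-efi certified by the CA (with the Devuan key embedded) boots Devuan-built kernels. A loader whose signer was never certified by the CA, or whose embedded key was swapped after signing, never gets past stage 1.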