:: Re: [DNG] UEFI and Secure Boot
Author: Dr. Nikolaus Klepp
Date:  
To: dng
Subject: Re: [DNG] UEFI and Secure Boot
On Thursday, 26 October 2017, John Morris wrote:
> On Tue, 2017-10-24 at 09:01 +0200, marc wrote:
>
> > Secureboot is designed for them, not for you. You might come
> > up with a really exotic use case, where it might help you. But
> > if you look at it carefully enough, it relies on secureboot
> > redefining root to something weaker than what we want, and
> > running some complex infrastructure which you are unaware
> > of behind it. If you want a weak root, run a virtual machine
> > instead.
>
> Not at all. Right now if you install Fedora or Ubuntu you get the
> protection of secure boot. You already trust them if you are installing
> their OS, correct? Everyone signs the kernel package at the package
> manager stage so we can all use untrusted mirrors. So now they also put
> a signature on a grub-efi package with a key signed by the UEFI CA that
> embeds their company keys. Now your system validates that GRUB is clean
> and it checks the kernel hasn't been tampered with before executing
> either of them.
>
> Eventually Debian will begin shipping signed grub-efi and kernel
> packages. Devuan would have to pay $100 to get a signed grub-efi of its
> own (with a Devuan kernel signing key embedded) to ship kernels built by
> them if they don't just pass on the Debian grub and kernel packages
> unmodified. That is it, one can argue how much security benefit it
> brings but it is non-zero and requires minimal effort to achieve. I
> think you have to pay again if your grub-efi package changes but it
> doesn't seem to churn much.
>


Maybe I did get something wrong, but some years ago the Linux Foundation provided a signed bootloader for secure boot:
https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/

There's also a signed "shim.efi" and some others that boot any kernel you like: https://www.rodsbooks.com/efi-bootloaders/secureboot.html

Just neither Debian nor Devuan provides an installer image that uses these.

But the fundamental problem of secure boot persists: do you trust your BIOS vendor? (I don't.)

Nik

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...