Management of UEFI secure booting
,----[ Quote ]
| The FSF have released a statement on UEFI secure boot. It explains the
| fundamental issue here, which isn't something as simple as "will OEMs let me
| install Linux". It's "Does the end user have the ability to manage their own
| keys".
|
| Secure boot is a valuable feature. It does neatly deal with the growing threat
| of pre-OS malware. There is an incentive for it to be supported under Linux. I
| discussed the technical aspects of implementing support for it here - it's not
| a huge deal of work, and it is being worked on. So let's not worry about that
| side of things. The problem is with the keys.
|
| Secure boot is implemented in a straightforward way. Each section of a PE-COFF
| file is added together and a hash taken[1]. This hash is signed with the
| private half of a signing key and embedded into the binary. When you attempt
| to execute a file under UEFI, the firmware attempts to decrypt the embedded
| hash. This requires that the firmware have either a copy of the public half
| of the signing key in its key database, or for there to be a chain of trust
| from the signing key to a key in its key database. Once it has the decrypted
| hash, it generates its own hash of the binary and compares them. If they
| match, the binary is executed.
|
| What happens if it doesn't match? Per the UEFI specification, the firmware can
| then prompt the user and ask if they want to execute it anyway. If the user
| accepts then the hash of the binary is remembered[4] and can continue to be
| executed in future. This is similar to what you get when you visit a self-
| signed https site, or when you connect to an ssh server for the first time -
| the user must explicitly state that they trust the software that is being
| booted.
`----
http://mjg59.dreamwidth.org/6503.html
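
The boot decision described in the quoted text, as an added example that is not part of the original post or of any firmware code. Assumptions: a constructed toy RSA key, a SHA-256 over the whole image standing in for the PE-COFF section hash, no chain of trust (direct key match only), and the hypothetical names `Firmware`, `boot` and `ask_user`.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(image: bytes) -> int:
    """SHA-256 of the whole image (assumption: stands in for the section hash)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N

def sign(image: bytes) -> int:
    """Signer side: the value that would be embedded in the binary."""
    return pow(digest(image), D, N)

class Firmware:
    """Hypothetical model of the firmware's verify-then-prompt flow."""

    def __init__(self, key_db, ask_user):
        self.key_db = set(key_db)   # trusted public keys as (n, e) pairs
        self.approved = set()       # hashes the user explicitly chose to trust
        self.ask_user = ask_user    # callback standing in for the firmware prompt

    def boot(self, image: bytes, signature: int) -> str:
        h = digest(image)           # firmware's own hash of the binary
        # Recover the embedded hash with each trusted key and compare.
        if any(pow(signature, e, n) == h for n, e in self.key_db):
            return "executed: signature verified"
        # Mismatch: fall back to hashes remembered from an earlier prompt.
        if h in self.approved:
            return "executed: hash previously approved"
        if self.ask_user(image):
            self.approved.add(h)    # remembered for future boots
            return "executed: approved by user"
        return "refused"

def demo():
    """Constructed sample images: one signed, one tampered, one unsigned."""
    fw = Firmware({(N, E)}, ask_user=lambda image: image.startswith(b"my-"))
    signed, unsigned = b"vendor-loader", b"my-own-loader"
    return [
        fw.boot(signed, sign(signed)),            # signature matches key_db
        fw.boot(signed + b"\x90", sign(signed)),  # altered after signing
        fw.boot(unsigned, 0),                     # first boot: user is asked
        fw.boot(unsigned, 0),                     # later boot: hash remembered
    ]
```

The remembered entry is a hash of one exact binary, so any later change to a user-approved image sends it back through the prompt.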