
Why UEFI secure boot is difficult for Linux

I wrote about the technical details of supporting the UEFI secure boot specification with Linux. Despite me pretty clearly saying that this was ignoring issues of licensing and key distribution and the like, people are now using it to claim that Linux could support secure boot with minimal effort. In a sense, they're right. The technical implementation details are fairly straightforward. But they're not the difficult bit.

Secure boot requires that all code that can touch hardware be trusted

Right now, if you can run untrusted code before the OS then you can subvert the OS. Secure boot gives you a mechanism for making sure you only run trusted code, which protects against that. So your UEFI drivers have to be signed, your bootloader has to be signed, and your bootloader must only load a signed kernel. If you've only booted trusted code then you know that your OS is safe. But, unlike trusted boot, secure boot provides no way for you to know that only trusted code was executed. That has to be ensured by OS policy.

More in Tux Machines

Huawei Watch Review: Best Android Wear Smartwatch Available

The Huawei Watch currently offers the best option on the Android Wear platform. The Huawei Watch looks elegant and offers great design as well as multiple attractive style options depending on the buyer's cash flow. Even iPhone owners can take a look. If an iPhone owner prefers a stainless steel round watch, then the Huawei Watch is a usable option at a lower price than the Stainless Steel Apple Watch. Android Wear works well on iPhone, but does not give users the same level of integration. The most important features work fine, including notifications and fitness tracking. We give the Huawei Watch a hearty recommendation. It is worth paying a little more for this attractive and well-designed Android Wear smartwatch.

Linux Kernel 4.1.10 LTS Is Now Available for Download with Networking Fixes

After announcing the release of the Linux 4.2.3 kernel, Greg Kroah-Hartman has informed the world today, October 3, about the release and immediate availability for download of the tenth maintenance version of the Linux 4.1 LTS kernel series.

Also:

Linux 4.3-rc4 Kernel Released: Adds A New & Better String Copy Function

Linus Torvalds Announces Linux Kernel 4.3 RC4 on the Eve of the Project's 24th Birthday

How Debian managed the systemd transition

Debian's decision to move to systemd as the default init system was a famously contentious (and rather public) debate. Once all the chaos regarding the decision itself had died down, however, it was left to project members to implement the change. At DebConf 2015 in Heidelberg, Martin Pitt and Michael Biebl gave a down-to-earth talk about how that implementation work had gone and what was still ahead. Pitt and Biebl are the current maintainers of the systemd package in Debian, with Pitt also maintaining the corresponding Ubuntu package. The pair began with a brief recap of the init-replacement story, albeit one that steered mercifully clear of the quarrels and stuck to the technical side. Initial discussions for replacing the System V init system began as far back as 2007, but pressure grew in recent years, including considerable demand from system administrators and upstream projects (typically wanting specific features like support for logind or journald). Once the Technical Committee had made its decision to adopt systemd as the default, Pitt said, "the real work" began. (Previously paywalled.)

Linux 4.3-rc4

You all know the drill by now. It's Sunday, and there is a new release candidate out there. Things look fairly normal. We have noticeably fewer commits than rc3 (which was fairly big), and I don't see anything unusually alarming. The statistics look pretty normal too: just under half of the patch is drivers (drm continues to be noticeable, but there's infiniband, mmc, input layer etc). About a quarter is arch updates (m68k, MIPS, x86) and the final quarter is solidly "misc" (doc updates, tools, scripts, scheduler, mm..). The appended shortlog gives a flavor of the details.

Linus