Language Selection

English French German Italian Portuguese Spanish

Why UEFI secure boot is difficult for Linux

Filed under
Linux

I wrote about the technical details of supporting the UEFI secure boot specification with Linux. Despite me pretty clearly saying that this was ignoring issues of licensing and key distribution and the like, people are now using it to claim that Linux could support secure boot with minimal effort. In a sense, they're right. The technical implementation details are fairly straightforward. But they're not the difficult bit.

Secure boot requires that all code that can touch hardware be trusted

Right now, if you can run unstrusted code before the OS then you can subvert the OS. Secure boot gives you a mechanism for making sure you only run trusted code, which protects against that. So your UEFI drivers have to be signed, your bootloader has to be signed, and your bootloader must only load a signed kernel. If you've only booted trusted code then you know that your OS is safe. But, unlike trusted boot, secure boot provides no way for you to know that only trusted code was executed. That has to be ensured by OS policy.

Rest here




More in Tux Machines

Games for GNU/Linux

Security News

Tablet review: BQ Aquaris M10 Ubuntu Edition

The Aquaris M10 is very much a first attempt for BQ and you would expect future iterations to have some significant improvements. It’s also hard to find compelling reasons why iOS or Android fans would want to switch over to an Ubuntu tablet, but those familiar with the operating system should be excited to finally have their needs met in the tablet market. One positive factor is that switching between tablet and desktop mode works very well for the most part, so can definitely fulfill professional needs as much as casual ones. This could be a viable option for someone who wants that flexibility and isn’t too fussed about some of the more superficial features. Read more

CORD is Growing