Language Selection

English French German Italian Portuguese Spanish

Why UEFI secure boot is difficult for Linux

Filed under
Linux

I wrote about the technical details of supporting the UEFI secure boot specification with Linux. Despite me pretty clearly saying that this was ignoring issues of licensing and key distribution and the like, people are now using it to claim that Linux could support secure boot with minimal effort. In a sense, they're right. The technical implementation details are fairly straightforward. But they're not the difficult bit.

Secure boot requires that all code that can touch hardware be trusted

Right now, if you can run unstrusted code before the OS then you can subvert the OS. Secure boot gives you a mechanism for making sure you only run trusted code, which protects against that. So your UEFI drivers have to be signed, your bootloader has to be signed, and your bootloader must only load a signed kernel. If you've only booted trusted code then you know that your OS is safe. But, unlike trusted boot, secure boot provides no way for you to know that only trusted code was executed. That has to be ensured by OS policy.

Rest here




More in Tux Machines

Top Web Browsers for Linux

No matter which Linux distro you prefer, I believe the web browser remains the most commonly used software application. In this article, I'll share the best browsers available to Linux users. Chrome – No matter how you feel about the Chrome browser, one only need to realize the following: Local news still streams in Flash and Chrome supports this. Netflix is supported using Chrome. And of course, Chrome is faster than any other browser out there. Did I mention the oodles of Chrome extensions available including various remote desktop solutions? No matter how you slice it, Chrome is king of the jungle. Read more

Linux Kernel 4.4.22 LTS Brings ARM and EXT4 Improvements, Updated Drivers

Immediately after announcing the release of Linux kernel 4.7.5, renowned kernel developer and maintainer Greg Kroah-Hartman informed the community about the availability of Linux kernel 4.4.22 LTS Read more

Tor Project Releases Tor (The Onion Router) 0.2.8.8 with Important Bug Fixes

The Tor Project announced recently the release of yet another important maintenance update to the stable Tor 0.2.8.x series of the open-source and free software to protect your anonymity while surfing the Internet. Read more

SODIMM-style i.MX7 COM features dual GbE, WiFi/BT, eMMC

Variscite’s Linux-driven “VAR-SOM-MX7” COM is shipping with an i.MX7 Dual SoC, WiFi and BLE, dual GbE, and optional eMMC and extended temp. support. Variscite’s VAR-SOM-MX7 follows many other Linux-ready computer-on-modules based on NXP’s i.MX7 SoC, which combines one or two power-stingy, 1GHz Cortex-A7 cores with a 200MHz Cortex-M4 MCU for real-time processing. While most of these offer a choice of a Solo or Dual model, and the NXP/Element14 WaRP7 offers only the Solo, the SODIMM-style VAR-SOM-MX7 taps the dual-core Dual. Unlike most of these modules, but like the WaRP7 and the CompuLab CL-SOM-iMX7, Variscite’s entry offers onboard WiFi and Bluetooth, in this case Bluetooth 4.1 with BLE. Read more