Supporting third-party keys in a Secure Boot world


It's fairly straightforward to boot a UEFI Secure Boot system using something like Shim or the Linux Foundation's loader, and for distributions using either the LF loader or the generic version of Shim that's pretty much all you need to care about. The physically-present end user has had to explicitly install new keys or hashes, and that means that you no longer need to care about Microsoft's security policies or (assuming there are no exploitable flaws in the bootloader itself) fear any kind of revocation.

But what if you're a distribution that cares about booting without the user having to install keys? There are several reasons to want that (convenience for naive users, ability to netboot, that kind of thing), but it has the downside that your system can now be used as an attack vector against other operating systems. Do you care about that? It depends how you weigh the risks. First, someone would have to use your system to attack another. Second, Microsoft would have to care enough to revoke your signature.




