Language Selection

English French German Italian Portuguese Spanish

Supporting third-party keys in a Secure Boot world

Filed under
Linux

It's fairly straightforward to boot a UEFI Secure Boot system using something like Shim or the Linux Foundation's loader, and for distributions using either the LF loader or the generic version of Shim that's pretty much all you need to care about. The physically-present end user has had to explicitly install new keys or hashes, and that means that you no longer need to care about Microsoft's security policies or (assuming there's no exploitable flaws in the bootloader itself) fear any kind of revocation.

But what about if you're a distribution that cares about booting without the user having to install keys? There's several reasons to want that (convenience for naive users, ability to netboot, that kind of thing), but it has the downside that your system can now be used as an attack vector against other operating systems. Do you care about that? It depends how you weigh the risks. First, someone would have to use your system to attack another. Second, Microsoft would have to care enough to revoke your signature.

rest here




More in Tux Machines

Graphics: AMDGPU, Radeon, Intel DRM

  • AMDGPU DC Code Lands For Linux 4.15 Kernel
    Linus Torvalds has accepted the AMDGPU DC display code pull request for the Linux 4.15 kernel. AMD Linux users can now rejoice! Overnight David Airlie sent in the AMDGPU DC pull request for Linux 4.15 and since then Linus Torvalds was active on the kernel mailing list ranting about AMD header files and other unrelated to DC code. He was also pulling in other PRs... It was getting a bit worrisome, given the DC code not being in pristine shape, but it was exciting as heck to see this evening that he did go ahead and pull in the 132 thousand lines of new kernel code to land this AMDGPU DC. Linus hasn't provided any commentary about DC on the kernel mailing list as of writing.
  • Radeon VCN Encode Support Lands In Mesa 17.4 Git
    It's an exciting day for open-source Radeon Linux users today as besides the AMDGPU DC pull request (albeit still unmerged as of writing), Radeon VCN encoding support has landed in Mesa Git.
  • The - Hopefully - Final Stab At Intel Fastboot Support
    Intel's Maarten Lankhorst has sent out what could be the final patches for enabling "fastboot" support by default within their DRM graphics driver.

Raspberry Digital Signage 10

It shows web pages from Internet, LAN or internal sources (a WordPress installation comes already installed by default on the SD card); there is no way to escape this view but rebooting the machine. Marco Buratto has released Raspberry Digital Signage 10.0 today, which comes with the latest and greatest Chromium build (featuring advanced HTML5 capabilities, Adobe Flash support and H264/AVC video acceleration), so you can display more attractive resources, more easily. Read more

Red Hat Leftovers

Latest Openwashing