Language Selection

English French German Italian Portuguese Spanish

Supporting third-party keys in a Secure Boot world

Filed under
Linux

It's fairly straightforward to boot a UEFI Secure Boot system using something like Shim or the Linux Foundation's loader, and for distributions using either the LF loader or the generic version of Shim that's pretty much all you need to care about. The physically-present end user has had to explicitly install new keys or hashes, and that means that you no longer need to care about Microsoft's security policies or (assuming there's no exploitable flaws in the bootloader itself) fear any kind of revocation.

But what about if you're a distribution that cares about booting without the user having to install keys? There's several reasons to want that (convenience for naive users, ability to netboot, that kind of thing), but it has the downside that your system can now be used as an attack vector against other operating systems. Do you care about that? It depends how you weigh the risks. First, someone would have to use your system to attack another. Second, Microsoft would have to care enough to revoke your signature.

rest here




More in Tux Machines

today's leftovers

Ninja Blocks prepares to begin shipping, announces major Ubuntu IoT deal

Ninja Blocks has begun shipping the Ninja Sphere and announced it has signed up as a key partner for Canonical’s Ubuntu Core embedded device operating system, as it opens its first office in the US. The startup launched in 2012, when it was selected to participate the Startmate accelerator program, and also smashed a Kickstarter campaign for its first product, which was also called Ninja Blocks. Read more

Netrunner 14.1 – Main Edition (Frontier)

The “14.1” indicates an updated and polished release of Netrunner 14 LTS on the same underlying base. Since 14.1 is using the same base “trusty” like Netrunner 14, there is no need for users of 14 to migrate: Simply updating from the shared backports ppa of the Frontier release cycle should give the same result, while keeping customizations in place. Read more

Wayland 1.6.1 & Weston 1.6.1 Released

Bryce Harrington, the former Canonical employee part of Ubuntu's X/Mir team turned Samsung open-source employee, has issued the first maintenance update for Wayland 1.6. Wayland 1.6.1 and the reference compositor Weston 1.6.1 were released on Friday night by Harrington. The Wayland 1.6.1 stable update has just over a dozen changes and they're mostly tiny bug-fixes/corrections but there is also improved handling for some error situations between servers and clients. The brief Wayland 1.6.1 release announcement can be read on the Wayland mailing list. Read more