List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Rich Freeman <rich0@g.o>
Subject: Re: Re: UEFI secure boot and Gentoo
Date: Sun, 17 Jun 2012 19:07:44 -0400
On Sun, Jun 17, 2012 at 4:30 PM, Florian Philipp <lists@...> wrote:
> On 17.06.2012 20:56, Sascha Cunz wrote:
>> I was under the impression that it should at least help in that scenario.
>> OTOH, if it takes a compromised system or physical access to the machine in
>> order to manipulate the boot sequence, then I no longer understand what the
>> boot sequence in such a system must be protected against (Assuming that the
>> primary reason for boot sequence manipulation is to later on compromise the
>> system).
>>
>
> Well, it does help, especially when you also prevent changing UEFI
> settings with a password. However, there are so many variables and
> possibilities when talking about attacks on physically accessible
> systems, that you're usually screwed anyway.

I'd view secure boot as complementary to TPM.

TPM keeps somebody with physical access from being able to access
important information on your computer, since that data would be
encrypted and the keys would not be surrendered by the TPM module
without a proper chain of trust.

TPM is potentially more secure, although it has a fatal flaw in that
if the OS is compromised then the keys can be obtained (since the OS
needs the keys to access the disk) and a trojan can be installed on
the bootloader.  That trojan is difficult to remove or even detect
even if you update your virus scanners/etc.  Secure boot keeps trojans
out of the early boot chain, making them easier to clean up once your
system is further updated.

Secure boot is also somewhat easier to implement, and a bit more
recoverable if things go wrong.  If you're using TPM and trusted grub
and all that, then if you mess up your trusted boot chain then you may
never get back the contents of your drive, unless you kept a copy of
various keys elsewhere.

Rich
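A toy model of the two mechanisms Rich contrasts above, added here as an illustration (it is not code from this thread or from Gentoo): the TPM records each boot stage into a PCR and only releases a sealed disk key when the measurements match, while a secure-boot style check refuses to execute an unrecognised stage at all. The component byte strings are constructed stand-ins for real binaries, the digest allowlist stands in for UEFI's signature check against the db, and the HMAC-based wrap stands in for the TPM's storage root key; none of it is the TPM 2.0 or UEFI API.

```python
"""Constructed model of measured boot (TPM PCR + sealing) next to a
secure-boot style allowlist. Stand-ins, not the TPM 2.0 or UEFI APIs."""
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Set, Tuple

PCR_SIZE = 32
Blob = Tuple[bytes, bytes]  # (policy PCR value, wrapped secret)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). Old values are folded in,
    never overwritten, so the final digest commits to every boot stage."""
    return sha256(pcr + sha256(component))


def expected_pcr(chain: Iterable[bytes]) -> bytes:
    """Value the PCR will hold after a known-good chain has been measured;
    this is what the disk key gets sealed to."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Holds its own PCR and a secret that never leaves the object.
    A real TPM wraps with a storage root key kept inside the chip; here an
    HMAC keystream derived from a random in-object secret stands in."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)
        self.pcr = bytes(PCR_SIZE)  # PCRs are all-zero after reset

    def reset(self) -> None:
        self.pcr = bytes(PCR_SIZE)

    def extend(self, component: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, component)

    def _keystream(self, policy_pcr: bytes) -> bytes:
        # Bound to the policy: a blob only unwraps under the PCR value
        # it was sealed to (toy XOR wrap; fine for one 32-byte secret).
        return hmac.new(self._srk, b"seal" + policy_pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, policy_pcr: bytes) -> Blob:
        if len(secret) != PCR_SIZE:
            raise ValueError("toy seal takes a 32-byte secret")
        ks = self._keystream(policy_pcr)
        return policy_pcr, bytes(a ^ b for a, b in zip(secret, ks))

    def unseal(self, blob: Blob) -> Optional[bytes]:
        policy_pcr, wrapped = blob
        if not hmac.compare_digest(policy_pcr, self.pcr):
            return None  # measurements differ: key is not released
        ks = self._keystream(policy_pcr)
        return bytes(a ^ b for a, b in zip(wrapped, ks))


def boot(tpm: ToyTPM, blob: Blob, chain: List[bytes],
         trusted_digests: Optional[Set[bytes]] = None) -> Tuple[int, Optional[bytes]]:
    """Simulate one boot. Each stage is measured before it 'runs'. With
    trusted_digests given, a secure-boot style check refuses to run an
    unrecognised stage at all. Returns (stages executed, released key)."""
    tpm.reset()
    executed = 0
    for stage in chain:
        if trusted_digests is not None and sha256(stage) not in trusted_digests:
            return executed, None  # halted before the untrusted stage runs
        tpm.extend(stage)
        executed += 1
    # The OS (last stage) asks for the disk key. Once released it lives in
    # OS memory, which is the flaw the mail describes: a compromised OS
    # that booted cleanly holds the key and can re-seal whatever it likes.
    return executed, tpm.unseal(blob)


# Constructed stand-ins for the real firmware, bootloader and kernel images.
FIRMWARE = b"firmware-v1"
BOOTLOADER = b"grub-2.00"
KERNEL = b"linux-3.4"
GOOD_CHAIN = [FIRMWARE, BOOTLOADER, KERNEL]
TROJANED_CHAIN = [FIRMWARE, BOOTLOADER + b"+bootkit", KERNEL]
DISK_KEY = bytes(range(32))
TRUSTED = {sha256(c) for c in GOOD_CHAIN}  # stand-in for UEFI db signatures


def demo() -> dict:
    tpm = ToyTPM()
    blob = tpm.seal(DISK_KEY, expected_pcr(GOOD_CHAIN))
    return {
        "clean": boot(tpm, blob, GOOD_CHAIN),
        "trojan_measured_only": boot(tpm, blob, TROJANED_CHAIN),
        "trojan_secure_boot": boot(tpm, blob, TROJANED_CHAIN, TRUSTED),
    }


if __name__ == "__main__":
    for name, (stages, key) in demo().items():
        print(f"{name}: stages run={stages}, key released={key is not None}")
```

The clean boot runs all three stages and gets the key. With measurement alone the trojaned bootloader still runs (three stages executed) and only the key is withheld, which is why the bootkit can persist undetected once the key is recovered another way; with the allowlist check the boot stops after the firmware stage, before the bootloader executes, which is the "keeps trojans out of the early boot chain" behaviour the mail attributes to secure boot.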
Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.