1 |
On Sat, Jun 16, 2012 at 12:22:24PM +0300, Maxim Kammerer wrote: |
2 |
> On Fri, Jun 15, 2012 at 3:01 PM, Rich Freeman <rich0@g.o> wrote: |
3 |
> > I think that anybody that really cares about security should be |
4 |
> > running in custom mode anyway, and should just re-sign anything they |
5 |
> > want to run. Custom mode lets you clear every single key in the |
6 |
> > system from the vendor on down, and gives you the ability to ensure |
7 |
> > the system only boots stuff you want it to. |
8 |
> |
9 |
> I have several questions, that hopefully someone familiar with UEFI |
10 |
> Secure Boot is able to answer. If I understand UEFI correctly, the |
11 |
> user will need to not just re-sign bootloaders, but also the |
12 |
> OS-neutral drivers (e.g., UEFI GOP), which are hardware-specific, and |
13 |
> will be probably signed with Microsoft keys, since the hardware vendor |
14 |
> would otherwise need to implement expensive key security measures — is |
15 |
> that correct? |
16 |
|
17 |
Huh? No, why would a user need to resign the UEFI drivers? Those |
18 |
"live" in the BIOS and are only used to get the machine up and running |
19 |
in UEFI space, before UEFI hands the control off to the bootloader it |
20 |
has verified is signed with a correct key. |
21 |
|
22 |
> If the user does not perform this procedure (due to its |
23 |
> complexity and/or lack of tools automating the process), is it |
24 |
> possible for an externally connected device to compromise the system |
25 |
> by supplying a Microsoft-signed blob directly to the UEFI firmware, |
26 |
> circumventing the (Linux) OS? |
27 |
|
28 |
Again, what? Please explain. |
29 |
|
30 |
> Is it possible to develop an automatic |
31 |
> re-signing tool — i.e., does the API support all needed features |
32 |
> (listing / extracting drivers, revoking keys, adding keys, etc.)? |
33 |
|
34 |
What API? The signing tool is public, and no, it doesn't add keys, |
35 |
that's up to the BIOS to do, not the userspace tool. |
36 |
|
37 |
confused, |
38 |
|
39 |
greg k-h |