On 03.06.2012 01:36, Michael Mol wrote:
> On Sat, Jun 2, 2012 at 6:50 PM, pk <peterk2@××××××××.se> wrote:
>> On 2012-06-02 22:10, Michael Mol wrote:
>
> [snip]
>
[...]
>
> The BIOS will only load a signed bootloader. The signed bootloader
> will only load a signed kernel. The signed kernel will...do whatever
> you tell it to do.
>

According to Matthew's blog post, Fedora patched Grub2 and the kernel to
avoid loading custom code into them:
- Deactivate grub2 plugins
- Sign all kernel modules and disallow unsigned ones
- Prevent access to PCI through userland
- Sanitize the kernel command line

>> What does that mean to a source-based "distro"?
>
> It's going to make building and installing grub and the kernel
> trickier; you'll have to get them signed. And that's going to be a
> PITA for anyone who does developers.
>
> What it *really* means is that someone who wants to run Linux as a
> hobbyist or developer is going to disable "SecureBoot", and then fall
> back to business as usual.
>

Yeah, the only way for Gentoo to have secure boot is a) let each user
register with Microsoft, b) provide a binary kernel and boot loader.

>> Also, I would assume a legitimate key would be able to
>> sign pretty much any binary so a key that Fedora uses could be used to
>> sign malware for Windows, which then would be blacklisted by
>> Microsoft...
>
> If Fedora allows their key to sign crap, then their key will get revoked.
>
> What I hope (I don't know) is whether or not the signing system
> involved allows chaining. i.e., with SSL, I can generate my own key,
> get it signed by a CA, and then bundle the CA's public key and my
> public key when I go on to sign _another_ key.
>
> So, could I generate a key, have Fedora sign it, and then use my key
> to sign my binaries? If my key is used to do malicious things,
> Fedora's off the hook, and it's only my key which gets revoked.
>

Consider the exact approach Fedora takes: They've only made a certified
stage-1 boot loader. This boot loader then loads grub2 (signed with a
custom Fedora key, nothing chained back to MS) which then loads a
custom-signed kernel. This allows them to avoid authenticating against
MS every time they update grub or the kernel.

This means if you want to certify with Fedora, you don't need to chain
up to MS as long as you use their stage-1 boot loader. However, if I were
part of Fedora, I wouldn't risk my key by signing other people's stuff.
Mainboard makers won't look twice when they see rootkits with Fedora
boot loaders.

>> and how is malware defined? Anything that would be
>> detrimental to Microsoft?
>
> Dunno. I imagine it comes down to whatever the chief key's owner
> doesn't want running on the same hardware while SecureBoot is enabled.
> Rootkits come to mind.
>

To quote Matthew:
> If I take a signed Linux bootloader and then use it to boot something
> that looks like an unsigned Linux kernel, I've instead potentially
> just booted a piece of malware. And if that malware can attack
> Windows then the signed Linux bootloader is no longer just a signed
> Linux bootloader, it's a signed Windows malware launcher and that's
> the kind of thing that results in that bootloader being added to the
> list of blacklisted binaries and suddenly your signed Linux
> bootloader isn't even a signed Linux bootloader.

Regards,
Florian Philipp
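As an added example, not code from this thread, from Fedora, or from Matthew's post: the "sign all kernel modules and disallow unsigned ones" item above rests on a signature trailer appended to each .ko, and the kernel has to parse and length-check that trailer before it can verify anything. The block below builds such a trailer the way sign-file lays it out, parses it with the same sanity checks the kernel applies, and models the load-time decision for unsigned or malformed modules. The layout follows include/linux/module_signature.h as merged upstream in Linux 3.7; that Fedora's 2012 patchset used exactly this layout is an assumption. The PKCS#7 verification of the signature against the kernel keyring is not performed here, and FAKE_MODULE, FAKE_PKCS7, append_signature, split_signature and load_decision are constructed names for this example only.

```python
import struct

# Marker the kernel looks for at the very end of a signed .ko file
# (include/linux/module_signature.h; merged upstream in Linux 3.7).
MODULE_SIG_STRING = b"~Module signature appended~\n"

# struct module_signature, laid out immediately before the marker:
#   u8 algo; u8 hash; u8 id_type; u8 signer_len; u8 key_id_len;
#   u8 __pad[3]; __be32 sig_len;
SIG_INFO = struct.Struct(">BBBBB3sI")

PKEY_ID_PGP, PKEY_ID_X509, PKEY_ID_PKCS7 = 0, 1, 2
ID_NAMES = {PKEY_ID_PGP: "PGP", PKEY_ID_X509: "X.509", PKEY_ID_PKCS7: "PKCS#7"}


class ModuleSignatureError(ValueError):
    """A trailer the kernel would refuse with -EBADMSG before any crypto."""


def append_signature(payload, signature, id_type=PKEY_ID_PKCS7,
                     signer=b"", key_id=b"", algo=0, hash_=0):
    """Lay out a signed module as scripts/sign-file does:
    payload | signer | key_id | signature | module_signature | marker.
    With PKCS#7 the signer and key id live inside the blob, so the
    kernel insists that those fields (and algo/hash) are zero."""
    if not signature:
        raise ValueError("refusing to build a trailer with an empty signature")
    if id_type == PKEY_ID_PKCS7 and (signer or key_id or algo or hash_):
        raise ValueError("PKCS#7 trailer must have zero signer/key id/algo/hash")
    if len(signer) > 255 or len(key_id) > 255:
        raise ValueError("signer/key id do not fit the u8 length fields")
    info = SIG_INFO.pack(algo, hash_, id_type, len(signer), len(key_id),
                         b"\0\0\0", len(signature))
    return payload + signer + key_id + signature + info + MODULE_SIG_STRING


def split_signature(image):
    """Return (payload, info); info is None for an unsigned image, otherwise
    a dict of trailer fields. Mirrors the length checks of the kernel's
    mod_verify_sig()/mod_check_sig(): every length is validated against
    what is actually in the file before any byte is trusted."""
    if not image.endswith(MODULE_SIG_STRING):
        return image, None            # a marker elsewhere in the file is just data
    body = image[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ModuleSignatureError("image too short for module_signature")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = \
        SIG_INFO.unpack(body[-SIG_INFO.size:])
    modlen = len(body) - SIG_INFO.size
    if sig_len == 0 or sig_len >= modlen:
        raise ModuleSignatureError("sig_len %d inconsistent with %d-byte body"
                                   % (sig_len, modlen))
    modlen -= sig_len
    if id_type == PKEY_ID_PKCS7:
        if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
            raise ModuleSignatureError("PKCS#7 info block has non-zero params")
    elif signer_len + key_id_len >= modlen:
        raise ModuleSignatureError("signer/key id lengths exceed module body")
    modlen -= signer_len + key_id_len
    cut = modlen + signer_len + key_id_len
    info = {"id_type": id_type, "algo": algo, "hash": hash_,
            "signer": body[modlen:modlen + signer_len],
            "key_id": body[modlen + signer_len:cut],
            "signature": body[cut:cut + sig_len]}
    return body[:modlen], info


def load_decision(image, sig_enforce=True):
    """Model of what the loader does with an image. With signature
    enforcement on (the behaviour the thread describes for Fedora's Secure
    Boot kernel) an unsigned or malformed module is refused outright; with
    it off an unsigned module loads but taints the kernel. A well-formed
    trailer is handed on to PKCS#7 verification against the trusted
    keyring, which this model does not perform."""
    try:
        payload, info = split_signature(image)
    except ModuleSignatureError as exc:
        return "reject", "malformed signature trailer: %s" % exc
    if info is None:
        if sig_enforce:
            return "reject", "unsigned module refused by sig_enforce"
        return "load-tainted", "unsigned module loaded with the unsigned-module taint"
    return "verify", "%s signature, %d bytes, over %d payload bytes" % (
        ID_NAMES.get(info["id_type"], "unknown"), len(info["signature"]), len(payload))


# Constructed stand-ins (not real kernel objects): a fake ELF image and an
# opaque blob standing in for the PKCS#7 message sign-file would emit.
FAKE_MODULE = b"\x7fELF" + b"\0" * 60 + b"hello_mod"
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 252


if __name__ == "__main__":
    signed = append_signature(FAKE_MODULE, FAKE_PKCS7)
    print(load_decision(FAKE_MODULE))                       # reject: unsigned
    print(load_decision(FAKE_MODULE, sig_enforce=False))    # load-tainted
    print(load_decision(signed))                            # verify: PKCS#7 ...
    # Appending only the marker, or a trailer with a bogus sig_len, gets
    # nowhere: the length checks fail before any key is consulted.
    print(load_decision(FAKE_MODULE + MODULE_SIG_STRING))
    bogus = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", 0xFFFFFFFF)
    print(load_decision(FAKE_MODULE + bogus + MODULE_SIG_STRING))
```

The point worth taking from the block is that the marker string by itself authenticates nothing: the kernel only uses it to decide that a trailer is present, then bounds-checks sig_len and the signer/key-id lengths against the file, and only then asks the crypto layer whether the signature over the remaining payload chains to a key it trusts. The older X.509-style trailer (id_type 1, with signer name and key id stored in the file) is parsed here as well so the layout difference is visible; current kernels accept only the PKCS#7 form.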