| 1 |
On Tuesday 27 Sep 2011 13:11:30 Jonas de Buhr wrote: |
| 2 |
> >On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote: |
| 3 |
> >> >I am assuming that unlike the old days when I used to boot Linux on |
| 4 |
> >> >PCs using a floppy with SmartBootManager, now we'll need to generate |
| 5 |
> >> >some key/hash for our freshly compiled kernel, then add it to the |
| 6 |
> >> >BIOS firmware and flash the BIOS with it before we are able to boot |
| 7 |
> >> >into it? |
| 8 |
> >> > |
| 9 |
> >> >Is it more complicated than that? |
| 10 |
> >> |
| 11 |
> >> how are you going to write to the bios if it doesn't let you? |
| 12 |
> >> |
| 13 |
> >> maybe you are determined enough to manually flash the chip every time |
| 14 |
> >> you update grub but i think thats a buzzkill for >90% of the users ;) |
| 15 |
> > |
| 16 |
> >Eerhm... |
| 17 |
> >If Grub is the bootloader, wouldn't we just need to have a "signed" |
| 18 |
> >version of Grub? |
| 19 |
> |
| 20 |
> depends if we are talking about hashes being saved in the bios or |
| 21 |
> signatures being checked by the bios. |
| 22 |
> |
| 23 |
> hashes would have to be written to the bios everytime the binary of the |
| 24 |
> bootloader changes. |
| 25 |
> |
| 26 |
> signatures would have to be renewed everytime the binary changes. this |
| 27 |
> is even worse because you will most likely need the some private key to |
| 28 |
> do that which you will not get your hands on. if anyone can create the |
| 29 |
> signature, it's pointless. |
| 30 |
> so you would have to rely on your bios vendor to sign every possible |
| 31 |
> binary of the bootloader. and then you're still locked out. |
| 32 |
|
| 33 |
Unless ... you could create or set up such signature upon your first boot up |
| 34 |
and secure it with a new passphrase/token/what have you. I'm thinking that it |
| 35 |
could become part of the first OS installation, just like you set up a |
| 36 |
root/user passwd. |
| 37 |
-- |
| 38 |
Regards, |
| 39 |
Mick |
Archives