On Tuesday 27 Sep 2011 13:11:30 Jonas de Buhr wrote:
> >On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote:
> >> >I am assuming that unlike the old days when I used to boot Linux on
> >> >PCs using a floppy with SmartBootManager, now we'll need to generate
> >> >some key/hash for our freshly compiled kernel, then add it to the
> >> >BIOS firmware and flash the BIOS with it before we are able to boot
> >> >into it?
> >> >
> >> >Is it more complicated than that?
> >>
> >> how are you going to write to the bios if it doesn't let you?
> >>
> >> maybe you are determined enough to manually flash the chip every time
> >> you update grub but i think that's a buzzkill for >90% of the users ;)
> >
> >Eerhm...
> >If Grub is the bootloader, wouldn't we just need to have a "signed"
> >version of Grub?
>
> depends if we are talking about hashes being saved in the bios or
> signatures being checked by the bios.
>
> hashes would have to be written to the bios every time the binary of the
> bootloader changes.
>
> signatures would have to be renewed every time the binary changes. this
> is even worse because you will most likely need some private key to
> do that which you will not get your hands on. if anyone can create the
> signature, it's pointless.
> so you would have to rely on your bios vendor to sign every possible
> binary of the bootloader. and then you're still locked out.

Unless ... you could create or set up such signature upon your first boot up
and secure it with a new passphrase/token/what have you. I'm thinking that it
could become part of the first OS installation, just like you set up a
root/user passwd.
--
Regards,
Mick
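
The two models discussed in this thread, side by side, as an added example that is not part of any poster's message: firmware that stores bootloader hashes versus firmware that stores a public key enrolled at first install and checks signatures. All names are hypothetical, the images are constructed sample data, and the signature is unpadded toy RSA chosen only to stay inside the Python standard library.

```python
import hashlib

def keypair(p, q, e=65537):  # toy textbook RSA: returns (public, private)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, priv):
    n, d = priv
    return pow(digest(image, n), d, n)

class HashFirmware:
    """Firmware that stores hashes of the bootloaders it will start."""
    def __init__(self):
        self.allowed = set()
    def enroll(self, image):          # stands for a write to firmware storage
        self.allowed.add(hashlib.sha256(image).hexdigest())
    def boots(self, image):
        return hashlib.sha256(image).hexdigest() in self.allowed

class SigFirmware:
    """Firmware that stores one public key and checks a signature."""
    def __init__(self, pub):
        self.n, self.e = pub
    def boots(self, image, sig):
        return pow(sig, self.e, self.n) == digest(image, self.n)

# Constructed sample data; Mersenne primes keep the toy keys short to write.
OWNER_PUB, OWNER_PRIV = keypair(2**127 - 1, 2**89 - 1)   # made at first install
_, OTHER_PRIV = keypair(2**107 - 1, 2**61 - 1)           # a key never enrolled
GRUB_V1, GRUB_V2 = b"bootloader build 1", b"bootloader build 2"

def run():
    hfw, sfw = HashFirmware(), SigFirmware(OWNER_PUB)
    hfw.enroll(GRUB_V1)
    sig_v1 = sign(GRUB_V1, OWNER_PRIV)
    out = {
        "hash_v1": hfw.boots(GRUB_V1),
        "hash_v2_no_firmware_write": hfw.boots(GRUB_V2),
        "sig_v1": sfw.boots(GRUB_V1, sig_v1),
        "sig_v2_with_old_signature": sfw.boots(GRUB_V2, sig_v1),
        "sig_v2_resigned_by_owner": sfw.boots(GRUB_V2, sign(GRUB_V2, OWNER_PRIV)),
        "sig_v2_signed_by_other_key": sfw.boots(GRUB_V2, sign(GRUB_V2, OTHER_PRIV)),
    }
    hfw.enroll(GRUB_V2)               # the per-build firmware write
    out["hash_v2_after_firmware_write"] = hfw.boots(GRUB_V2)
    return out
```

Calling `run()` returns one boolean per case: the hash model needs a firmware write for every rebuilt bootloader, while the signature model needs only a fresh signature from whoever holds the enrolled private key.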