>On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote:
>> >I am assuming that unlike the old days when I used to boot Linux on
>> >PCs using a floppy with SmartBootManager, now we'll need to generate
>> >some key/hash for our freshly compiled kernel, then add it to the
>> >BIOS firmware and flash the BIOS with it before we are able to boot
>> >into it?
>> >
>> >Is it more complicated than that?
>>
>> how are you going to write to the bios if it doesn't let you?
>>
>> maybe you are determined enough to manually flash the chip every time
>> you update grub but i think that's a buzzkill for >90% of the users ;)
>
>Eerhm...
>If Grub is the bootloader, wouldn't we just need to have a "signed"
>version of Grub?

depends if we are talking about hashes being saved in the bios or
signatures being checked by the bios.

hashes would have to be written to the bios every time the binary of the
bootloader changes.

signatures would have to be renewed every time the binary changes. this
is even worse because you will most likely need some private key to
do that which you will not get your hands on. if anyone can create the
signature, it's pointless.
so you would have to rely on your bios vendor to sign every possible
binary of the bootloader. and then you're still locked out.
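
The two models contrasted in the reply above, as an added example that is not part of the original message: one firmware keeps a list of allowed hashes, the other keeps only a public key and checks a signature. The class names, the sample "binaries" and the toy textbook-RSA keys (no padding, not secure) are all assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA (no padding, not secure), built from known Mersenne primes.
# All keys and "binaries" below are constructed for this illustration.
E = 65537
def make_key(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))     # (modulus, private exponent)

VENDOR_N, VENDOR_D = make_key(2**127 - 1, 2**89 - 1)  # D never leaves the vendor
USER_N, USER_D = make_key(2**107 - 1, 2**61 - 1)      # key the user made themselves

def digest(binary, n):
    return int.from_bytes(hashlib.sha256(binary).digest(), "big") % n

def sign(binary, n, d):
    return pow(digest(binary, n), d, n)

class HashFirmware:
    """Firmware stores hashes of allowed bootloaders."""
    def __init__(self):
        self.allowed = set()
    def enroll(self, binary):           # stands in for rewriting firmware storage
        self.allowed.add(hashlib.sha256(binary).digest())
    def will_boot(self, binary):
        return hashlib.sha256(binary).digest() in self.allowed

class SignatureFirmware:
    """Firmware stores only the vendor public key (n, e)."""
    def __init__(self, n):
        self.n = n
    def will_boot(self, binary, signature):
        return pow(signature, E, self.n) == digest(binary, self.n)

def demo():
    old, new = b"bootloader build 1", b"bootloader build 2"
    hfw, sfw = HashFirmware(), SignatureFirmware(VENDOR_N)
    hfw.enroll(old)
    old_sig = sign(old, VENDOR_N, VENDOR_D)
    r = {"hash: old build": hfw.will_boot(old),
         "hash: new build, firmware untouched": hfw.will_boot(new),
         "sig: old build": sfw.will_boot(old, old_sig),
         "sig: new build, old signature": sfw.will_boot(new, old_sig),
         "sig: new build, user-signed": sfw.will_boot(new, sign(new, USER_N, USER_D)),
         "sig: new build, vendor-signed": sfw.will_boot(new, sign(new, VENDOR_N, VENDOR_D))}
    hfw.enroll(new)
    r["hash: new build, after firmware write"] = hfw.will_boot(new)
    return r

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:40} -> {'boots' if ok else 'refused'}")
```

In the hash model a rebuilt bootloader is refused until firmware storage is rewritten; in the signature model the firmware never changes, but only the holder of the vendor private key can produce a signature it accepts.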