| 1 |
>On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote: |
| 2 |
>> >I am assuming that unlike the old days when I used to boot Linux on |
| 3 |
>> >PCs using a floppy with SmartBootManager, now we'll need to generate |
| 4 |
>> >some key/hash for our freshly compiled kernel, then add it to the |
| 5 |
>> >BIOS firmware and flash the BIOS with it before we are able to boot |
| 6 |
>> >into it? |
| 7 |
>> > |
| 8 |
>> >Is it more complicated than that? |
| 9 |
>> |
| 10 |
>> how are you going to write to the bios if it doesn't let you? |
| 11 |
>> |
| 12 |
>> maybe you are determined enough to manually flash the chip every time |
| 13 |
>> you update grub but i think thats a buzzkill for >90% of the users ;) |
| 14 |
> |
| 15 |
>Eerhm... |
| 16 |
>If Grub is the bootloader, wouldn't we just need to have a "signed" |
| 17 |
>version of Grub? |
| 18 |
|
| 19 |
depends if we are talking about hashes being saved in the bios or |
| 20 |
signatures being checked by the bios. |
| 21 |
|
| 22 |
hashes would have to be written to the bios everytime the binary of the |
| 23 |
bootloader changes. |
| 24 |
|
| 25 |
signatures would have to be renewed everytime the binary changes. this |
| 26 |
is even worse because you will most likely need the some private key to |
| 27 |
do that which you will not get your hands on. if anyone can create the |
| 28 |
signature, it's pointless. |
| 29 |
so you would have to rely on your bios vendor to sign every possible |
| 30 |
binary of the bootloader. and then you're still locked out. |
Archives