Re: [RFC] Second attempt at kernel secure boot support

From: Alan Cox
Date: Thu Nov 08 2012 - 06:14:32 EST

Next message: pkill.2012: "SR-IOV problem with Intel 82599EB (not enough MMIO resources for SR-IOV)"
Previous message: Alan Cox: "Re: [PATCH] raid5: panic() on dma_wait_for_async_tx() error"
In reply to: James Courtier-Dutton: "Re: [RFC] Second attempt at kernel secure boot support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> You have a fair chance of protecting via physical means (Locked rooms,
> Background checks on users etc.) of preventing a user with malicious intent
> to access the local machine.

So called "secure boot" doesn't deal with any kind of physical access,
which also means its useless if a device is lost and returned and you
don't know if it was in the hands of a third party.

> The first thing a computer does when switched on is run its first code
> instructions. Commonly referred to as the BIOS.

A good deal more complicated than that. However the signing in hardware
and early boot up on a lot of devices already goes as far as the BIOS if
the system has BIOS or EFI if it doesn't. You also have all the devices
to deal with.

> Normally digital signatures would examine the binary, ensure the signature
> matches, and then run the code contained in it.

No - it's a good deal more complicated than that too.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: pkill.2012: "SR-IOV problem with Intel 82599EB (not enough MMIO resources for SR-IOV)"
Previous message: Alan Cox: "Re: [PATCH] raid5: panic() on dma_wait_for_async_tx() error"
In reply to: James Courtier-Dutton: "Re: [RFC] Second attempt at kernel secure boot support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]