Re: [GIT PULL] Load keys from signed PE binaries

From: David Howells
Date: Tue Feb 26 2013 - 10:11:58 EST


Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:

> > (6) To maintain secure boot mode, the kernel must be signed and the boot
> > loader must check the signature on it. The key must be either compiled
> > into the bootloader (and thus validated by the bootloader signature) or
> > must reside in the UEFI database.
> >
> > [*] Note: This step is simplified a bit.
>
> That's all fine, and now your machine can boot both Linux and Windows
> wonderfully. Distros have shipped code doing this for a short while now
> thanks to Matthew's and other developer's effort in writing a UEFI
> bootloader / shim that Microsoft has signed.
>
> > (7) To maintain secure boot mode, the kernel modules must be signed and the
> > kernel must check the signature on them. The key must be compiled into
> > the kernel or the bootloader or must reside in the UEFI database.
>
> Wait right here. This is NOT mandated by UEFI, nor by anyone else. It
> might be a nice thing that some people and companies want to implement,
> but please don't think that some external entity is requiring that Linux
> implement this, that is not true.

What's the point in having the bootloader check the signature on a kernel
(which you say is fine) if you then permit it to be modified arbitrarily once
it is running? If you don't have signed modules then there's no point having
signed kernels (assuming you don't disable module loading).

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/