Re: [GIT PULL] Load keys from signed PE binaries

From: Matthew Garrett
Date: Thu Feb 28 2013 - 14:30:42 EST

Next message: Eduardo Valentin: "Re: [PATCH 3/8] Thermal: Add APIs to bind cdev to new zone structure"
Previous message: Eduardo Valentin: "Re: [PATCH 2/8] Thermal: Create zone level APIs"
In reply to: Florian Weimer: "Re: [GIT PULL] Load keys from signed PE binaries"
Next in thread: Florian Weimer: "Re: [GIT PULL] Load keys from signed PE binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 28, 2013 at 09:43:10AM -0600, Chris Friesen wrote:
> On 02/28/2013 01:57 AM, Florian Weimer wrote:
>
> >In any case, there's another reading of the UEFI Secure Boot
> >requirements: you may run any code you wish after calling
> >ExitBootServices(). That could be an unsigned, traditional GRUB. But
> >this will not generally address the issue of dual-booting Windows 8 in
> >such a way that Windows sees that the device has enabled Microsoft
> >Secure Boot.
>
> Would it be possible to have a signed bootloader that allows booting
> Win8 from within the secure environment, or it could exit the secure
> environment and run unsigned grub?

What would stop the unsigned grub from installing a firmware hook that
lies about whether or not Secure Boot is enabled, and then booting
Windows?

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eduardo Valentin: "Re: [PATCH 3/8] Thermal: Add APIs to bind cdev to new zone structure"
Previous message: Eduardo Valentin: "Re: [PATCH 2/8] Thermal: Create zone level APIs"
In reply to: Florian Weimer: "Re: [GIT PULL] Load keys from signed PE binaries"
Next in thread: Florian Weimer: "Re: [GIT PULL] Load keys from signed PE binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]