secure boot and kernel module signing test?

Roderick W. Smith rod.smith at canonical.com
Thu Jul 16 15:23:58 UTC 2015


On 07/16/2015 10:56 AM, Blibbet wrote:
> Hi,
> 
> I recently got a comment from a UEFI security researcher:
> 
> "Ubuntu appears to have shim and do secure boot but not enforce
> kernel module signing."
> 
> The person in question had just made a liveboot USB for an EFI
> training class with Ubuntu so you can run some UEFI security tools
> on with secure boot and no signatures.
> 
> Sorry, I don't have any more information. One sentence I think I
> am reading between the lines was that Fedora did things differently
> than Ubuntu, perhaps it was enforcing kernel module signing?

Yes, that's correct. Ubuntu's kernel doesn't attempt to enforce Secure
Boot policy beyond the main kernel file; once the kernel's loaded,
it's possible to load an unsigned kernel module. Fedora, as you
inferred, does require signing of kernel modules. Fedora's approach is
arguably more secure, since an attacker can't load a malicious kernel
module once the system has booted, but leads to problems with
third-party kernel modules, like the in-kernel portions of nVidia and
ATI/AMD video drivers.

FWIW, the decision to do it this way was made before I joined
Canonical, so I'm not sure who made the decision.

-- 
Rod Smith
Server and Cloud Certification Engineer
rod.smith at canonical.com
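
A way to check which of the two policies described in the reply above a running kernel applies, as an added example that is not part of the original message. The function names and the optional root-directory argument are this example's own; the lockdown file exists only on kernels newer than this 2015 thread.

```shell
#!/bin/sh
# Added example: does this kernel refuse unsigned modules, and has one
# already been loaded? Pass a directory as $1 to inspect a copy of
# /sys and /proc instead of the live system (assumption of this example).

# Prints "enforced", "not-enforced" or "no-signature-check".
module_sig_state() {
    root=${1:-}
    param="$root/sys/module/module/parameters/sig_enforce"
    lockdown="$root/sys/kernel/security/lockdown"
    # Lockdown lists all modes and puts the active one in [brackets];
    # integrity and confidentiality both reject unsigned modules.
    if [ -r "$lockdown" ]; then
        case $(cat "$lockdown") in
            *"[integrity]"*|*"[confidentiality]"*) echo enforced; return 0 ;;
        esac
    fi
    # sig_enforce is absent when the kernel has no module signature support.
    if [ ! -r "$param" ]; then
        echo no-signature-check
        return 0
    fi
    case $(cat "$param") in
        Y|1) echo enforced ;;
        *)   echo not-enforced ;;
    esac
}

# Prints "yes" if taint bit 13 (unsigned module was loaded) is set.
unsigned_module_loaded() {
    root=${1:-}
    t=$(cat "$root/proc/sys/kernel/tainted" 2>/dev/null) || t=0
    t=${t:-0}
    if [ $(( (t >> 13) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

echo "module signature enforcement: $(module_sig_state)"
echo "unsigned module loaded since boot: $(unsigned_module_loaded)"
```

A result of "not-enforced" together with "yes" means an unsigned module is running in a kernel that itself passed Secure Boot verification.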
