secure boot and kernel module signing test?
ivanhu
ivan.hu at canonical.com
Fri Jul 17 03:18:40 UTC 2015
On 2015年07月17日 00:13, Blibbet wrote:
> On 07/16/2015 08:23 AM, Roderick W. Smith wrote:
>> Yes, that's correct. Ubuntu's kernel doesn't attempt to enforce Secure
>> Boot policy beyond the main kernel file; once the kernel's loaded,
>> it's possible to load an unsigned kernel module. Fedora, as you
>> inferred, does require signing of kernel modules. Fedora's approach is
>> arguably more secure, since an attacker can't load a malicious kernel
>> module once the system has booted, but leads to problems with
>> third-party kernel modules, like the in-kernel portions of nVidia and
>> ATI/AMD video drivers.
> Thanks very much, excellent insight.
>
> I wonder if this difference in behavior is part of UEFI spec, or undefined.
>
> Even though current Ubuntu behavior is based on policity decision,
> perhaps a new test still might be useful, so user can determine this
> level of information about the distro's Secure Boot implementation. FWTS
> isn't only going to be used on Ubuntu sysetms, my main use of FWTS is
> via Yocto-based LUV-live distro.
>
> New test aside, is there an easy way to determine if a distro's kernel
> supports one behavior or another, such as a kernel build prepreproc
> directive or variable, or does it vary by distro? I'd like to
> investigate behaviour of some of the other distros.
>
> Thanks,
> Lee
> RSS: http://firmwaresecurity.com/feed
>
>
On Linux, two stage booting has implemented for secureboot.
First stage is firmware boot to shim and then shim will take care to
check signature and boot with grub and kernel.
Booting with/without kernel signed is under shim and grub
implementation, Ubuntu provides the singed kernel in official releases,
and would like to keep the flexibility for user to build their kernel,
so Ubuntu doesn't block booting when user uses unsigned kernel.
Not quiet sure the test you are referring to, fwts does have a test for
secure boot, securebootcert.
The securebootcert test simply checks if the firmware has ability to
boot with secureboot enabled under linux, i.e.. secureboot variables and
certificates existence.
Best Regards
Ivan
More information about the fwts-devel
mailing list