secure boot and kernel module signing test?
Blibbet
blibbet at gmail.com
Fri Jul 17 20:11:21 UTC 2015
On 07/16/2015 08:18 PM, ivanhu wrote:
>
> On Linux, two stage booting has been implemented for secureboot.
> First stage is firmware boot to shim and then shim will take care to
> check signature and boot with grub and kernel.
> Booting with/without kernel signed is under shim and grub
> implementation, Ubuntu provides the signed kernel in official releases,
> and would like to keep the flexibility for user to build their kernel,
> so Ubuntu doesn't block booting when user uses unsigned kernel.
Ivan: thanks for the information!
http://firmwaresecurity.com/2015/07/17/secure-boot-strength-varies-by-linux-implementation/
> Not quite sure the test you are referring to, fwts does have a test
> for secure boot, securebootcert.
> The securebootcert test simply checks if the firmware has ability to
> boot with secureboot enabled under linux, i.e. secureboot variables and
> certificates existence.
It seems that there should be a test in FWTS and/or CHIPSEC to clarify
the implementation strength of Secure Boot on a random Linux distro.
Running test on Fedora and Ubuntu should report that unsigned kernel
drivers can be loaded on one kernel with SB enabled, but not on another.
Perhaps additional tests beyond ability to load unsigned kernel drivers?
I'm not sure of the attack surface delta between Fedora and Ubuntu at
the moment.
Maybe a UEFI Forum plugfest test case is needed, with the Linux OSVs? Or
if no test is necessary, just a web page table comparing the distros.
Neither LUV-live nor FWTS-live can help: the strength of their livecd
doesn't matter, it's the strength of the SB on installed OS that matters.
Thanks,
Lee
RSS: http://firmwaresecurity.com/feed
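
A sketch of the kind of check the message above asks for, reporting whether a running kernel with Secure Boot enabled still accepts unsigned modules. This is an added example, not code from the original post, FWTS or CHIPSEC; the function names and the optional root-directory argument are hypothetical, and the lockdown file it reads exists only on newer kernels.

```shell
#!/bin/sh
# Added example: classify Secure Boot and module-signature enforcement
# from sysfs. The optional first argument is a root directory, so the
# checks can run against a constructed tree; empty means the live system.

SB_VAR=sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Prints enabled, disabled, or unsupported (EFI variable not present).
secure_boot_state() {
    f="${1:-}/$SB_VAR"
    [ -r "$f" ] || { echo unsupported; return; }
    # efivarfs layout: 4 attribute bytes, then the 1-byte SecureBoot value.
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    [ "$v" = 1 ] && echo enabled || echo disabled
}

# Prints enforced or permissive for loading of unsigned kernel modules.
module_sig_state() {
    p="${1:-}/sys/module/module/parameters/sig_enforce"
    l="${1:-}/sys/kernel/security/lockdown"
    # sig_enforce=Y: the module loader rejects unsigned modules.
    if [ -r "$p" ] && [ "$(cat "$p")" = Y ]; then echo enforced; return; fi
    # An active kernel lockdown mode also rejects unsigned modules.
    if [ -r "$l" ] && ! grep -q '\[none\]' "$l"; then echo enforced; return; fi
    echo permissive
}

# One-line verdict combining both states.
sb_module_report() {
    sb=$(secure_boot_state "${1:-}")
    ms=$(module_sig_state "${1:-}")
    case "$sb/$ms" in
        enabled/enforced)
            echo "PASS: Secure Boot on, unsigned modules rejected" ;;
        enabled/permissive)
            echo "WARN: Secure Boot on, unsigned modules loadable" ;;
        *)
            echo "INFO: Secure Boot $sb, module signing $ms" ;;
    esac
}

sb_module_report "${1:-}"
```

The verdict reflects the installed, running kernel, so it has to be run on the installed OS rather than from a live image.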