Unsigned kernel boot

Andy Whitcroft apw at canonical.com
Tue Nov 12 10:40:17 UTC 2013


I think you are mischaracterising Secure Boot as something which makes
your machine secure end-to-end. Secure boot is designed to ensure the
firmware does not load an "OS Loader" which is not approved, and to prevent
modification of the pre-boot environment. Note I say pre-boot environment.
It makes no guarantees beyond that point.

> If secure boot is enabled, only "signed" kernel must boot.

"The UEFI 2.2 specification adds a protocol known as Secure boot, which can
secure the boot process by preventing the loading of drivers or OS loaders
that are not signed <http://en.wikipedia.org/wiki/Public-key_cryptography> with
an acceptable digital signature <http://en.wikipedia.org/wiki/Digital_signature>."

-apw