Unsigned kernel boot

Dmitry Kasatkin dmitry.kasatkin at gmail.com
Tue Nov 12 23:53:59 UTC 2013

On Tue, Nov 12, 2013 at 12:40 PM, Andy Whitcroft <apw at canonical.com> wrote:
> I think you are mischaracterising Secure Boot as something which makes
> your machine secure end-to-end. Secure boot is designed to ensure the
> firmware does not load an "OS Loader" which is not approved, and to prevent
> modification of the pre-boot environment. Note I say pre-boot environment.
> It makes no guarantees beyond that point.
>> If secure boot is enabled, only "signed" kernel must boot.
> "The UEFI 2.2 specification adds a protocol known as Secure boot, which can
> secure the boot process by preventing the loading of drivers or OS loaders
> that are not signed with an acceptable digital signature."
> -apw

I know what you say here.
It is possible to have endless discussion about this topic.


Instead of going in the direction of providing convenient ways to boot
one's own kernel, either by signing with one's own keys or using the MOK
list, Ubuntu just opens a door to boot any kernel.
This sounds like the wrong approach.

So far I have booted a signed kernel using a UEFI bootloader which forbids
and bypasses the Ubuntu shim and grub.
So I will continue to do it.

