Unsigned kernel boot
Dmitry Kasatkin
dmitry.kasatkin at gmail.com
Tue Nov 12 23:53:59 UTC 2013
On Tue, Nov 12, 2013 at 12:40 PM, Andy Whitcroft <apw at canonical.com> wrote:
> I think you are miss characterising Secure Boot as something which makes
> your machine secure end-to-end. Secure boot is designed to ensure the
> firmware does not load an "OS Loader" which is not approved, and to prevent
> modification of the pre-boot environment. Note I say pre-boot environment.
> It makes no guarentees beyond that point.
>
>> If secure boot is enabled, only "signed" kernel must boot.
>
> "The UEFI 2.2 specification adds a protocol known as Secure boot, which can
> secure the boot process by preventing the loading of drivers or OS loaders
> that are not signed with an acceptable digital signature."
> -apw
I know what you say here.
It is possible to have endless discussion about this topic.
https://www.suse.com/communities/conversations/uefi-secure-boot-details/
http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
Instead of going to direction of providing convenient ways to boot own
kernel either
by signing with own keys or using MOK list, Ubuntu just opens a door
to boot any kernel.
This sounds like wrong approach.
So far I booted signed kernel using UEFI bootloader which forbid and
bypass Ubuntu shim and grub.
So I will continue to do it.
--
Thanks,
Dmitry
More information about the kernel-team
mailing list