is this true

Stephen M. Webb stephen at ubuntu.com
Mon Oct 3 14:14:04 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/03/2011 09:59 AM, swfiua at gmail.com wrote:
> I know very little about the UEFI implementation, but do know a fair bit
> about public key cryptography.
>
> If the UEFI implementation is done right then the keys that are embedded in
> the boot loader should be public keys and, by definition, there is no need
> to keep them secret.
>
> The keys that need to be kept secret are the corresponding private keys
used
> to sign the OS'es that you install.
>
> This part should not be a problem for linux. I'd expect the main distros
> to have their own private keys and to provide tools to make it easy to
adder
> their public keys to UEFI.
>
> For users experimenting with their own OS, then I assume you can generate
> your own key pair, load the public key into the boot loader and use the
> private key to sign your OS.
>
> One thing I'm not sure about with UEFI is just what you have to sign. I'd
> expect the signing to include some sort of checksum on the code it is going
> to boot -- can anyone point me at the details?
Well, first off, don't expect hardware vendors to supply any way to
update their silicon (ie. burn new keys into the UEFI boot ROMs).  At
least, not without some kind of private keys from the silicon vendor
for which you will have to sign umpteen NDAs and pay through the
nose.  These guys leaned from the BIOS fandango of the past.

Second, if just anyone can put their keys into the boot ROM, it
defeats the purpose of having keys in the boot ROM.  It would be like
having an iron front door with a big combination lock on it and a
nice, convenient way for anyone to set that combination from the
outside, including the thieves who want to break in.

The only way to provide people with the ability to put their own OS on
secure boot devices would be to provide a physical disable switch that
can not be accessed through software.  This limits the vulnerability
to social engineering approaches, and even those are reduced because
the target population is less likely to open a case and flip a DIP
switch on a circuit board because a dialog box told them to.

The chance of an ODM spending money on the extra traces and hardware
to add such a switch, and of them getting the firmware right and even
tested, are as large as their margins.  In other word pretty close to
zero.

- -- 
Stephen M. Webb  <stephen at ubuntu.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6JwykACgkQTLRKqWcl7vM5ugCgmHE4o23L20KuhnAMezY9zFqu
8MQAnR2irC91DTxrMlgCGbtBTX5hNa/4
=mNAm
-----END PGP SIGNATURE-----

More information about the ubuntu-ca mailing list