UEFI Secure Boot and Ubuntu - implementation
pkern at debian.org
Mon Jun 25 22:25:28 UTC 2012
On Mon, Jun 25, 2012 at 10:41:17PM +0100, Matthew Garrett wrote:
> The benefits of signing purely a bootloader are minimal - bootloaders
> that load unsigned code will be perfectly willing to set up a secondary
> UEFI environment and then launch another bootloader that believes it's
> in a different security context. Even implementing a kexec equivalent
> that booted the Windows kernel from Linux wouldn't be terribly difficult
> (ReactOS has most of the necessary code already). It's not obvious that
> any security is gained at all.
That's all true. I do wonder, however, if the way Canonical chose is
acceptable to Microsoft or not. Because I don't think the general Linux
community cares about doubtful security benefits from kernel and module
signing. People who want that could use TrustedGRUB.
What we do care about is getting Linux to run without much hassle. You
seem to be arguing that we want to provide some sort of security to our
users while we're at it. But the massive inconvenience for all sorts of
Linux distributions (like Debian, which might only sign some bunch of
unofficial images) doesn't seem to be worth it, IMHO.
Yeah, well, I read your point about TPMs not being in mainstream hardware.
Let's ignore that. In theory that device was intended to be pushed to
the mainstream, just like UEFI. We managed to avoid that, luckily, but
you can make use of them, e.g. with Thinkpads. And buy machines that
Kernel signing cannot work sensibly with Debian's current
infrastructure. I'm aware that Fedora's works differently within
RedHat's secure data centers.