Mailinglist Archive: opensuse (924 mails)

Re: [opensuse] Re: Re: UEFI
On Fri, Oct 26, 2012 at 5:14 PM, Carlos E. R.
<robin.listas@xxxxxxxxxxxxxx> wrote:
> On 2012-10-26 23:01, Greg Freemyer wrote:
>> I assume you can do that, but I don't know if DOS will even run a signed
>> kernel. Remember the kernel typically has to be pulled out of the signed
>> container. Don't know how you would do that with 2012 and before operating
>> systems.
>>
>> Thus it may be that openSUSE 12.2 and older will never run with UEFI Secure
>> Boot systems. (We are beyond my knowledge at this point.)
>
> I think, IIRC, that it is not the kernel that is signed, but the loader, i.e.
> grub, or even some other loader that loads grub. Or both.

Remember, the SUSE team wants to enhance the functionality of secure
boot, not bypass it. Just using a signed version of Grub would not
provide any security over disabling Secure Boot.

From the blog:

https://www.suse.com/blogs/uefi-secure-boot-plan/

==
At the implementation layer, we intend to use the shim loader
originally developed by Fedora – it’s a smart solution which avoids
several nasty legal issues, and simplifies the certification/signing
step considerably. This shim loader’s job is to load grub2 and verify
it; this version of grub2 in turn will load kernels signed by a SUSE
key only.
==

That is misleadingly simple, but you get the idea.

The more detailed blog post is here:
https://www.suse.com/blogs/uefi-secure-boot-details/

Feel free to dive in, but the "goal" is to extend Secure Boot through
grub2 such that only signed kernels can be booted.

If you don't want that, turn it off. (Will Windows 8 run with Secure
Boot disabled? I don't know.)

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
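As an added illustration of the two designs Greg contrasts above (this is example code, not anything from the thread, SUSE or the shim project): a toy model of the boot chain in Go. Freshly generated Ed25519 keys stand in for the UEFI CA and the SUSE signing key, the stage names shim/grub2/vmlinuz are labels only, and the kernel is deliberately left unsigned to show which design stops it.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
)

// Stage is one boot component: its image bytes and a detached signature over them.
type Stage struct {
	Name       string
	Image, Sig []byte
}

// Policy is the signing keys a stage accepts for the next image; empty means it verifies nothing.
type Policy []ed25519.PublicKey

// Accepts reports whether s carries a valid signature from one of p's keys.
func (p Policy) Accepts(s Stage) bool {
	for _, k := range p {
		if ed25519.Verify(k, s.Image, s.Sig) {
			return true
		}
	}
	return len(p) == 0 // a loader with no keys (a plain grub2) loads anything
}

// Boot enforces policies[i] on stages[i] (policies[0] is the firmware's db) and
// returns the first rejected stage name, or "" if the whole chain booted.
func Boot(policies []Policy, stages []Stage) string {
	for i, s := range stages {
		if !policies[i].Accepts(s) {
			return s.Name
		}
	}
	return ""
}

func sign(priv ed25519.PrivateKey, name, image string) Stage {
	return Stage{Name: name, Image: []byte(image), Sig: ed25519.Sign(priv, []byte(image))}
}

// Compare boots an unsigned kernel through both designs from the thread, using fresh
// toy keys in place of the UEFI CA and the SUSE key, and returns what each rejects.
func Compare() (shimChain, signedGrubOnly string) {
	uefiPub, uefiPriv, _ := ed25519.GenerateKey(rand.Reader)
	susePub, susePriv, _ := ed25519.GenerateKey(rand.Reader)
	kernel := Stage{Name: "vmlinuz", Image: []byte("unsigned kernel")} // no signature at all
	// Shim design: firmware verifies shim, shim verifies grub2, grub2 verifies the kernel.
	shimChain = Boot([]Policy{{uefiPub}, {susePub}, {susePub}},
		[]Stage{sign(uefiPriv, "shim", "shim"), sign(susePriv, "grub2", "grub2"), kernel})
	// "Just a signed grub": firmware verifies grub2, which then loads anything.
	signedGrubOnly = Boot([]Policy{{uefiPub}, {}}, []Stage{sign(uefiPriv, "grub2", "grub2"), kernel})
	return
}
```

Compare() returns "vmlinuz" for the shim chain (the unsigned kernel is refused at the grub2 step) and "" for the signed-grub-only chain, which boots it without complaint.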
