Re: Fwd: Re: [opensuse-project] UEFI Secure Boot
On Fri, Aug 10, 2012 at 8:59 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Fri, Aug 10, 2012 at 8:25 AM, Basil Chupin <blchupin@iinet.net.au> wrote:
On 10/08/12 19:44, Vojtech Pavlik wrote:
On Fri, 10 Aug 2012 18:59:26 +1000, Basil Chupin wrote:
My question is: what would happen when one should use - as I did today - a bootable CD like System Rescue Disc? (I am guessing that if this were the openSUSE installation DVD then it would have some code in it which would allow it to boot without problems.)
The openSUSE installation DVD will of course boot, having all the proper signatures that you needed to install the OS in the first place. And it will be booting the kernel present on the DVD, which is signed by the SUSE key.
In case you wanted to create your own rescue DVD that'd be booting custom kernels, that'll be possible, too, using the same shim loader you'll be able to enroll your MOK, or just use one if already present on the system.
Thank you for confirming what I suspected.
My apologies for using the wrong name for the CD I mentioned above, however I was wondering how a bootable CD such as the SystemRescueCD which comes from systemrescuecd.org (http://www.sysresccd.org/SystemRescueCd_Homepage), and similar bootable media, would boot under this UEFI process?
BC
It was my impression that most UEFI bios solutions would not test CD boot media.
Forcing CD/DVD boot media to be signed with a well known key would end the use of CD/DVD boot media for all but Microsoft I suspect.
(ie. How does the initial openSUSE install get on to a box if install media doesn't have a way around the signing/validation rules.)
The same will also need to apply to USB boot media I hope.
Greg
--
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, Aug 10, 2012 at 6:12 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Fri, Aug 10, 2012 at 8:59 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Fri, Aug 10, 2012 at 8:25 AM, Basil Chupin <blchupin@iinet.net.au> wrote:
On 10/08/12 19:44, Vojtech Pavlik wrote:
On Fri, 10 Aug 2012 18:59:26 +1000, Basil Chupin wrote:
My question is: what would happen when one should use - as I did today - a bootable CD like System Rescue Disc? (I am guessing that if this were the openSUSE installation DVD then it would have some code in it which would allow it to boot without problems.)
The openSUSE installation DVD will of course boot, having all the proper signatures that you needed to install the OS in the first place. And it will be booting the kernel present on the DVD, which is signed by the SUSE key.
In case you wanted to create your own rescue DVD that'd be booting custom kernels, that'll be possible, too, using the same shim loader you'll be able to enroll your MOK, or just use one if already present on the system.
Thank you for confirming what I suspected.
My apologies for using the wrong name for the CD I mentioned above, however I was wondering how a bootable CD such as the SystemRescueCD which comes from systemrescuecd.org (http://www.sysresccd.org/SystemRescueCd_Homepage), and similar bootable media, would boot under this UEFI process?
BC
It was my impression that most UEFI bios solutions would not test CD boot media.
Forcing CD/DVD boot media to be signed with a well known key would end the use of CD/DVD boot media for all but Microsoft I suspect.
(ie. How does the initial openSUSE install get on to a box if install media doesn't have a way around the signing/validation rules.)
The same will also need to apply to USB boot media I hope.
Greg
This is exactly the easiest way for an attacker to compromise a system that's not protected by a BIOS password or similar mechanism - walk up to it when the owner is away and boot a CD/DVD/USB!
--
Twitter: http://twitter.com/znmeb; Computational Journalism Publishers Workbench: http://j.mp/QCsXOr
Data is the new coal - abundant, dirty and difficult to mine.
On Fri, Aug 10, 2012 at 11:47 AM, M. Edward (Ed) Borasky <znmeb@znmeb.net> wrote:
This is exactly the easiest way for an attacker to compromise a system that's not protected by a BIOS password or similar mechanism - walk up to it when the owner is away and boot a CD/DVD/USB!
"It's not your computer anymore" - http://technet.microsoft.com/en-us/library/cc722487.aspx
--
Twitter: http://twitter.com/znmeb; Computational Journalism Publishers Workbench: http://j.mp/QCsXOr
Data is the new coal - abundant, dirty and difficult to mine.
On Fri, Aug 10, 2012 at 2:47 PM, M. Edward (Ed) Borasky <znmeb@znmeb.net> wrote:
On Fri, Aug 10, 2012 at 6:12 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Fri, Aug 10, 2012 at 8:59 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Fri, Aug 10, 2012 at 8:25 AM, Basil Chupin <blchupin@iinet.net.au> wrote:
On 10/08/12 19:44, Vojtech Pavlik wrote:
On Fri, 10 Aug 2012 18:59:26 +1000, Basil Chupin wrote:
My question is: what would happen when one should use - as I did today - a bootable CD like System Rescue Disc? (I am guessing that if this were the openSUSE installation DVD then it would have some code in it which would allow it to boot without problems.)
The openSUSE installation DVD will of course boot, having all the proper signatures that you needed to install the OS in the first place. And it will be booting the kernel present on the DVD, which is signed by the SUSE key.
In case you wanted to create your own rescue DVD that'd be booting custom kernels, that'll be possible, too, using the same shim loader you'll be able to enroll your MOK, or just use one if already present on the system.
Thank you for confirming what I suspected.
My apologies for using the wrong name for the CD I mentioned above, however I was wondering how a bootable CD such as the SystemRescueCD which comes from systemrescuecd.org (http://www.sysresccd.org/SystemRescueCd_Homepage), and similar bootable media, would boot under this UEFI process?
BC
It was my impression that most UEFI bios solutions would not test CD boot media.
Forcing CD/DVD boot media to be signed with a well known key would end the use of CD/DVD boot media for all but Microsoft I suspect.
(ie. How does the initial openSUSE install get on to a box if install media doesn't have a way around the signing/validation rules.)
The same will also need to apply to USB boot media I hope.
Greg
This is exactly the easiest way for an attacker to compromise a system that's not protected by a BIOS password or similar mechanism - walk up to it when the owner is away and boot a CD/DVD/USB!
Ed,
Are you agreeing or disagreeing with my statement the UEFI allows booting of non-validatable CDs?
I don't see how openSUSE could install the UEFI boot loader tools in the first place if that is not true.
Greg
On Fri, 10 Aug 2012 17:12:32 -0400, Greg Freemyer wrote:
Are you agreeing or disagreeing with my statement the UEFI allows booting of non-validatable CDs?
I don't see how openSUSE could install the UEFI boot loader tools in the first place if that is not true.
UEFI certainly would allow the booting of non-validatable CDs or USB media. The Secure Boot feature, OTOH, might prevent it. But to do so, you'd simply disable the setting (as the easiest solution).
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
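The distinction drawn in the message above, between UEFI firmware and the Secure Boot setting, can be checked on a running Linux system. The following is an added example, not part of the thread: it assumes efivarfs is mounted at /sys/firmware/efi/efivars and that the installed shim exposes the MokSBStateRT variable (present in later shim releases than the one discussed here); the function names and the sample bytes are constructed for illustration.

```python
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")           # assumed efivarfs mount point
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI global variables
SHIM_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"    # variables owned by shim


def parse_flag(raw):
    """Return the one-byte value of an efivarfs entry, or None if absent.

    An efivarfs file is a 4-byte attribute word followed by the data.
    """
    if raw is None:
        return None
    if len(raw) < 5:
        raise ValueError("truncated efivarfs entry")
    return raw[4]


def read_var(name, guid, root=EFIVARS):
    try:
        return (root / f"{name}-{guid}").read_bytes()
    except FileNotFoundError:
        return None


def boot_policy(secure_boot, setup_mode, mok_sb_state):
    """Classify what the firmware and shim will enforce at the next boot."""
    sb, setup, mok = (parse_flag(v) for v in (secure_boot, setup_mode, mok_sb_state))
    if sb is None:
        return "unsupported"               # legacy BIOS boot or no Secure Boot feature
    if setup == 1:
        return "setup-mode"                # no Platform Key enrolled, keys can be replaced
    if sb != 1:
        return "disabled"                  # unsigned CD/USB loaders will be started
    if mok == 1:
        return "shim-validation-disabled"  # firmware checks shim, shim checks nothing
    return "enforcing"


def current_policy(root=EFIVARS):
    return boot_policy(read_var("SecureBoot", GLOBAL_GUID, root),
                       read_var("SetupMode", GLOBAL_GUID, root),
                       read_var("MokSBStateRT", SHIM_GUID, root))


def sample(value):
    """Constructed efivarfs content: attribute word 0x06 plus one data byte."""
    return b"\x06\x00\x00\x00" + bytes([value])


if __name__ == "__main__":
    print(current_policy())
```

Any result other than "enforcing" means removable media with unsigned boot loaders will start on that machine, whatever the installed OS was signed with.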
On Friday 10 August 2012 23:12:32 Greg Freemyer wrote:
On Fri, Aug 10, 2012 at 2:47 PM, M. Edward (Ed) Borasky <znmeb@znmeb.net> wrote:
On Fri, Aug 10, 2012 at 6:12 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Fri, Aug 10, 2012 at 8:59 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Fri, Aug 10, 2012 at 8:25 AM, Basil Chupin <blchupin@iinet.net.au> wrote:
On 10/08/12 19:44, Vojtech Pavlik wrote:
On Fri, 10 Aug 2012 18:59:26 +1000, Basil Chupin wrote:
My question is: what would happen when one should use - as I did today - a bootable CD like System Rescue Disc? (I am guessing that if this were the openSUSE installation DVD then it would have some code in it which would allow it to boot without problems.)
The openSUSE installation DVD will of course boot, having all the proper signatures that you needed to install the OS in the first place. And it will be booting the kernel present on the DVD, which is signed by the SUSE key.
In case you wanted to create your own rescue DVD that'd be booting custom kernels, that'll be possible, too, using the same shim loader you'll be able to enroll your MOK, or just use one if already present on the system.
Thank you for confirming what I suspected.
My apologies for using the wrong name for the CD I mentioned above, however I was wondering how a bootable CD such as the SystemRescueCD which comes from systemrescuecd.org (http://www.sysresccd.org/SystemRescueCd_Homepage), and similar bootable media, would boot under this UEFI process?
BC
It was my impression that most UEFI bios solutions would not test CD boot media.
Forcing CD/DVD boot media to be signed with a well known key would end the use of CD/DVD boot media for all but Microsoft I suspect.
(ie. How does the initial openSUSE install get on to a box if install media doesn't have a way around the signing/validation rules.)
The same will also need to apply to USB boot media I hope.
Greg
This is exactly the easiest way for an attacker to compromise a system that's not protected by a BIOS password or similar mechanism - walk up to it when the owner is away and boot a CD/DVD/USB!
Ed,
Are you agreeing or disagreeing with my statement the UEFI allows booting of non-validatable CDs?
Greg
Tell me if I am wrong, but the secure boot job is to "protect" the computer AFTER it is run. So before, it depends on the UEFI (like BIOS) policy.
From Vojtěch Pavlík here: http://www.suse.com/blogs/uefi-secure-boot-details/
"There are two types of trusted users: (...) Second, anyone with physical access to the machine. A user with physical access can reboot the machine, and configure UEFI"
Dsant
participants (4)
- Dsant
- Greg Freemyer
- Jim Henderson
- M. Edward (Ed) Borasky