On Fri, Aug 10, 2012 at 2:47 PM, M. Edward (Ed) Borasky wrote:

On Fri, Aug 10, 2012 at 6:12 AM, Greg Freemyer wrote:

...

On Fri, Aug 10, 2012 at 8:59 AM, Greg Freemyer wrote:

...

On Fri, Aug 10, 2012 at 8:25 AM, Basil Chupin wrote:

...

On 10/08/12 19:44, Vojtech Pavlik wrote:

...

On Fri, 10 Aug 2012 18:59:26 +1000, Basil Chupin wrote:

...

My question is: what would happen when one should use - as I did today - a bootable CD like System Rescue Disc? (I am guessing that if this were the openSUSE installation DVD then it would have some code in it which would allow it to boot without problems.)

The openSUSE installation DVD will of course boot, having all the proper signatures that you needed to install the OS in the first place. And it will be booting the kernel present on the DVD, which is signed by the SUSE key.

In case you wanted to create your own rescue DVD that'd be booting custom kernels, that'll be possible, too, using the same shim loader you'll be able to enroll your MOK, or just use one if already present on the system.

Thank you for confirming what I suspected.

My apologies for using the wrong name for the CD I mentioned above, however I was wondering how a bootable CD such as the SystemRescueCD which comes from systemrescuecd.org (http://www.sysresccd.org/SystemRescueCd_Homepage), and similar bootable media, would boot under this UEFI process?

BC

It was my impression that most UEFI bios solutions would not test CD boot media.

Forcing CD/DVD boot media to be signed with a well known key would end the use of CD/DVD boot media for all but Microsoft I suspect.

(ie. How does the initial openSUSE install get on to a box if install media doesn't have a way around the signing/validation rules.)

The same will also need to apply to USB boot media I hope.

Greg

This is exactly the easiest way for an attacker to compromise a system that's not protected by a BIOS password or similar mechanism - walk up to it when the owner is away and boot a CD/DVD/USB!

Ed, Are you agreeing or disagreeing with my statement the UEFI allows booting of non-validatable CDs? I don't see how openSUSE could install the UEFI boot loader tools in the first place if that is not true. Greg -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On Friday 10 August 2012 23:12:32 Greg Freemyer wrote:

On Fri, Aug 10, 2012 at 2:47 PM, M. Edward (Ed) Borasky wrote:

...

On Fri, Aug 10, 2012 at 6:12 AM, Greg Freemyer wrote:

...

On Fri, Aug 10, 2012 at 8:59 AM, Greg Freemyer wrote:

...

On Fri, Aug 10, 2012 at 8:25 AM, Basil Chupin wrote:

...

On 10/08/12 19:44, Vojtech Pavlik wrote:

...

On Fri, 10 Aug 2012 18:59:26 +1000, Basil Chupin wrote: > My question is: what would happen when one should use - as I did > today - a bootable CD like System Rescue Disc? (I am guessing that > if this were the openSUSE installation DVD then it would have some > code in it which would allow it to boot without problems.)

The openSUSE installation DVD will of course boot, having all the proper signatures that you needed to install the OS in the first place. And it will be booting the kernel present on the DVD, which is signed by the SUSE key.

In case you wanted to create your own rescue DVD that'd be booting custom kernels, that'll be possible, too, using the same shim loader you'll be able to enroll your MOK, or just use one if already present on the system.

Thank you for confirming what I suspected.

My apologies for using the wrong name for the CD I mentioned above, however I was wondering how a bootable CD such as the SystemRescueCD which comes from systemrescuecd.org (http://www.sysresccd.org/SystemRescueCd_Homepage), and similar bootable media, would boot under this UEFI process?

BC

It was my impression that most UEFI bios solutions would not test CD boot media.

Forcing CD/DVD boot media to be signed with a well known key would end the use of CD/DVD boot media for all but Microsoft I suspect.

(ie. How does the initial openSUSE install get on to a box if install media doesn't have a way around the signing/validation rules.)

The same will also need to apply to USB boot media I hope.

Greg

This is exactly the easiest way for an attacker to compromise a system that's not protected by a BIOS password or similar mechanism - walk up to it when the owner is away and boot a CD/DVD/USB!

Ed,

Are you agreeing or disagreeing with my statement the UEFI allows booting of non-validatable CDs?

Greg

Tell me if I am wrong, but the secure boot job is to "protect" the computer AFTER it is ran. So before, it depend of the UEFI (like Bios) policy. from Vojtěch Pavlík here : http://www.suse.com/blogs/uefi-secure-boot-details/ "There are two types of trusted users: (...) Second, anyone with physical access to the machine. A user with physical access can reboot the machine, and configure UEFI" Dsant -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org