On Friday 10 August 2012 23:12:32 Greg Freemyer wrote:
On Fri, Aug 10, 2012 at 2:47 PM, M. Edward (Ed)
> On Fri, Aug 10, 2012 at 6:12 AM, Greg Freemyer
>> On Fri, Aug 10, 2012 at 8:59 AM, Greg
>>> On Fri, Aug 10, 2012 at 8:25 AM, Basil
10/08/12 19:44, Vojtech Pavlik wrote:
>> On Fri, 10 Aug 2012 18:59:26 +1000, Basil Chupin wrote:
>>> My question is: what would happen when one should use - as I did
>>> today - a bootable CD like System Rescue Disc? (I am guessing that
>>> if this were the openSUSE installation DVD then it would have some
>>> code in it which would allow it to boot without problems.)
>> The openSUSE installation DVD will of course boot, having all the
>> proper signatures that you needed to install the OS in the first
>> place. And it will be booting the kernel present on the DVD, which is
>> signed by the SUSE key.
>> In case you wanted to create your own rescue DVD that'd be booting
>> custom kernels, that'll be possible, too, using the same shim loader
>> you'll be able to enroll your MOK, or just use one if already present
>> on the system.
> Thank you for confirming what I suspected.
> My apologies for using the wrong name for the CD I mentioned above,
> however I was wondering how a bootable CD such as the SystemRescueCD
> which comes from systemrescuecd.org
), and similar
> bootable media, would boot under this UEFI process?
It was my impression that most UEFI bios solutions would not test CD
Forcing CD/DVD boot media to be signed with a well known key would end
the use of CD/DVD boot media for all but Microsoft I suspect.
(ie. How does the initial openSUSE install get on to a box if install
media doesn't have a way around the signing/validation rules.)
The same will also need to apply to USB boot media I hope.
This is exactly the easiest way for an attacker to compromise a system
that's not protected by a BIOS password or similar mechanism - walk up
to it when the owner is away and boot a CD/DVD/USB!
Are you agreeing or disagreeing with my statement the UEFI allows
booting of non-validatable CDs?
Tell me if I am wrong, but the secure boot job is to "protect" the computer
AFTER it is ran. So before, it depend of the UEFI (like Bios) policy.
from Vojtěch Pavlík here :
"There are two types of trusted users: (...)
Second, anyone with physical access to the machine. A user with physical
access can reboot the machine, and configure UEFI"
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org