Mailinglist Archive: opensuse-project (240 mails)

Re: [opensuse-project] UEFI Secure Boot
On Thu, Aug 9, 2012 at 4:41 PM, Andreas Jaeger <aj@xxxxxxxx> wrote:

> Let’s call them “Machine Owner Keys” or MOKs for short.
>
> The second is the so-called “Boot Services Only Variables.” These variables are
> accessible to any code that runs during the boot process. After the boot
> ends and before the OS starts, the bootloader must call ExitBootServices().
> After that, these variables are no longer accessible; the OS can’t touch them.
>
> An important aspect to remember is that all of this happens during boot time,
> when verified code is executing. Therefore, only a user present at the console
> can say, “I want to use my own set of keys.” It can’t be malware or a hacker with
> access to the OS, because hackers or malware can only change the file, but not
> the hash stored in the “Boot Services Only” variable.

I want to make sure I understand.

So, if I'm compiling code on my own box I install a MOK validation key
via the console (prior to the ExitBootServices() call) and I use my
MOK signing key to sign any kernels I build.

That seems easy enough.

But what if I want to compile a kernel for a physically remote
computer, what do I do?

I'm thinking of the situation of a rented 1u (or similar) box far from
my location. I've rented those before that I could have the provider
dump a default OS (opensuse/SUSE, fedora/Redhat) on and then I take it
from there.

As part of the provisioning process, does the provider now need to
create a MOK for that machine and install it, then give me the signing
cert so I can build kernels for the box?

Will the same thing be true of a Redhat provisioned remote server?

If all of Linux has a similar provisioning scheme, it should fly. If
the openSUSE/SUSE provisioning scheme is unique, I suspect a lot of
non-compliance on the part of remote server providers.
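The MOK workflow the reply sketches, written out as an added example (not code from this thread or from openSUSE; it assumes openssl, the sbsign/sbverify commands from sbsigntools and shim's mokutil, tools that post-date this discussion):

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed tools: openssl, sbsign/sbverify
# (sbsigntools) and mokutil (shim). Only the enrollment step must happen on the target box.
set -eu

# Step 1: create the owner's key pair. MOK.key stays with whoever builds kernels;
# MOK.der (the certificate alone) is what gets enrolled into the firmware's MOK list.
make_mok_key() {
    dir="$1"
    mkdir -p "$dir"
    ( umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
          -subj "/CN=Machine Owner Key (example)" \
          -keyout "$dir/MOK.key" -out "$dir/MOK.pem" 2>/dev/null )
    openssl x509 -in "$dir/MOK.pem" -outform DER -out "$dir/MOK.der"
    [ -s "$dir/MOK.key" ] && [ -s "$dir/MOK.der" ]
}

# Step 2: sign a kernel image with the private key. This needs no console or
# firmware access, so it can run on a build box far away from the server.
sign_kernel() {
    dir="$1"; kernel="$2"
    sbsign --key "$dir/MOK.key" --cert "$dir/MOK.pem" --output "$kernel.signed" "$kernel"
    sbverify --cert "$dir/MOK.pem" "$kernel.signed"
}

# Step 3: stage an enrollment request. mokutil records the certificate and a
# one-time password in an EFI variable; shim's MokManager asks for that password
# at the console on the next boot and only then updates the real MOK list, which
# the running OS cannot modify. For a rented server that reboot needs a
# KVM/IPMI console session, which is exactly the provisioning gap raised above.
request_enrollment() {
    mokutil --import "$1/MOK.der"
}

# Step 4 (after the reboot): confirm the certificate made it into the MOK list.
mok_enrolled() {
    mokutil --test-key "$1/MOK.der" 2>/dev/null | grep -q 'already enrolled'
}

# Usage on the target box:
#   make_mok_key /root/mok; sign_kernel /root/mok /boot/vmlinuz
#   request_enrollment /root/mok; reboot; mok_enrolled /root/mok
```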
