Mailinglist Archive: opensuse-project (240 mails)

< Previous Next >
Re: Fwd: Re: [opensuse-project] UEFI Secure Boot
On Friday 10 August 2012 23:12:32 Greg Freemyer wrote:
On Fri, Aug 10, 2012 at 2:47 PM, M. Edward (Ed) Borasky <znmeb@xxxxxxxxx>
wrote:
On Fri, Aug 10, 2012 at 6:12 AM, Greg Freemyer <greg.freemyer@xxxxxxxxx>
wrote:
On Fri, Aug 10, 2012 at 8:59 AM, Greg Freemyer <greg.freemyer@xxxxxxxxx>
wrote:
On Fri, Aug 10, 2012 at 8:25 AM, Basil Chupin <blchupin@xxxxxxxxxxxx>
wrote:
On 10/08/12 19:44, Vojtech Pavlik wrote:
On Fri, 10 Aug 2012 18:59:26 +1000, Basil Chupin wrote:
My question is: what would happen when one should use - as I did
today - a bootable CD like System Rescue Disc? (I am guessing that
if this were the openSUSE installation DVD then it would have some
code in it which would allow it to boot without problems.)

The openSUSE installation DVD will of course boot, having all the
proper signatures that you needed to install the OS in the first
place. And it will be booting the kernel present on the DVD, which is
signed by the SUSE key.

In case you wanted to create your own rescue DVD that'd be booting
custom kernels, that'll be possible, too, using the same shim loader
you'll be able to enroll your MOK, or just use one if already present
on the system.

Thank you for confirming what I suspected.

My apologies for using the wrong name for the CD I mentioned above,
however I was wondering how a bootable CD such as the SystemRescueCD
which comes from systemrescuecd.org
(http://www.sysresccd.org/SystemRescueCd_Homepage), and similar
bootable media, would boot under this UEFI process?


BC

It was my impression that most UEFI bios solutions would not test CD
boot media.

Forcing CD/DVD boot media to be signed with a well known key would end
the use of CD/DVD boot media for all but Microsoft I suspect.

(ie. How does the initial openSUSE install get on to a box if install
media doesn't have a way around the signing/validation rules.)

The same will also need to apply to USB boot media I hope.

Greg

This is exactly the easiest way for an attacker to compromise a system
that's not protected by a BIOS password or similar mechanism - walk up
to it when the owner is away and boot a CD/DVD/USB!

Ed,

Are you agreeing or disagreeing with my statement the UEFI allows
booting of non-validatable CDs?

Greg

Tell me if I am wrong, but the secure boot job is to "protect" the computer
AFTER it is ran. So before, it depend of the UEFI (like Bios) policy.

from Vojtěch Pavlík here :
http://www.suse.com/blogs/uefi-secure-boot-details/
"There are two types of trusted users: (...)
Second, anyone with physical access to the machine. A user with physical
access can reboot the machine, and configure UEFI"

Dsant
--
To unsubscribe, e-mail: opensuse-project+unsubscribe@xxxxxxxxxxxx
To contact the owner, email: opensuse-project+owner@xxxxxxxxxxxx

< Previous Next >