Mailinglist Archive: opensuse-security (22 mails)

< Previous Next >
Re: [opensuse-security] signing custom kernel for secure boot
Am 29.03.2017 um 14:46 schrieb Anton Aylward:

(snip) What actual
protection does a 'secure boot' bring when compared to, say, an encrypted
and how complex are each to implement?

I do not disagree with any point you made ;-) Luks and encfs are tools I
use each day.
Oh, I´d also consider to encrypt /tmp and /var.

Secure boot in the first place is a play field for me to learn about it.
But, do not underestimate it. A remote attacker could very well be able
to reboot your machine with his own malicious kernel, if he gains the
necessary rights he does not need to sit in front of your machine. Ok,
before doing that, he has tried many other things before. Inhibiting
loading malicious kernel modules may be much more important and can be
done without secure boot.

And secure boot has one interesting feature, it can store a list of
hashes in its db key store. This way you can ensure certain important
apps have not been tampered with, not only boot loaders. I think this
feature is even more interesting than signing boot loaders.

Imagine, you protect important system apps or files with hashes that are
stored in your system hardware, an attacker will have a hard time to
replace them with malicious code. This feature sound very very
interesting to me.


To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx

< Previous Next >
List Navigation
This Thread