Nice proposed solution to the issues involved, I like it.
Now it's Vojtech's turn to talk about Secure Boot in .
17 plus ones
Shared publicly•View activity
- Additional layers of indirection FTW!Aug 9, 2012
- Uh I didn't notice that was from Vojtech — I start to feel old, I think it was to him that I first reported a bug/missing feature in the kernel ... don't remember how many years ago!Aug 9, 2012
- How many motherboards will ignore the spec and simply not provide a way to change the keys without flashing a new firmware image and how will keys be revoked once they've leaked?Aug 10, 2012
- Greg, do you know if any HW vendors have already committed to carrying the SUSE signing key (or Ubuntu/Fedora/WhateverDistro key, for that matter) on their hardware besides the Microsoft signing key?Aug 10, 2012
- why do we need such a convoluted boot process? And how comes that manufacturers and software vendors tolerate this scheme from microsoft? It's no better than tattooed bioses!Aug 10, 2012
- Me likes it, too. Simplifies things for the end-user, which is a good thing. :)Aug 10, 2012
- ""An important aspect to remember is that all of this happens during boot time, only verified code is executing now. Therefore, only a user present at the console can say, “I want to use my own set of keys.” It can’t be malware or a hacker with remote access to the OS because hackers or malware can only change the file, but not the hash stored in the “Boot Services Only” variable.""
okay... but... IP KVM? ILO? IBM Service Processor?Aug 10, 2012
- why don't we just sign grub2? (why does grub2 need to have a stack of modules to get corrupt? Why can't I have a statically linked grub2? I almost never need to upgrade grub2...)Aug 10, 2012