Language Selection

English French German Italian Portuguese Spanish

Why UEFI secure boot is difficult for Linux

Filed under
Linux

I wrote about the technical details of supporting the UEFI secure boot specification with Linux. Despite me pretty clearly saying that this was ignoring issues of licensing and key distribution and the like, people are now using it to claim that Linux could support secure boot with minimal effort. In a sense, they're right. The technical implementation details are fairly straightforward. But they're not the difficult bit.

Secure boot requires that all code that can touch hardware be trusted

Right now, if you can run unstrusted code before the OS then you can subvert the OS. Secure boot gives you a mechanism for making sure you only run trusted code, which protects against that. So your UEFI drivers have to be signed, your bootloader has to be signed, and your bootloader must only load a signed kernel. If you've only booted trusted code then you know that your OS is safe. But, unlike trusted boot, secure boot provides no way for you to know that only trusted code was executed. That has to be ensured by OS policy.

Rest here




More in Tux Machines

MBARI testing the waters with open source camera

“There is a movement to have open source oceanographic equipment,” said Chad Kecy, lead designer and MBARI engineer. “Anyone could take our designs and modify them for specific needs they have. It’s just a less expensive and easier way of getting cameras in the water.” Read more

Fixing unperceived errors in my X Windows configuration

Last week I decided to bite the bullet and upgrade X Windows to the latest version available in the main Portage tree. After rebooting, X Windows, GLX and Direct Rendering worked fine as usual. So everything was good. Well, not quite. Although the installation was working properly, there were still some long-standing messages in the X.Org log file that indicated my installation was not configured completely correctly. I had ignored them for too long and resolved to find their causes and eliminate them. Here is what I did.

Read more

Leftovers: Software

  • Ekiga 5 – Progress Report
    Ekiga 5 has progressed a lot lately. OpenHUB is reportin a High Activity for the project. The main reason behind this is that I am again dedicating much of my spare time to the project. Unfortunately, we are again facing a lack of contributions. Most probably (among others) because the project has been silent during several years.
  • Calibre Gets a New Tool to Better Edit eBooks
    The Calibre eBook reader, editor, and library management software has been upgraded to version 2.17 and is now available for download. The developer has only implemented a couple of new features, but it's really worth the update if you are using this application to edit eBooks.
  • More Windows Apps and Games Now Work with Wine 1.7.35, EA's Origin Included
    Wine 1.7.35 has been released and the developers have made a number of improvements for some of the core components and they've added support for more apps and games.

today's howtos