Language Selection

English French German Italian Portuguese Spanish

Why UEFI secure boot is difficult for Linux

Filed under

I wrote about the technical details of supporting the UEFI secure boot specification with Linux. Despite me pretty clearly saying that this was ignoring issues of licensing and key distribution and the like, people are now using it to claim that Linux could support secure boot with minimal effort. In a sense, they're right. The technical implementation details are fairly straightforward. But they're not the difficult bit.

Secure boot requires that all code that can touch hardware be trusted

Right now, if you can run unstrusted code before the OS then you can subvert the OS. Secure boot gives you a mechanism for making sure you only run trusted code, which protects against that. So your UEFI drivers have to be signed, your bootloader has to be signed, and your bootloader must only load a signed kernel. If you've only booted trusted code then you know that your OS is safe. But, unlike trusted boot, secure boot provides no way for you to know that only trusted code was executed. That has to be ensured by OS policy.

Rest here

More in Tux Machines

Linux Devices

Linux Graphics

Fedora News

  • The Bugs So Far Potentially Blocking The Fedora 25 Release
    Adam Williamson of the Fedora QA team has sent out a list of the bugs currently outstanding that could block the Fedora 25 release from happening on its current schedule should they not be fixed in time.
  • Updated Fedora 24 ISO Respins Now Available with Dirty COW-Patched Linux Kernel
    It looks like a new set of updated Live ISO images for the Fedora 24 GNU/Linux operating system were published by Ben Williams, founder of the Fedora Unity Project and a Fedora Ambassador. Dubbed F24-20161023, the updated Live ISOs a few days ago and include up-to-date components from the official Fedora 24 Linux software repositories, with which was fully syncronized as of October 23, 2016. Of course, this means that they also include the latest Linux kernel update fully patched against the "Dirty COW" bug.
  • PHP version 5.6.28RC1 and 7.0.13RC1
  • Flock Stories 2016, Episode 1: Redon Skikuli
    Flock Stories by Chris WardIf you were wondering where Flock 2018 might be, today’s guest Redon Skikuli might just have your answer! Redon is not just a Fedora community contributor, he’s a Fedora community creator. I ask Redon what he’s up to these days and why he thinks we should also consider joining future Flocks.

New KNOPPIX Release, LibreOffice 5.1.6, Rosa Down

In Linux news today KNOPPIX 7.7.1 was released to the public based on Debian with GNOME 3.22, KDE 5.7.2, and "Everything 3D." The Rosa project is experiencing network issues and folks may experience problems trying to connect to their services the next few days. LibreOffice 5.1.6 was announced today by The Document Foundation, the sixth update to the Still branch for stable users, and a new vulnerability was disclosed in GNU Tar. Read more