
Supporting third-party keys in a Secure Boot world


It's fairly straightforward to boot a UEFI Secure Boot system using something like Shim or the Linux Foundation's loader, and for distributions using either the LF loader or the generic version of Shim that's pretty much all you need to care about. The physically-present end user has had to explicitly install new keys or hashes, and that means that you no longer need to care about Microsoft's security policies or (assuming there are no exploitable flaws in the bootloader itself) fear any kind of revocation.

But what if you're a distribution that cares about booting without the user having to install keys? There are several reasons to want that (convenience for naive users, ability to netboot, that kind of thing), but it has the downside that your system can now be used as an attack vector against other operating systems. Do you care about that? It depends how you weigh the risks. First, someone would have to use your system to attack another. Second, Microsoft would have to care enough to revoke your signature.




