Supporting third-party keys in a Secure Boot world

Filed under
Linux

It's fairly straightforward to boot a UEFI Secure Boot system using something like Shim or the Linux Foundation's loader, and for distributions using either the LF loader or the generic version of Shim that's pretty much all you need to care about. The physically-present end user has had to explicitly install new keys or hashes, and that means that you no longer need to care about Microsoft's security policies or (assuming there are no exploitable flaws in the bootloader itself) fear any kind of revocation.
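
The "keys or hashes" the user enrolls end up as EFI_SIGNATURE_LIST structures in the firmware's db/dbx variables and in MokListRT. The parser below is an added example of mine (not code from the post, Shim or the LF loader) that enumerates those entries so you can see what a machine actually trusts; the owner GUID and sample entries are constructed, and the 4-byte attribute prefix it optionally skips is what efivarfs prepends to variable data.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
KINDS = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

def parse_signature_lists(blob, efivarfs=False):
    """Walk concatenated EFI_SIGNATURE_LIST structures (format of db, dbx,
    MokListRT) and return (kind, owner_guid, data) tuples. Files under
    /sys/firmware/efi/efivars/ carry a 4-byte attribute prefix; efivarfs=True skips it."""
    if efivarfs:
        blob = blob[4:]
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Bounds checks: a bad size must not make the loop run off the end or spin.
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):  # each entry: owner GUID + data
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((KINDS.get(sig_type, str(sig_type)), str(owner), body[i + 16:i + sig_size]))
        off += list_size
    return entries

def build_signature_list(sig_type, owner, sigs):
    """Build one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body

# Constructed sample: one SHA-256 hash entry (what hash enrollment adds) and one
# DER-looking blob standing in for an X.509 certificate. Owner GUID is a placeholder.
OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")
SAMPLE = (build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(range(32))])
          + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82\x01\x00" + b"\x00" * 8]))

if __name__ == "__main__":
    for kind, owner, data in parse_signature_lists(SAMPLE):
        print(kind, owner, data[:8].hex())
```

On a real system the same function can be pointed at the bytes of MokListRT or db read from efivarfs with efivarfs=True.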

But what if you're a distribution that cares about booting without the user having to install keys? There are several reasons to want that (convenience for naive users, the ability to netboot, that kind of thing), but it has the downside that your system can now be used as an attack vector against other operating systems. Do you care about that? It depends how you weigh the risks. First, someone would have to use your system to attack another. Second, Microsoft would have to care enough to revoke your signature.

rest here
