On Wed, Jan 09, 2013 at 01:52:05PM +0100, Florian Weimer wrote: > It just occurred to me that this has zero chance of working because > an attacker can always take the already-signed boot path from the > F18 installer and use that to boot a modified F19 installation > image. We cannot retroactively add these checks to the F18 > installation images (or F18 installations). We could theoretically > revoke the signatures on the F18 binaries, but this would not go > well with our users.
I don't understand what you mean by "already-signed boot path", and I don't see how F18 has anything to do with this. > This is related to the lack of universally agreed-upon semantics for > Secure Boot. A Secure Boot signature does not mean that the image > is harmless to boot. I've recently raised this ambiguity on the > oss-security mailing list in the "Plug-and-wipe and Secure Boot > semantics" thread: If I have physical access to your system then I can just write my own keys directly into flash with an SPI programmer. That's never been the threat model. -- Matthew Garrett | mj...@srcf.ucam.org -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
