Hello

> > If you are worried that somebody who has
> > compromised your OS remotely will hack your bootloader, then
> > reconsider their motives: They are already on a running host OS
> > as root and can look inside your encrypted disk volumes too -
> > you have lost already.
>
> Secureboot is there to prevent someone who has root access from installing a
> rootkit. (see above) "Looking inside" is bad enough, and kernel signing
> won't prevent a Wordpress security flaw from letting them in. It keeps
> them from compromising the kernel, the tool you rely on to see they are
> there.
>
Once root is compromised, the game is over. That is axiomatic. An attacker with root can get userspace to lie to you too. A keylogger can be written in userspace using evdev. Once a bad guy has root on a system that contains confidential information, you assume that information is compromised. You re-install (or re-sell), you don't reboot.

More importantly: If you want to build your own kernel, you need to have the private key to sign it. Unless you compile this kernel on a different system *and* transfer it across using a mechanism which prevents a bad guy from hopping into your build system (e.g., no ssh, and Stuxnet showed that USB isn't 100% safe either) you have been totally compromised.

That is what makes the secure boot infrastructure so useful for third parties who wish to control you: You are not authorised to access their build system, so they get to distribute a kernel to you that they know you can't circumvent. Secureboot is designed for them, not for you.

You might come up with a really exotic use case, where it might help you. But if you look at it carefully enough, it relies on secureboot redefining root to something weaker than what we want, and running some complex infrastructure which you are unaware of behind it. If you want a weak root, run a virtual machine instead.

regards

marc

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng