>On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote:
>> >I am assuming that unlike the old days when I used to boot Linux on
>> >PCs using a floppy with SmartBootManager, now we'll need to generate
>> >some key/hash for our freshly compiled kernel, then add it to the
>> >BIOS firmware and flash the BIOS with it before we are able to boot
>> >into it?
>> >
>> >Is it more complicated than that?
>>
>> how are you going to write to the bios if it doesn't let you?
>>
>> maybe you are determined enough to manually flash the chip every time
>> you update grub but i think that's a buzzkill for >90% of the users ;)
>
>Eerhm...
>If Grub is the bootloader, wouldn't we just need to have a "signed"
>version of Grub?
depends if we are talking about hashes being saved in the bios or signatures being checked by the bios. hashes would have to be written to the bios every time the binary of the bootloader changes. signatures would have to be renewed every time the binary changes. this is even worse because you will most likely need the some private key to do that which you will not get your hands on. if anyone can create the signature, it's pointless. so you would have to rely on your bios vendor to sign every possible binary of the bootloader. and then you're still locked out.
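
The difference between the two schemes described in the reply above, as an added example that is not part of the original thread: a toy Python model in which one firmware stores bootloader hashes and another stores only a vendor public key. The class names, the sample binaries and the textbook-RSA key built from two public Mersenne primes are assumptions made for illustration and are not secure.

```python
import hashlib

# Toy textbook RSA from two publicly known Mersenne primes, no padding.
# Illustration only: anyone can factor N, so this key protects nothing.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the vendor

def digest(binary: bytes) -> int:
    """SHA-256 of the bootloader image as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(binary).digest(), "big")

def vendor_sign(binary: bytes) -> int:
    """Needs D, so only the holder of the private key can produce this."""
    return pow(digest(binary), D, N)

class HashFirmware:
    """Hypothetical firmware that stores a list of allowed bootloader hashes."""
    def __init__(self):
        self.allowed = set()

    def flash(self, binary: bytes) -> None:
        # Stands in for rewriting the BIOS with a new hash.
        self.allowed.add(digest(binary))

    def boots(self, binary: bytes) -> bool:
        return digest(binary) in self.allowed

class SigFirmware:
    """Hypothetical firmware that stores only the vendor public key (N, E)."""
    def boots(self, binary: bytes, signature: int) -> bool:
        return pow(signature, E, N) == digest(binary)

def demo() -> dict:
    # Constructed sample "binaries" standing in for two builds of the bootloader.
    old, new = b"grub build 1 (constructed)", b"grub build 2 (constructed)"
    hfw, sfw = HashFirmware(), SigFirmware()
    hfw.flash(old)
    sig_old = vendor_sign(old)
    return {
        "hash_old": hfw.boots(old),                      # flashed hash matches
        "hash_new_unflashed": hfw.boots(new),            # rebuilt binary: no match
        "sig_old": sfw.boots(old, sig_old),              # vendor-signed build
        "sig_new_reusing_old_sig": sfw.boots(new, sig_old),
        "sig_new_vendor_signed": sfw.boots(new, vendor_sign(new)),
    }
```

In the hash model every rebuild needs another `flash()`; in the signature model the firmware never changes, but every rebuild needs another `vendor_sign()`, which requires the private exponent.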