On Mon, Feb 25, 2013 at 03:28:32PM +0100, Florian Weimer wrote: > But what puzzles me most is why anyone would assume that the UEFI > application signing process somehow ensures that the embedded > certificate is non-malicious. We cannot even track it back to the > submitter because the third-pary market place UEFI authority only > issues pseudonymous proxy certificates. This utterly useless for any > purpose whatsoever, with the notable exception of avoding one > additional step when setting up a dual-boot machine (which will not > even work reliably until we switch to overwriting the Windows boot > loader, like in the pre-UEFI days).
If your firmware trusts objects signed by Microsoft, you have to assume that objects signed by Microsoft are trustworthy. There's no way to build a security model otherwise. Are Microsoft trustworthy? We don't know. If you don't trust Microsoft, remove their key from db. > Seriously, folks, can we go back one step and discuss what problem you > are trying to solve? Is it about allowing third-party kernel modules > in an environment which does not allow unsigned ring 0 code execution? The problem I'm trying to solve is "Don't permit Linux to be used as a bootloader for backdoored versions of other operating systems". Any other security benefit is a happy side effect. -- Matthew Garrett | mj...@srcf.ucam.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
