On Mon, Jun 25, 2012 at 10:41:17PM +0100, Matthew Garrett wrote:
> The benefits of signing purely a bootloader are minimal - bootloaders 
> that load unsigned code will be perfectly willing to set up a secondary 
> UEFI environment and then launch another bootloader that believes it's 
> in a different security context. Even implementing a kexec equivalent 
> that booted the Windows kernel from Linux wouldn't be terribly difficult 
> (ReactOS has most of the necessary code already). It's not obvious that 
> any security is gained at all.

That's all true. I do wonder, however, if the way Canonical chose is
acceptable to Microsoft or not. Because I don't think the general Linux
community cares about doubtful security benefits from kernel and module
signing. People who want that could use TrustedGRUB[1].

What we do care about is getting Linux to run without much hassle. You
seem to be arguing that we want to provide some sort of security to our
users while we're at it. But the massive inconvenience for all sorts of
Linux distributions (like Debian, which might only sign some bunch of
unofficial images[2]) doesn't seem to be worth it, IMHO.

Kind regards
Philipp Kern

[1] Yeah, well, I read your point about TPMs not being in mainstream hardware.
    Let's ignore that. In theory that device was intended to be pushed to
    the mainstream, just like UEFI. We managed to avoid that, luckily, but
    you can make use of them, e.g. with Thinkpads. And buy machines that
    have it.
[2] Kernel signing cannot work sensibly with Debian's current
    infrastructure. I'm aware that Fedora's works differently within
    RedHat's secure data centers.
