On Mon, Jun 25, 2012 at 10:41:17PM +0100, Matthew Garrett wrote:
> The benefits of signing purely a bootloader are minimal - bootloaders
> that load unsigned code will be perfectly willing to set up a secondary
> UEFI environment and then launch another bootloader that believes it's
> in a different security context. Even implementing a kexec equivalent
> that booted the Windows kernel from Linux wouldn't be terribly difficult
> (ReactOS has most of the necessary code already). It's not obvious that
> any security is gained at all.
That's all true. I do wonder, however, if the way Canonical chose is acceptable to Microsoft or not. Because I don't think the general Linux community cares about doubtful security benefits from kernel and module signing. People who want that could use TrustedGRUB[1]. What we do care about is getting Linux to run without much hassle. You seem to be arguing that we want to provide some sort of security to our users while we're at it. But the massive inconvenience for all sorts of Linux distributions (like Debian, which might only sign some bunch of unofficial images[2]) doesn't seem to be worth it, IMHO.

Kind regards
Philipp Kern

[1] Yeah, well, I read your point about TPMs not being in mainstream hardware. Let's ignore that. In theory that device was intended to be pushed to the mainstream, just like UEFI. We managed to avoid that, luckily, but you can make use of them, e.g. with Thinkpads. And buy machines that have it.
[2] Kernel signing cannot work sensibly with Debian's current infrastructure. I'm aware that Fedora's works differently within Red Hat's secure data centers.
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel