oss-sec mailing list archives

Re: Plug-and-wipe and Secure Boot semantics
From: Greg KH <greg () kroah com>
Date: Tue, 18 Dec 2012 06:41:34 -0800

On Tue, Dec 18, 2012 at 01:46:47PM +0100, Florian Weimer wrote:
> Some UEFI machines seem to boot from USB by default, without any
> prompting, probably assuming that a signed boot loader cannot cause
> any damage.

Specific model name(s) please?

> Most signed Linux boot loaders only verify the kernel (and,
> indirectly, code that's loaded into the kernel), but not the
> initrd contents.

Given that there is only one public signed Linux boot loader, saying
"most" is a bit odd here :)

> (This isn't possible because initrds are system-specific and thus
> cannot be signed in general.  Recovery images signed by system
> manufacturers likely have similar issues.) As a result, the signed
> loader might start something that wipes the hard disk or uploads its
> contents somewhere
>
> I'm wondering if this is a problem.  I haven't investigated boot
> order defaults for legacy systems, so I don't know if this
> plug-and-wipe issue is a regression.  In the end, this boils down to
> what Secure Boot means, semantically.

UEFI Secure Boot really doesn't care about the kernel or the OS at all,
all it is there for is to protect the bootloader and the BIOS.  The fact
that some operating systems take that chain-of-trust and extend it
beyond the BIOS is up to them, and the fact that some UEFI signing
authorities might impose more restrictions on the binaries that they
sign is also up to them, and not part of the UEFI specification or
requirements.

Having a signed USB image boot properly if it is installed seems to be
the correct thing to me, but, in my testing, has not been the default on
the hardware that I have access to.  It would be great to find out what
hardware you are seeing this on as I am helping to get Linux working
properly on UEFI machines these days.

thanks,

greg k-h

