[Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?
a.nielsen at shikadi.net
Sun Aug 5 17:34:42 EST 2012
>> I also have questions around virtual bootloaders....
>> Will UEFI eventually be implemented in hypervisors?
> I had the impression that someone had already written such support for testing
> UEFI booting. But in terms of actual use, why bother? With Xen or KVM you
> can boot a kernel that's stored outside the virtual machine environment. In
> that case any trojan running in the VM can't attack it and any trojan that can
> attack it can probably do something worse than just attacking one VM.
I thought the long-term idea behind Secure Boot was that once the OS kernel is
secure, it can enforce the signing of applications too. Unlike now, there
would be no way to circumvent this by patching the kernel to allow unsigned
applications to run, as then the kernel wouldn't be allowed to boot. If your
application hasn't been signed, you can't run it.
From there it would be a simple matter to require all VM software to only
boot correctly signed kernels within the VM, or MS won't sign the VM
application. Thus if (when?) this day arrives, you won't be able to boot an
unsigned Linux kernel on your PC at all, not even in a VM...
More information about the linux-aus