Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Disabling UEFI and dual booting Linux and Windows



Rich Pieri wrote:
> Garrett's shim builds on SuSE's first stage UEFI boot loader...

Presumably, then, this boot loader has been signed with a Microsoft
issued key that SUSE obtained, right?


> ...adding a user-managed key store to the boot sequence. Put shim
> into your boot sequence. Sign your second stage loader with your own
> key, let shim store that key in its key store.
>
> This is actually better than what I'd originally described here some
> months back because it lets you retain a signed trust chain all the
> way up the boot sequence.

As opposed to a boot loader that simply lets you chain to any arbitrary,
unsigned OS loader?

I get how the running shim can present an obvious user prompt to load
keys, but I'm not following how this shim can guard against its key
store from being modified by malicious code. As long as they key store
is not being signed by a third party using a private key, malware should
be able to just inject its own key.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org