
BLU Discuss list archive


[Discuss] Disabling UEFI and dual booting Linux and Windows

On Fri, 07 Dec 2012 21:47:17 -0500
Tom Metro <tmetro+blu at> wrote:

> Presumably, then, this boot loader has been signed with a Microsoft
> issued key that SUSE obtained, right?

More info in the link below.

> As opposed to a boot loader that simply lets you chain to any
> arbitrary, unsigned OS loader?

Yes, but if you're doing that then you should just turn UEFI Secure
Boot off. There's no point to having it enabled if you don't use a
signed second-stage loader and kernel and whatever else.

> I get how the running shim can present an obvious user prompt to load
> keys, but I'm not following how this shim can guard against its key
> store from being modified by malicious code.

Assuming that UEFI security is working correctly then the only way for
malware to inject its own key is for you to reboot, interrupt the boot
sequence while in boot services mode, and install the malware's key in
your MOK list.

Rich P.
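
An added example, not part of the original message: the reply's point that the MOK list can only be changed in boot services mode comes down to UEFI variable attribute bits, which this sketch decodes from the 4-byte attribute word that Linux efivarfs puts in front of each variable's data. The sample blobs are constructed, and the attribute values given for MokList and MokListRT are assumptions about how shim stores them; ExampleSetting is a hypothetical variable.

```python
import struct

# UEFI variable attribute bits, as defined in the UEFI specification.
NON_VOLATILE = 0x1
BOOTSERVICE_ACCESS = 0x2
RUNTIME_ACCESS = 0x4


def parse_efivarfs(blob):
    """Split an efivarfs-style blob: 4-byte little-endian attributes, then data."""
    if len(blob) < 4:
        raise ValueError("too short to hold the attribute word")
    (attrs,) = struct.unpack_from("<I", blob)
    return attrs, blob[4:]


def classify(attrs):
    """Return (visible_to_os, writable_by_os) once ExitBootServices() has run."""
    visible = bool(attrs & RUNTIME_ACCESS)
    # A runtime-accessible but volatile variable is read-only at runtime,
    # so an OS-level write needs both RUNTIME_ACCESS and NON_VOLATILE.
    # (Authenticated-write requirements are ignored in this sketch.)
    writable = visible and bool(attrs & NON_VOLATILE)
    return visible, writable


# Constructed samples. Attribute values are assumptions; a variable without
# RUNTIME_ACCESS would not be listed by efivarfs at all, it is shown here
# only so the three cases can be compared side by side.
SAMPLES = {
    "MokList": struct.pack("<I", NON_VOLATILE | BOOTSERVICE_ACCESS) + b"<keys>",
    "MokListRT": struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS) + b"<keys>",
    "ExampleSetting": struct.pack(
        "<I", NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS) + b"\x01",
}


def report(samples=SAMPLES):
    """Map each variable name to (visible_to_os, writable_by_os)."""
    return {name: classify(parse_efivarfs(blob)[0]) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (visible, writable) in report().items():
        print(f"{name:15} visible_to_os={visible} writable_by_os={writable}")
```

Under these assumptions the persistent list is out of reach of a running OS, and the runtime copy can be read but not changed, which leaves the pre-boot enrollment step as the only place a key can be added.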

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
