Es-ce (hormis là où l'on peut encore mettre ce mode "off" dans le BIOS) LA
parade de la Linux Foundation contre l'UEFI et ses (dé)limitations ?
Le "present user"-test (cf. info) sera-t-il utilisable sans intervention
nécessitant par ex. une quelconque action impossible à effectuer par une
personne dv ?
URL:
http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source
Linux Foundation UEFI Secure Boot System for Open Source
By James Bottomley - October 10, 2012 - 1:53pm
Guest post from James Bottomley, Linux Foundation Technical Advisory
Board
I'm pleased to announce that the [*]Linux Foundation and its
[*]Technical Advisory Board have produced a plan to enable the Linux
(and indeed all Open Source based distributions) to continue operating
as Secure Boot enabled systems roll out. In a nutshell, the Linux
Foundation will obtain a Microsoft Key and sign a small pre-bootloader
which will, in turn, chain load (without any form of signature check) a
predesignated boot loader which will, in turn, boot Linux (or any other
operating system). The pre-bootloader will employ a “present user” test
to ensure that it cannot be used as a vector for any type of UEFI
malware to target secure systems. This pre-bootloader can be used
either to boot a CD/DVD installer or LiveCD distribution or even boot
an installed operating system in secure mode for any distribution that
chooses to use it. The process of obtaining a Microsoft signature will
take a while, but once it is complete, the pre-bootloader will be
placed on the Linux Foundation website for anyone to download and make
use of.
Philosophy Behind this Announcement
The Linux Foundation is committed to giving users freedom of choice on
their platforms. Conforming to this stance, we have already published
a variety of tools to permit users to take control of their secure boot
platforms by replacing the Platform Key and managing (or replacing) the
installed Key Exchange Keys [*]here. However, as one of the enablers
of the Linux ecosystem, the Foundation recognizes that not everyone is
willing (or able) to do this so it was also necessary to find a
solution that would enable people to continue to try out Linux and
other Open Source Operating Systems in spite of the barriers UEFI
Secure boot would place in their way and without requiring that they
understand how to take control of their platforms. Therefore, we also
formulated a technical plan, which is implemented in this
pre-bootloader, to allow distributions to continue functioning in a
secure boot environment.
The current pre-bootloader is designed as an enabler only in that, by
breaking the security verification chain at the actual bootloader, it
provides no security enhancements over booting linux with UEFI secure
boot turned off. Its sole purpose is to allow Linux to continue to
boot on platforms that come by default with secure boot enabled. The
Linux Foundation welcomes efforts by some of the major distributions
(e.g. [*]Fedora, [*]SUSE and [*]Ubuntu) to tackle the problem of
taking full advantage of UEFI secure boot to enhance platform security
and sees the pre-bootloader it is releasing as a stop-gap measure that
will give all distributions time to come up with plans that take
advantage of UEFI secure boot.
Technical Details
The source code for the pre-bootloader is available in
[*]git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
As Loader.c
It is designed to be as small as possible, leaving all the work to the
real bootloader. The real bootloader must be installed on the same
partition as the pre-bootloader with the known path loader.efi
(although the binary may be any bootloader including Grub2). The
pre-bootloader will attempt to execute this binary and, if that
succeeds, the system will boot normally. If the loader.efi fails to
load with a security error (because it is unsigned), the pre-bootloader
will stop at a splash screen and ask the user to confirm, by selecting
a menu option, that they wish to continue booting loader.efi. If this
confirmation (which is the “present user” test) is successful, the
pre-bootloader will then execute loader.efi without security
verification (if the user denies permission to boot, the pre-bootloader
will signal failure and the UEFI boot sequence will continue on to the
next boot path, if there is one). To facilitate repeat booting (and to
make the pre-bootloader useful for booting hard disks as well as USB
keys or DVDs) the pre-bootloader will also check to see if the platform
is booting in Setup Mode and if it is, will ask the user for permission
to install the signature of loader.efi into the authorized signatures
database. If the user gives permission, the signature will be
installed and loader.efi will then boot up without any present user
tests on all subsequent occasions even after the platform is placed
back into secure boot mode. The present user test splash screen that
appears in secure boot mode asking for permission to boot loader.efi
will also direct the user to a Linux Foundation website where we will
gather details of how to place platforms in setup mode and advise the
user how to do this, either to install the signature of loader.efi or
to take full control of the platform by replacing the Platform and Key
Exchange Keys.
* [*]jejb's blog
* [*]Print
* [*]Email
Refs:
...
* http://www.linux-foundation.org/
* http://www.linuxfoundation.org/programs/advisory-councils/tab
*
http://blog.hansenpartnership.com/easier-way-to-take-control-of-uefi-secure-boot-platform/
* http://mjg59.dreamwidth.org/12368.html
* https://www.suse.com/blogs/uefi-secure-boot-details/
* https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
* http://www.linuxfoundation.org/blogs/jejb
* http://www.linuxfoundation.org/print/9644
* http://www.linuxfoundation.org/printmail/9644
...
Aldo:~$
--
--
CarrefourBLinuX MailingListe
Pour obtenir de l'aide, envoyez le sujet help :
carrefourblinux-request@xxxxxxxxxxxxxxxxxxx
Archives:
http://listengine.tuxfamily.org/lists.tuxfamily.org/carrefourblinux