[CBLX] es-ce la parade de la Linux Foundation ? UEFI Secure Boot System for Open Source

[ Thread Index | Date Index | More lists.tuxfamily.org/carrefourblinux Archives ]


Es-ce (hormis là où l'on peut encore mettre ce mode "off" dans le BIOS) LA
parade de la Linux Foundation contre l'UEFI et ses (dé)limitations ? 
Le "present user"-test (cf. info) sera-t-il utilisable sans intervention 
nécessitant par ex. une quelconque action impossible à effectuer par une 
personne dv ?

URL:
http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source

Linux Foundation UEFI Secure Boot System for Open Source

   By James Bottomley - October 10, 2012 - 1:53pm

   Guest post from James Bottomley, Linux Foundation Technical Advisory
   Board

   I'm pleased to announce that the [*]Linux Foundation and its
   [*]Technical Advisory Board have produced a plan to enable the Linux
   (and indeed all Open Source based distributions) to continue operating
   as Secure Boot enabled systems roll out.  In a nutshell, the Linux
   Foundation will obtain a Microsoft Key and sign a small pre-bootloader
   which will, in turn, chain load (without any form of signature check) a
   predesignated boot loader which will, in turn, boot Linux (or any other
   operating system). The pre-bootloader will employ a “present user” test
   to ensure that it cannot be used as a vector for any type of UEFI
   malware to target secure systems. This pre-bootloader can be used
   either to boot a CD/DVD installer or LiveCD distribution or even boot
   an installed operating system in secure mode for any distribution that
   chooses to use it.  The process of obtaining a Microsoft signature will
   take a while, but once it is complete, the pre-bootloader will be
   placed on the Linux Foundation website for anyone to download and make
   use of.

Philosophy Behind this Announcement

   The Linux Foundation is committed to giving users freedom of choice on
   their platforms.  Conforming to this stance, we have already published
   a variety of tools to permit users to take control of their secure boot
   platforms by replacing the Platform Key and managing (or replacing) the
   installed Key Exchange Keys [*]here.  However, as one of the enablers
   of the Linux ecosystem, the Foundation recognizes that not everyone is
   willing (or able) to do this so it was also necessary to find a
   solution that would enable people to continue to try out Linux and
   other Open Source Operating Systems in spite of the barriers UEFI
   Secure boot would place in their way and without requiring that they
   understand how to take control of their platforms.  Therefore, we also
   formulated a technical plan, which is implemented in this
   pre-bootloader, to allow distributions to continue functioning in a
   secure boot environment.

   The current pre-bootloader is designed as an enabler only in that, by
   breaking the security verification chain at the actual bootloader, it
   provides no security enhancements over booting linux with UEFI secure
   boot turned off.  Its sole purpose is to allow Linux to continue to
   boot on platforms that come by default with secure boot enabled.  The
   Linux Foundation welcomes efforts by some of the major distributions
   (e.g. [*]Fedora, [*]SUSE and [*]Ubuntu) to tackle the problem of
   taking full advantage of UEFI secure boot to enhance platform security
   and sees the pre-bootloader it is releasing as a stop-gap measure that
   will give all distributions time to come up with plans that take
   advantage of UEFI secure boot.

Technical Details

   The source code for the pre-bootloader is available in

   [*]git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git

   As Loader.c

   It is designed to be as small as possible, leaving all the work to the
   real bootloader.  The real bootloader must be installed on the same
   partition as the pre-bootloader with the known path loader.efi
   (although the binary may be any bootloader including Grub2).  The
   pre-bootloader will attempt to execute this binary and, if that
   succeeds, the system will boot normally.  If the loader.efi fails to
   load with a security error (because it is unsigned), the pre-bootloader
   will stop at a splash screen and ask the user to confirm, by selecting
   a menu option, that they wish to continue booting loader.efi.  If this
   confirmation (which is the “present user” test) is successful, the
   pre-bootloader will then execute loader.efi without security
   verification (if the user denies permission to boot, the pre-bootloader
   will signal failure and the UEFI boot sequence will continue on to the
   next boot path, if there is one).  To facilitate repeat booting (and to
   make the pre-bootloader useful for booting hard disks as well as USB
   keys or DVDs) the pre-bootloader will also check to see if the platform
   is booting in Setup Mode and if it is, will ask the user for permission
   to install the signature of loader.efi into the authorized signatures
   database.  If the user gives permission, the signature will be
   installed and loader.efi will then boot up without any present user
   tests on all subsequent occasions even after the platform is placed
   back into secure boot mode.  The present user test splash screen that
   appears in secure boot mode asking for permission to boot loader.efi
   will also direct the user to a Linux Foundation website where we will
   gather details of how to place platforms in setup mode and advise the
   user how to do this, either to install the signature of loader.efi or
   to take full control of the platform by replacing the Platform and Key
   Exchange Keys.
     * [*]jejb's blog
     * [*]Print
     * [*]Email

Refs:
....
  * http://www.linux-foundation.org/
  * http://www.linuxfoundation.org/programs/advisory-councils/tab
  * http://blog.hansenpartnership.com/easier-way-to-take-control-of-uefi-secure-boot-platform/
  * http://mjg59.dreamwidth.org/12368.html
  * https://www.suse.com/blogs/uefi-secure-boot-details/
  * https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html
  * git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
  * http://www.linuxfoundation.org/blogs/jejb
  * http://www.linuxfoundation.org/print/9644
  * http://www.linuxfoundation.org/printmail/9644
.... 

Aldo:~$ 


-- 
-- 
   CarrefourBLinuX MailingListe 
   Pour obtenir de l'aide, envoyez le sujet  help  �
   carrefourblinux-request@xxxxxxxxxxxxxxxxxxx
   Archives: 
   http://listengine.tuxfamily.org/lists.tuxfamily.org/carrefourblinux


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/