[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Xen.efi and secure boot
On Mon, Nov 26, 2012 at 6:16 PM, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote: The idea of secure boot is that only signed/verified code can perform Different people have different opinions on this. Fedora are signing all the way down to modules, but not user-space; as a result, IIUC, they are ruling out third-party or out-of-tree drivers. Ubuntu are not signing modules AIUI, so in theory someone could install a rootkit; but they think that it's likely any local attacker is going to be able to attack the kernel anyway; on the balance having third-party drivers is more important to them. Nonetheless, Ubuntu are still signing kernels, so that the kernel can still do some of the "boot mode" UEFI operations. (Not sure the correct term here.) The idea is that the kernel will disable the "boot mode" UEFI operations before it loads any kernel modules. Someone booting Xen directly from EFI may want to do the same thing. -George
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |