|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Xen.efi and secure boot
> ruling out third-party or out-of-tree drivers. Ubuntu are not signing > modules AIUI, so in theory someone could install a rootkit; but they think They can anyway. If the kernel has a hole you can just stuff something hidden in early early userspace boot (eg in the initrd) to re-trojan it. Plus the next generation of devices mostly suspend/resume so its hardly that important anyway. > that it's likely any local attacker is going to be able to attack the > kernel anyway; on the balance having third-party drivers is more important > to them. Don't be misled into thinking this has anything much to do with security. If you are trying to do security use the TPM and do a trusted measured boot which gives you the keys to the file system which then uses signing of its own. > Nonetheless, Ubuntu are still signing kernels In the UEFI sense they are not - nor are Fedora. They are signing a tiny boot loader and implementing their own policy behind that. It's basically a way around the Windows 8 lock down. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |