UEFI SecureBoot Comes To QEMU-KVM
  • UEFI SecureBoot Comes To QEMU-KVM

    Phoronix: UEFI SecureBoot Comes To QEMU-KVM

    Early support for UEFI SecureBoot is now available via qemu-kvm for messing with this troublesome technology in a virtualized world...

    http://www.phoronix.com/vr.php?view=MTEyODU

  • #2
    I am curious to know what Richard Stallman and Linus Torvalds think personally about the whole UEFI thing :S


    • #3
      Originally posted by asdx
      Good, I hope Secure Boot locks out all the garbage blobs that are infecting our systems today.

      Yes, but secure boot is a bad standard because they cannot see the difference between an operating system installed by the user and a virus.


      • #4
        Originally posted by lapis
        Yes, but secure boot is a bad standard because they cannot see the difference between an operating system installed by the user and a virus.

        Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write its own scripts?

        What it does is ask whether X binary object contains a valid signature based on the keys in its database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is meant to do.


        • #5
          Originally posted by WorBlux
          Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write its own scripts?

          What it does is ask whether X binary object contains a valid signature based on the keys in its database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is meant to do.

          A security feature has the purpose to protect the users and not restrict them.

          Even a trusted software from the user does not have a key, the system should create an exception system to install the software, like browsers do. The browser asks the user about the exception.


          • #6
            Originally posted by lapis
            A security feature has the purpose to protect the users and not restrict them.

            Even a trusted software from the user does not have a key, the system should create an exception system to install the software, like browsers do. The browser asks the user about the exception.

            Just because someone implements a feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.


            • #7
              Originally posted by WorBlux
              Just because someone implements a feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.

              The user cannot create exceptions on Secure Boot. Ex: Ubuntu and Fedora need to create keys.
              Using public keys is not an exception because it needs a certificate authority.


              • #8
                Originally posted by lapis
                The user cannot create exceptions on Secure Boot. Ex: Ubuntu and Fedora need to create keys.
                Using public keys is not an exception because it needs a certificate authority.

                It's all based on OpenSSL in the core. You can create a private-public key-pair and an X.509 without the need for a third party.

                If the firmware allows you to use the X.509 as the PKI or sideload as a KEK without needing it linked to the PK, then the user is in control.

                http://feishare.com/uefi/uefi-secure-boot

                Originally posted by How to Enable Secure Boot
                8. Set appropriate value of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize
                for security feature relative databases which uses EFI Variable as storage.
                Each database stores in a single variable, the maximum variable size is
                defined by PCD value of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize.
                Database categories include:
                1) PK database: only one entry for public key of PK plus header info.
                2) KEK database: multi-entry for public key of KEK plus header info.
                3) Authorized signature database: multi-entries for authorized signatures
                and one entry for root X509 certificate, plus header info.
                4) Forbidden signature database: multi-entries for forbidden signatures,
                plus header info.

                NOTICE: Typically the size of one X509 certificate is ~2k, which may exceed
                the default maximum variable size. Please adjust the value by PCD if
                needed.

                9. Set a platform policy of image verification by PCDs.
                User can customize platform policy of image verification by PCD value
                before build a platform. In [PcdsFixedAtBuild] section of SecurityPkg.dec
                file, set the PCD value for each type of device accordingly.

                For example, if the platform policy is defined as:
                1) Trust all images from OptionROM.
                2) Validate all images from removable devices and deny execute when security
                violation occurs.
                3) Validate all images from hard disk and query user to make decision when
                security violation occurs.

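Added example, not part of the thread or of the quoted how-to: the KEK and authorized-signature databases described in post #8 hold certificates wrapped in an EFI_SIGNATURE_LIST, which is the "header info" that adds to the ~2k certificate when checking it against PcdMaxVariableSize. The layout and the X.509 type GUID come from the UEFI specification; the owner GUID and the placeholder certificate bytes are constructed, and the size check ignores the variable header and name overhead.

```python
import struct
import uuid

# EFI_CERT_X509_GUID and the EFI_SIGNATURE_LIST layout are from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
ESL_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, signature size

# Constructed sample values, not taken from the thread or from any real platform.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT_DER = bytes(2048)  # placeholder bytes standing in for a ~2k DER certificate


def build_x509_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST."""
    sig_size = 16 + len(cert_der)            # SignatureOwner GUID + certificate
    list_size = ESL_HEADER.size + sig_size   # X.509 lists carry no type-specific header
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes):
    """Return (type GUID, owner GUID, data) per entry; reject inconsistent sizes."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated list header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        body = list_size - ESL_HEADER.size - hdr_size
        if list_size > len(blob) - off or sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("inconsistent signature list sizes")
        pos = off + ESL_HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type), owner, data))
            pos += sig_size
        off += list_size
    return entries


def fits(blob: bytes, max_variable_size: int) -> bool:
    """Payload-only check; ignores variable header and name overhead."""
    return len(blob) <= max_variable_size
```

With the 2048-byte placeholder the list is 2092 bytes, so it does not fit a sample limit of 0x400 but does fit 0x2000; both limits are illustrative values, not settings read from the thread.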


                • #9
                  Originally posted by WorBlux
                  It's all based on OpenSSL in the core. You can create a private-public key-pair and an X.509 without the need for a third party.

                  If the firmware allows you to use the X.509 as the PKI or sideload as a KEK without needing it linked to the PK, then the user is in control.

                  http://feishare.com/uefi/uefi-secure-boot

                  Why do Ubuntu and Red Hat need to buy a key?


                  • #10
                    Originally posted by lapis
                    Why do Ubuntu and Red Hat need to buy a key?

                    They do not need to. Ubuntu/Canonical have made their own key for their bootloader/kernel to be able to run on machines with Secure Boot and the Ubuntu key. Fedora has bought the right to use a Microsoft key, just for convenience, because basically every motherboard will ship with this key. This way they don't have to convince the hardware manufacturers to use their key, unlike Canonical.
