
Thread: Defeating Secure Boot With Linux Kexec

  1. #1
    Join Date
    Jan 2007
    Posts
    15,652

    Defeating Secure Boot With Linux Kexec

    Phoronix: Defeating Secure Boot With Linux Kexec

    Matthew Garrett has written an insightful blog post about security issues pertaining to the Linux kernel's kexec functionality that could defeat any security benefits provided by Secure Boot. Using kexec could even allow you to boot a Windows kernel...

    http://www.phoronix.com/vr.php?view=MTUzNDk

  2. #2
    Join Date
    Dec 2011
    Posts
    2,195

    Disable kexec?

    Is there any way to disable kexec?

  3. #3
    Join Date
    Aug 2012
    Location
    Pennsylvania, United States
    Posts
    1,939

    Originally posted by uid313:
    > Is there any way to disable kexec?

    Read the blog post, the very last section of it says:

    And that's the story of why kexec is disabled on Fedora when Secure Boot is enabled.

  4. #4
    Join Date
    Mar 2013
    Posts
    50

    This news made my day

  5. #5
    Join Date
    Oct 2008
    Posts
    3,247

    Originally posted by nomadewolf:
    > This news made my day

    I'm not sure why. It just means that any kernel booting into Secure Mode has to have kexec disabled.

  6. #6
    Join Date
    Sep 2012
    Posts
    320

    Originally posted by uid313:
    > Is there any way to disable kexec?

    Yes and no.

    You can disable kexec when you build the kernel. However, you can then
    build kexec in a kernel module (this is hacky but works, it's used on
    Android phones to boot a custom kernel even with a locked bootloader).

    Of course you can disable kernel modules altogether but that would
    be very limiting for the system.
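
A defender-side check of the build and runtime settings this post talks about, as an added example that is not part of the original post. The function names are hypothetical; the sysctls `kernel.kexec_load_disabled` and `kernel.modules_disabled` are real kernel settings the thread does not mention, and the config path in the closing comment is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# config_is_y FILE SYMBOL: succeeds if SYMBOL=y is set in the kernel config.
config_is_y() {
    grep -q "^$2=y\$" "$1"
}

# kexec_exposure CONFIG_FILE KEXEC_LOAD_DISABLED MODULES_DISABLED
# Prints OPEN, OPEN_VIA_MODULE, SIGNED_MODULES_ONLY or CLOSED.
kexec_exposure() {
    cfg=$1; kexec_off=$2; mods_off=$3
    if config_is_y "$cfg" CONFIG_KEXEC || config_is_y "$cfg" CONFIG_KEXEC_FILE; then
        # kexec is compiled in, so only the runtime switch can close it.
        # (Signature enforcement on kexec_file_load is not evaluated here.)
        if [ "$kexec_off" = 1 ]; then echo CLOSED; else echo OPEN; fi
        return 0
    fi
    # kexec is compiled out: the remaining route is a loadable module.
    if ! config_is_y "$cfg" CONFIG_MODULES || [ "$mods_off" = 1 ]; then
        echo CLOSED
    elif config_is_y "$cfg" CONFIG_MODULE_SIG_FORCE; then
        echo SIGNED_MODULES_ONLY
    else
        echo OPEN_VIA_MODULE
    fi
}

# Constructed sample config: kexec compiled out, unsigned modules allowed.
sample_cfg=$(mktemp)
printf '%s\n' '# CONFIG_KEXEC is not set' 'CONFIG_MODULES=y' \
    '# CONFIG_MODULE_SIG_FORCE is not set' > "$sample_cfg"
kexec_exposure "$sample_cfg" 0 0

# On a live system (config path is an assumption):
#   kexec_exposure "/boot/config-$(uname -r)" \
#       "$(cat /proc/sys/kernel/kexec_load_disabled)" \
#       "$(cat /proc/sys/kernel/modules_disabled)"
```

`OPEN_VIA_MODULE` is the case the post describes: kexec is disabled at build time, but the kernel still accepts unsigned modules.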

  7. #7
    Join Date
    Aug 2012
    Location
    Pennsylvania, United States
    Posts
    1,939

    Originally posted by Pajn:
    > Yes and no.
    >
    > You can disable kexec when you build the kernel. However, you can then
    > build kexec in a kernel module (this is hacky but works, it's used on
    > Android phones to boot a custom kernel even with a locked bootloader).
    >
    > Of course you can disable kernel modules altogether but that would
    > be very limiting for the system.

    Depends on the system. For a phone? Tablet? Anything else with 'locked in' components? Not really. It has THESE parts and only THESE parts.

    Laptops, Desktops, and Servers? Okay, granted. But the absolute worst case scenario there is that you compile everything you're supporting into the kernel and not do them as modules.

  8. #8
    Join Date
    Sep 2012
    Posts
    320

    Originally posted by Ericg:
    > Depends on the system. For a phone? Tablet? Anything else with 'locked in' components? Not really. It has THESE parts and only THESE parts.
    >
    > Laptops, Desktops, and Servers? Okay, granted. But the absolute worst case scenario there is that you compile everything you're supporting into the kernel and not do them as modules.

    Proprietary graphics drivers could be quite nice to have...

  9. #9
    Join Date
    Aug 2012
    Location
    Pennsylvania, United States
    Posts
    1,939

    Originally posted by Pajn:
    > Proprietary graphics drivers could be quite nice to have...

    No way to compile the kernel portion of Nvidia and AMD drivers in? It'd be up to the individual distros then but still

  10. #10
    Join Date
    Sep 2012
    Posts
    320

    Originally posted by Ericg:
    > No way to compile the kernel portion of Nvidia and AMD drivers in? It'd be up to the individual distros then but still

    No, that is totally against the GPL license.
    You can't mix GPL and proprietary code.
