
Defeating Secure Boot With Linux Kexec


  • Defeating Secure Boot With Linux Kexec

    Phoronix: Defeating Secure Boot With Linux Kexec

    Matthew Garrett has written an insightful blog post about security issues pertaining to the Linux kernel's kexec functionality that could defeat any security benefits provided by Secure Boot. Using kexec could even allow you to boot a Windows kernel...


  • #2
    Disable kexec?

    Is there any way to disable kexec?



    • #3
      Originally posted by uid313:
      Is there any way to disable kexec?
      Read the blog post; the very last section of it says:

      And that's the story of why kexec is disabled on Fedora when Secure Boot is enabled.
      All opinions are my own not those of my employer if you know who they are.



      • #4
        This news made my day



        • #5
          Originally posted by nomadewolf:
          This news made my day
          I'm not sure why. It just means that any kernel booting into Secure Mode has to have kexec disabled.



          • #6
            Originally posted by uid313:
            Is there any way to disable kexec?
            Yes and no.

            You can disable kexec when you build the kernel. However, you can then
            build kexec as a kernel module (this is hacky but works; it's used on
            Android phones to boot a custom kernel even with a locked bootloader).

            Of course you can disable kernel modules altogether but that would
            be very limiting for the system.

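The two mitigations discussed above (the distro disabling kexec under Secure Boot in #3, and the build-time kexec switch plus the loadable-module loophole in #6) can be audited on a host. The script below is an added example, not code from the thread or from the blog post; it assumes the stock Linux paths for the kernel config, the EFI SecureBoot variable, and the one-way `kexec_load_disabled` and `modules_disabled` sysctls (the latter two are not mentioned in the thread).

```shell
# Added example (not code from the thread or the blog post): audit how
# reachable kexec is on a Linux host. Assumes the stock kernel paths:
# /boot/config-$(uname -r), /proc/sys/kernel/{kexec_load_disabled,
# modules_disabled} and the EFI SecureBoot variable.

# Value of a CONFIG_ symbol in a kernel config: "y", "m", or "n" when unset.
config_value() {
    v=$(grep -E "^$2=" "$1" | head -n1 | cut -d= -f2)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'n\n'; fi
}

# Classify kexec exposure from a config file plus the two one-way sysctls
# ($2 = kexec_load_disabled, $3 = modules_disabled). A kernel built without
# kexec but with unsigned loadable modules is the loophole the thread
# describes, so it is reported separately.
kexec_status() {
    kexec=$(config_value "$1" CONFIG_KEXEC)
    kexec_file=$(config_value "$1" CONFIG_KEXEC_FILE)
    modules=$(config_value "$1" CONFIG_MODULES)
    sig_force=$(config_value "$1" CONFIG_MODULE_SIG_FORCE)
    if [ "$kexec" = y ] || [ "$kexec_file" = y ]; then
        if [ "$2" = 1 ]; then echo kexec-runtime-disabled; else echo kexec-on; fi
    elif [ "$modules" = y ] && [ "$3" != 1 ] && [ "$sig_force" != y ]; then
        echo kexec-reloadable-via-module
    else
        echo kexec-off
    fi
}

# Secure Boot state from the EFI variable: 4 attribute bytes, then one data byte.
secure_boot_state() {
    f=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    [ -r "$f" ] || { echo unknown; return 0; }
    case $(od -An -tu1 -j4 -N1 "$f" | tr -d ' ') in
        1) echo enabled ;;  0) echo disabled ;;  *) echo unknown ;;
    esac
}

# Constructed sample config: kexec built out, modules allowed, signing optional.
SAMPLE_CONFIG=$(mktemp)
printf '# CONFIG_KEXEC is not set\n# CONFIG_KEXEC_FILE is not set\nCONFIG_MODULES=y\nCONFIG_MODULE_SIG=y\n' > "$SAMPLE_CONFIG"
echo "sample: $(kexec_status "$SAMPLE_CONFIG" 0 0)"   # -> kexec-reloadable-via-module
# Live host report, only where the kernel config is present.
if [ -r "/boot/config-$(uname -r)" ]; then
    kld=$(cat /proc/sys/kernel/kexec_load_disabled 2>/dev/null || echo 0)
    md=$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo 0)
    echo "host: secureboot=$(secure_boot_state) kexec=$(kexec_status "/boot/config-$(uname -r)" "$kld" "$md")"
fi
```

A host that reports `secureboot=enabled` together with `kexec-on` or `kexec-reloadable-via-module` is in the state the blog post warns about; `kexec-off` or `kexec-runtime-disabled` is what a Secure Boot kernel should show.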


            • #7
              Originally posted by Pajn:
              Yes and no.

              You can disable kexec when you build the kernel. However, you can then
              build kexec as a kernel module (this is hacky but works; it's used on
              Android phones to boot a custom kernel even with a locked bootloader).

              Of course you can disable kernel modules altogether but that would
              be very limiting for the system.
              Depends on the system. For a phone? Tablet? Anything else with 'locked in' components? Not really. It has THESE parts and only THESE parts.

              Laptops, Desktops, and Servers? Okay, granted. But the absolute worst case scenario there is that you compile everything you're supporting into the kernel and not do them as modules.
              All opinions are my own not those of my employer if you know who they are.



              • #8
                Originally posted by Ericg:
                Depends on the system. For a phone? Tablet? Anything else with 'locked in' components? Not really. It has THESE parts and only THESE parts.

                Laptops, Desktops, and Servers? Okay, granted. But the absolute worst case scenario there is that you compile everything you're supporting into the kernel and not do them as modules.
                Proprietary graphic drivers could be quite nice to have...



                • #9
                  Originally posted by Pajn:
                  Proprietary graphic drivers could be quite nice to have...
                  No way to compile the kernel portion of the Nvidia and AMD drivers in? It'd be up to the individual distros then, but still.
                  All opinions are my own not those of my employer if you know who they are.



                  • #10
                    Originally posted by Ericg:
                    No way to compile the kernel portion of the Nvidia and AMD drivers in? It'd be up to the individual distros then, but still.
                    No, that is totally against the GPL license.
                    You can't mix GPL and proprietary code.
