First Attempt At Linux Kernel Secure Boot Support

Posted by Michael Larabel on September 06, 2012

Matthew Garrett published the first patches this week that take an initial stab at the Linux kernel UEFI Secure Boot support.

An "RFC" (Request For Comments) patch series was published entitled First attempt at kernel secure boot support by Red Hat's Matthew Garrett.
The UEFI Secure Boot trust model is based on it not being possible for a user to cause a signed OS to boot an unsigned OS, even if that user has administrative privileges. This is an initial attempt at a set of patches to reduce root's ability to modify the kernel. We've done this with an additional capability for a couple of reasons:

1) CAP_SYS_RAWIO already covers pretty much everything we want, but also disables a lot of functionality that we don't want to lose. Following the same model seems reasonable.

2) This capability may be more generically useful for some use-cases. Adding a set of hardcoded is_secure_boot() checks in the same places would prevent that.

Feedback welcome.
See more UEFI SecureBoot coverage for those not up to speed on the Linux implementation.
Discuss this article in our forums, IRC channel, or email the author. You can also follow our content via RSS and on social networks like Facebook, Identi.ca, and Twitter (@Phoronix and @MichaelLarabel). Subscribe to Phoronix Premium to view our content without advertisements, view entire articles on a single page, and experience other benefits.
Comments & Discussion
News Archives
Related Hardware News
Logitech Begins Supporting Linux...
DRM Graphics Driver Comes For...
Linux 3.10: Improved eCryptfs...
Why IBM Now Views LLVM As Being...
KVM Virtualization Gets New...
ARM Support Will Change A Lot...
ARM64 Support Will Improve In...
More Linux Utilities Come For...
Popular News
Portal Released For Steam On...
Why IBM Now Views LLVM As Being...
Linux 3.10 Kernel Yields Biggest...
Interesting Features, Changes In...
Ubuntu To Get Its Own Package...
Steam Linux Usage Still On The...
Linux 3.9 Kernel Released With...
Ubuntu's Mir Moves Ahead With...
Latest Hardware Reviews
  1. Sumo Lounge Emperor
  2. Gallium3D Continues Improving OpenGL For Older Radeon GPUs
  3. 15-Way Open vs. Closed Source NVIDIA/AMD Linux GPU Comparison
  4. Nouveau vs. NVIDIA Linux Comparison Shows Shortcomings
Latest Software Articles
  1. Btrfs vs. EXT4 vs. XFS vs. F2FS On Linux 3.10
  2. AMD Radeon R600 GPU LLVM 3.3 Back-End Testing
  3. F2FS File-System Shows Regressions On Linux 3.10
  4. Previewing The Radeon Gallium3D Shader Optimizations
Latest Linux News
  1. Mageia 3 Released, Still Using Legacy GRUB
  2. NetBSD 6.1 Brings In More Features
  3. Using Six Monitors With AMD's Open-Source Linux Driver
  4. Benchmarking The Intel P-State, CPUfreq Changes
  5. FreeBSD Still Working On Next-Gen Package Manager
  6. DNF Still Advancing As Experimental Yum For Fedora
  7. Logitech Begins Supporting Linux Users
  8. Modern Intel Gallium3D Driver Still Being Toyed With
  9. Linux 3.10 Kernel Benchmarks On A Core i7 Laptop
  10. GCC 4.8.1 Compiler Due To Be Out Next Week
  11. Linux 3.10 Kernel Benchmarks For Intel Ivy Bridge
Latest Forum Talk
  1. Using Six Monitors With AMD's Open-Source Linux...
  2. Mageia 3 Released, Still Using Legacy GRUB
  3. Sumo Lounge Emperor
  4. BHyVe: A New Hypervisor Coming To FreeBSD 10.0
  5. Benchmarking The Intel P-State, CPUfreq Changes
  6. DRM Moves Ahead With HTML5 Specification
  1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Motherboards
  5. Peripherals
  6. Processors
  7. Software
  8. Operating Systems
  9. All Articles
  1. Linux Benchmarking
  2. OpenBenchmarking.org
  3. Phoronix Test Suite
Copyright © 2004 - 2013 by Phoronix Media.
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).