First Attempt At Linux Kernel Secure Boot Support
Written by Michael Larabel in Hardware on 6 September 2012 at 09:31 AM EDT. 1 Comment
Matthew Garrett published the first patches this week that take an initial stab at the Linux kernel UEFI Secure Boot support.

An "RFC" (Request For Comments) patch series was published entitled First attempt at kernel secure boot support by Red Hat's Matthew Garrett.
The UEFI Secure Boot trust model is based on it not being possible for a user to cause a signed OS to boot an unsigned OS, even if that user has administrative privileges. This is an initial attempt at a set of patches to reduce root's ability to modify the kernel. We've done this with an additional capability for a couple of reasons:

1) CAP_SYS_RAWIO already covers pretty much everything we want, but also disables a lot of functionality that we don't want to lose. Following the same model seems reasonable.

2) This capability may be more generically useful for some use-cases. Adding a set of hardcoded is_secure_boot() checks in the same places would prevent that.

Feedback welcome.
See more UEFI SecureBoot coverage for those not up to speed on the Linux implementation.

About The Author
Author picture

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter or contacted via

Related Hardware News
Popular News
Trending Reviews & Featured Articles