First Attempt At Linux Kernel Secure Boot Support

Posted by Michael Larabel on September 06, 2012

Matthew Garrett published the first patches this week that take an initial stab at the Linux kernel UEFI Secure Boot support.

An "RFC" (Request For Comments) patch series was published entitled First attempt at kernel secure boot support by Red Hat's Matthew Garrett.
The UEFI Secure Boot trust model is based on it not being possible for a user to cause a signed OS to boot an unsigned OS, even if that user has administrative privileges. This is an initial attempt at a set of patches to reduce root's ability to modify the kernel. We've done this with an additional capability for a couple of reasons:

1) CAP_SYS_RAWIO already covers pretty much everything we want, but also disables a lot of functionality that we don't want to lose. Following the same model seems reasonable.

2) This capability may be more generically useful for some use-cases. Adding a set of hardcoded is_secure_boot() checks in the same places would prevent that.

Feedback welcome.
See more UEFI SecureBoot coverage for those not up to speed on the Linux implementation.
Discuss this article in our forums, IRC channel, or email the author. You can also follow our content via RSS and on social networks like Facebook, Identi.ca, and Twitter (@Phoronix and @MichaelLarabel). Subscribe to Phoronix Premium to view our content without advertisements, view entire articles on a single page, and experience other benefits.
Comments & Discussion
News Archives
Related Hardware News
DRM Graphics Driver Comes For...
Linux 3.10: Improved eCryptfs...
Why IBM Now Views LLVM As Being...
KVM Virtualization Gets New...
ARM Support Will Change A Lot...
ARM64 Support Will Improve In...
More Linux Utilities Come For...
The State Of ARM SoC GPU Linux...
Popular News
Portal Released For Steam On...
Why IBM Now Views LLVM As Being...
Linux 3.10 Kernel Yields Biggest...
Interesting Features, Changes In...
Ubuntu To Get Its Own Package...
Steam Linux Usage Still On The...
Linux 3.9 Kernel Released With...
Ubuntu's Mir Moves Ahead With...
Latest Hardware Reviews
  1. Gallium3D Continues Improving OpenGL For Older Radeon GPUs
  2. 15-Way Open vs. Closed Source NVIDIA/AMD Linux GPU Comparison
  3. Nouveau vs. NVIDIA Linux Comparison Shows Shortcomings
  4. AMD Radeon Gallium3D More Competitive With Catalyst On Linux
Latest Software Articles
  1. Btrfs vs. EXT4 vs. XFS vs. F2FS On Linux 3.10
  2. AMD Radeon R600 GPU LLVM 3.3 Back-End Testing
  3. F2FS File-System Shows Regressions On Linux 3.10
  4. Previewing The Radeon Gallium3D Shader Optimizations
Latest Linux News
  1. Modern Intel Gallium3D Driver Still Being Toyed With
  2. Linux 3.10 Kernel Benchmarks On A Core i7 Laptop
  3. GCC 4.8.1 Compiler Due To Be Out Next Week
  4. Linux 3.10 Kernel Benchmarks For Intel Ivy Bridge
  5. Linux's "Ondemand" Governor Is No Longer Fit
  6. Firefox 22 Beta Enables WebRTC Support
  7. OpenSUSE 13.1 Milestone 1 Released
  8. DRM Graphics Driver Comes For Dove/Cubox
  9. JADE: An LLVM-Based Video Decoder For MPEG RVC
  10. Ubuntu 13.10 Likely Switching To Chromium Browser
  11. Unity 7, Compiz To Be Polished For Ubuntu 13.10
Latest Forum Talk
  1. Btrfs vs. EXT4 vs. XFS vs. F2FS On Linux 3.10
  2. Linux's "Ondemand" Governor Is No...
  3. Modern Intel Gallium3D Driver Still Being Toyed...
  4. Ubuntu 13.10 Likely Switching To Chromium Browser
  5. KDE's Krita Ported To OpenGL 3.1, OpenGL ES 2.0
  6. Ubuntu Looks Towards MySQL Alternatives
  1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Motherboards
  5. Peripherals
  6. Processors
  7. Software
  8. Operating Systems
  9. All Articles
  1. Linux Benchmarking
  2. OpenBenchmarking.org
  3. Phoronix Test Suite
Copyright © 2004 - 2013 by Phoronix Media.
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).