Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9

  • Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9

    Phoronix: Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9

    With the PowerPC changes for the Linux 5.5 kernel comes the initial infrastructure work on preparing to be able to handle a Secure Boot implementation for POWER9 hardware...

    http://www.phoronix.com/scan.php?pag...POWER9-SB-Prep

  • #2
    Typo:

    Originally posted by phoronix
    for old 32-biit BookE hardware,


    • #3
      won't impose any potential Secure Boot restrictions on existing users
      Should note that since the entire boot flow is owner controlled on Raptor POWER products, even when fully implemented this won't impose Secure Boot restrictions on users, existing or new. It instead allows the users to impose Secure Boot restrictions on third parties for the hardware they own, from black hat crackers to the very hardware vendors the systems came from.


      • #4
        Originally posted by madscientist159
        Should note that since the entire boot flow is owner controlled on Raptor POWER products, even when fully implemented this won't impose Secure Boot restrictions on users, existing or new. It instead allows the users to impose Secure Boot restrictions on third parties for the hardware they own, from black hat crackers to the very hardware vendors the systems came from.
        Apart from a few devices that suck and can't load custom keys in their database, x86 UEFI does not impose any Secure Boot restriction either.

        That said, it's good to see something other than UEFI with modern features every once in a while. Is this a Linuxboot system?

        I think I remember that Power servers have their own "smart" bootloader that can do UEFI-like stuff like reading the OS kernel from a partition but it's not Linux-based.


        • #5
          Originally posted by starshipeleven
          Apart from a few devices that suck and can't load custom keys in their database, x86 UEFI does not impose any Secure Boot restriction either.
          Maybe not at the OS level (yet, for the most part, etc.) but certainly it does impose severe restrictions on what the machine "owner" can do to the rest of the firmware stack. Which brings up the (admittedly unlikely, but technically possible) spectre of e.g. a future security update for UEFI removing custom OS support (or requiring a paid annual boot license, etc.). POWER simply doesn't have these problems, which is why I wanted to highlight it above.


          • #6
            Oh god this is why I hate you. You always need to spindoctor stuff.

            Originally posted by madscientist159
            Maybe not at the OS level (yet, for the most part, etc.) but certainly it does impose severe restrictions on what the machine "owner" can do to the rest of the firmware stack.
            Umm... no? Intel Boot Guard or its AMD equivalent (what actually prevents the owner from changing the firmware) are unrelated to Secure Boot or even UEFI, as they are hardware features (enforced by ME or PSP or fused signature in the chipset).

            future security update for UEFI removing custom OS support
            This is a problem with all signed board firmwares (i.e. not replaceable by the end user), and is unrelated to the availability or not of a "secure boot" implementation, and I'm tired of you posting bullshit goddamnit.

            Even BIOS could be updated to just check the checksum of Windows's MBR code before executing it, so it would execute ONLY the Windows bootloader. (Some BIOSes had a "boot sector virus check" feature that was able to block writes to or rewrite the MBR, for example)

            Actually the whole Secure Boot system in UEFI is specifically designed around having the user and OEM add their keys.
            It is designed around a signature database and not just static hashes, because it's supposed to let the user/OEM add their keys to the system database.
            It makes no sense to even care about keys and signing shit if you are just booting the same bootloader over and over, a hard-coded checksum is enough.
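
The contrast drawn in post #6 between a hard-coded checksum and a signature database, as an added example that is not part of the thread. It is a simplified Go model with Ed25519 keys and constructed images; all names are hypothetical and this is not UEFI's actual db format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Simplified model for illustration; not UEFI's actual db/dbx format.

// pinAllows models firmware with one hard-coded bootloader checksum.
func pinAllows(pin [32]byte, image []byte) bool { return sha256.Sum256(image) == pin }

// KeyDB models a signature database of trusted public keys that the
// owner or OEM can extend.
type KeyDB struct{ keys []ed25519.PublicKey }

func (db *KeyDB) Enroll(k ed25519.PublicKey) { db.keys = append(db.keys, k) }

// Allows reports whether sig over image verifies under any enrolled key.
func (db *KeyDB) Allows(image, sig []byte) bool {
	for _, k := range db.keys {
		if ed25519.Verify(k, image, sig) {
			return true
		}
	}
	return false
}

// Scenario runs both policies over constructed sample images and returns
// the five boot decisions in order.
func Scenario() [5]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // nil: crypto/rand
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(nil)
	v1 := []byte("constructed vendor bootloader v1")
	v2 := []byte("constructed vendor bootloader v2")
	own := []byte("constructed owner-built bootloader")
	pin := sha256.Sum256(v1)
	db := &KeyDB{}
	db.Enroll(vendorPub)
	ownSig := ed25519.Sign(ownerPriv, own)
	var r [5]bool
	r[0] = pinAllows(pin, v1)                          // pinned image boots
	r[1] = pinAllows(pin, v2)                          // any update is refused
	r[2] = db.Allows(v2, ed25519.Sign(vendorPriv, v2)) // signed update boots
	r[3] = db.Allows(own, ownSig)                      // owner key not enrolled yet
	db.Enroll(ownerPub)
	r[4] = db.Allows(own, ownSig) // same image boots once the key is enrolled
	return r
}

func main() { fmt.Println(Scenario()) }
```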
