First Attempt At Linux Kernel Secure Boot Support

Written by Michael Larabel in Hardware on 6 September 2012 at 09:31 AM EDT. 1 Comment
HARDWARE
Matthew Garrett published the first patches this week that take an initial stab at the Linux kernel UEFI Secure Boot support.

An "RFC" (Request For Comments) patch series was published entitled First attempt at kernel secure boot support by Red Hat's Matthew Garrett.
The UEFI Secure Boot trust model is based on it not being possible for a user to cause a signed OS to boot an unsigned OS, even if that user has administrative privileges. This is an initial attempt at a set of patches to reduce root's ability to modify the kernel. We've done this with an additional capability for a couple of reasons:

1) CAP_SYS_RAWIO already covers pretty much everything we want, but also disables a lot of functionality that we don't want to lose. Following the same model seems reasonable.

2) This capability may be more generically useful for some use-cases. Adding a set of hardcoded is_secure_boot() checks in the same places would prevent that.

Feedback welcome.
See more UEFI SecureBoot coverage for those not up to speed on the Linux implementation.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week