decoration decoration
Stories

GROKLAW
When you want to know more... 		decoration
For layout only
Home
Archives
Site Map
Search
About Groklaw
Awards
Legal Research
Timelines
ApplevSamsung
ApplevSamsung p.2
ArchiveExplorer
Autozone
Bilski
Cases
Cast: Lawyers
Comes v. MS
Contracts/Documents
Courts
DRM
Gordon v MS
GPL
Grokdoc
HTML How To
IPI v RH
IV v. Google
Legal Docs
Lodsys
MS Litigations
MSvB&N
News Picks
Novell v. MS
Novell-MS Deal
ODF/OOXML
OOXML Appeals
OraclevGoogle
Patents
ProjectMonterey
Psystar
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v IBM
SCO v Novell
SCO:Soup2Nuts
SCOsource
Sean Daly
Software Patents
Switch to Linux
Transcripts
Unix Books

Gear

Groklaw Gear

Click here to send an email to the editor of this weblog.

You won't find me on Facebook

Donate

Donate Paypal

No Legal Advice

The information on Groklaw is not intended to constitute legal advice. While Mark is a lawyer and he has asked other lawyers and law students to contribute articles, all of these articles are offered to help educate, not to provide specific legal advice. They are not your lawyers.

Here's Groklaw's comments policy.

What's New

STORIES
No new stories

COMMENTS last 48 hrs
No new comments

Sponsors

Hosting:
hosted by ibiblio

On servers donated to ibiblio by AMD.

Webmaster
Need to be able to generate personal key pairs within the distributed OS | 474 comments | Create New Account
Comments belong to whoever posts them. Please notify us of inappropriate comments.
Need to be able to generate personal key pairs within the distributed OS
Authored by: Anonymous on Tuesday, July 03 2012 @ 03:21 PM EDT
Lessay I have a box that has SecBo and only the MegaUpSofT
(MUST) private key. If you have a bootable thing that is
signed with the MUST key you can boot it.

So lessay I use Fegora which has a bootable binary signed
with the MUST key. I can boot Fegora as distributed, and
the kernel (plus, through a [TBD1] mechanism, other files)
can be verified by the box's bootloader. So Fegora boots
and Fegora runs.

I want to modify Fegora to change the spin of a given
spinlock. However, the file that implements the spin change
needs to be signed, and I (naturally) do not have the Fegora
Private key.

So I generate a key pair (call that My-Authorization-Keys,
MAK) in a well-defined [TBD2] format. I then use either the
[TBD3] BIOS-resident Private Key Loader or a (signed) piece
of code running under Fegora to insert that into the BIOS'
key store, and reboot.

Now if I get it well, when checking that specific files are
properly signed, the BIOS checks against all the keys in its
store, in turn. So it tries to load initrd: checks against
MUST, passes; and so on. When it is asked to check my
spinchange file, checking against MUST fails, but checking
against MAK passes, so all is well.

I have no idea of the details of [TBDn|0<n<4], but the above
is about the only way this signing nightmare may work with
user-based updates.. Naturally, MUST doesn't care about
user-provided updates, so the scheme above is unnecessary.

As it's unnecessary for MUST, it is most likely not
implemented that way.

However, the Canonical method actually boots a small,
single-file secondary boot loader, which they do not expect
will need be changed by the user. So, as far as this code
is concerned, they will expect to be the sole providers. In
essence, unless Canonical provides a signing service for
that specific code, that code has been Tivoized by the
definition of the secure boot system. So, unless that
signing service exists, the code must not be GPLv3.

Now, the coed implements ... a boot loader, which needs to
be able to handle user-originated changes: so it implements
something along the lines above, where all components loaded
by that "secondary" loader can be signed by a user-provided
key and can be under GPLv3.

...

Nothing is ever simple.

[ Reply to This | Parent | # ]
Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details ) 		Site layout based on Woodlands theme by Bryan Bell.
Groklaw logo by John Crowley.
News Picks logo by Ted Thompson.
Powered By GeekLog
Created this page in 0.04 seconds