|
Authored by: Anonymous on Friday, October 12 2012 @ 03:42 PM EDT |
> Imagine you get stopped at Airport security and they take
> your laptop on whatever pretext, would UEFI give you any
> piece of mind when it was returned?
No, of course not. They've had physical possession, out of my sight.
Isn't that the number one rule to pwn?
> No to boot a kernel signed by someone else requires no physical presence.
My reading of the article suggested that will only be true after the first
booting of that kernel, with acceptance of its key into the key table.
For the first boot the "present user" has to accept the key,
implying pyhsical presence, since this all happens before the network
is established. And yes, creates a pain for the establishment of
NetBoot systems.
> The user has no idea where the Microsoft keys have been.
And this is a big objection to the MS proposal for Secure Boot.
Corollary: If you can't trust your vendor to sell you a clean key,
why would you buy a computer? Enter the Linux Foundation.
Their boothook runs first, allowing the user to choose,
1. run MS UEFI to verify their kernel;
2. run my UEFI to verify my kernel.
Note the choice is sticky and need only be made once,
unless you're multi-booting in which case you knew all this...
[ Reply to This | Parent | # ]
|
|
|
|
|