UEFI SecureBoot Comes To QEMU-KVM

**phoronix** · 06-27-2012, 04:10 PM

Phoronix: UEFI SecureBoot Comes To QEMU-KVM

Early support for UEFI SecureBoot is now available via qemu-kvm for messing with this troublesome technology in a virtualized world...

http://www.phoronix.com/vr.php?view=MTEyODU

**aliasbody** · 06-27-2012, 04:39 PM

I am curious to know what Richard Stallman and Linus Torvalds think personally about the whole UEFI thing :S

**asdx** · 06-27-2012, 05:15 PM

Good, I hope Secure Boot locks out all the blobs garbage that are infecting our systems today.

**lapis** · 06-27-2012, 05:25 PM

Originally Posted by asdx

Good, I hope Secure Boot locks out all the garbage blobs that are infecting our systems today.

Yes ,but secure boot is bad standard because they cannot see the difference between a operating system installed by the user and a virus.

**WorBlux** · 06-27-2012, 09:21 PM

Originally Posted by lapis

Yes ,but secure boot is bad standard because they cannot see the difference between a operating system installed by the user and a virus.

Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write it's own scripts?

What it does is ask weather X binary object contains a valid signature based on the keys in it's database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is mean to do.

**lapis** · 06-28-2012, 08:38 AM

Originally Posted by WorBlux

Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write it's own scripts?

What it does is ask weather X binary object contains a valid signature based on the keys in it's database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is mean to do.

A security feature has the purpose to protect the users and not restrict them.

Even a trusted software from user does not have a key,the system should create a exception system to install the software ,like browsers do.The browser asks the user about the exception.

**WorBlux** · 06-28-2012, 06:22 PM

Originally Posted by lapis

A security feature has the purpose to protect the users and not restrict them.

Even a trusted software from user does not have a key,the system should create a exception system to install the software ,like browsers do.The browser asks the user about the exception.

Just because someone implements feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.

**lapis** · 06-28-2012, 09:18 PM

Originally Posted by WorBlux

Just because someone implements feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.

The user cannot create exceptions on secureboot.Ex:Ubuntu and fedora need to create keys.
Using public keys is not a exception because it needs a cenrtificate authority.

**WorBlux** · 06-29-2012, 06:50 AM

Originally Posted by lapis

The user cannot create exceptions on secureboot.Ex:Ubuntu and fedora need to create keys.
Using public keys is not a exception because it needs a cenrtificate authority.

It's all based on openSSL in the core. You can create a private-public key-pair and an x.509 without the need for a third party.

If the firmware allows you to use the X.509 as the PKI or sideload as a KEK without needed it linked to the PK, then the user is in control.

http://feishare.com/uefi/uefi-secure-boot

Originally Posted by How to Enable Secure Boot

8. Set appropriate value of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize
for security feature relative databases which uses EFI Variable as storage.
Each database stores in a single variable, the maximum variable size is
defined by PCD value of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize.
Database categories include:
1) PK database: only one entry for public key of PK plus header info.
2) KEK database: multi-entry for public key of KEK plus header info.
3) Authorized signature database: multi-entries for authorized signatures
and one entry for root X509 certificate, plus header info.
4) Forbidden signature database: multi-entries for forbidden signatures,
plus header info.

NOTICE: Typically the size of one X509 certificate is ~2k, which may exceed
the default maximum variable size. Please adjust the value by PCD if
needed.

9. Set a platform policy of image verification by PCDs.
User can customize platform policy of image verification by PCD value
before build a platform. In [PcdsFixedAtBuild] section of SecurityPkg.dec
file, set the PCD value for each type of device accordingly.

For example, if the platform policy is defined as:
1) Trust all images from OptionROM.
2) Validate all images from removable devices and deny execute when security
violation occurs.
3) Validate all images from hard disk and query user to make decision when
security violation occurs.

**lapis** · 06-29-2012, 09:21 AM

Originally Posted by WorBlux

It's all based on openSSL in the core. You can create a private-public key-pair and an x.509 without the need for a third party.

If the firmware allows you to use the X.509 as the PKI or sideload as a KEK without needed it linked to the PK, then the user is in control.

http://feishare.com/uefi/uefi-secure-boot

Why ubuntu and red hat need to buy a key ?

Thread: UEFI SecureBoot Comes To QEMU-KVM

Thread Tools

Search Thread

Display

UEFI SecureBoot Comes To QEMU-KVM

Posting Permissions