
Thread: UEFI SecureBoot Comes To QEMU-KVM

  1. #1
    Join Date
    Jan 2007
    Posts
    14,592

    Default UEFI SecureBoot Comes To QEMU-KVM

    Phoronix: UEFI SecureBoot Comes To QEMU-KVM

    Early support for UEFI SecureBoot is now available via qemu-kvm for messing with this troublesome technology in a virtualized world...

    http://www.phoronix.com/vr.php?view=MTEyODU

  2. #2
    Join Date
    Jun 2012
    Posts
    28

    Default

    I am curious to know what Richard Stallman and Linus Torvalds think personally about the whole UEFI thing :S

  3. #3
    Join Date
    Mar 2011
    Posts
    71

    Default

    Quote Originally Posted by asdx View Post
    Good, I hope Secure Boot locks out all the garbage blobs that are infecting our systems today.
    Yes, but Secure Boot is a bad standard because it cannot see the difference between an operating system installed by the user and a virus.

  4. #4
    Join Date
    Jan 2011
    Posts
    192

    Default

    Quote Originally Posted by lapis View Post
    Yes, but Secure Boot is a bad standard because it cannot see the difference between an operating system installed by the user and a virus.

    Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write its own scripts?

    What it does is ask whether X binary object contains a valid signature based on the keys in its database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is meant to do.

  5. #5
    Join Date
    Mar 2011
    Posts
    71

    Default

    Quote Originally Posted by WorBlux View Post
    Nonsense, it was never meant to, plus it's impossible to do really. Is bash a bad standard because it doesn't write its own scripts?

    What it does is ask whether X binary object contains a valid signature based on the keys in its database, and loads it conditionally based on the answer. So far as I can tell, it is at least a passable standard for what it actually is meant to do.
    A security feature has the purpose to protect the users and not restrict them.

    Even a trusted software from the user does not have a key, the system should create an exception system to install the software, like browsers do. The browser asks the user about the exception.

  6. #6
    Join Date
    Jan 2011
    Posts
    192

    Default

    Quote Originally Posted by lapis View Post
    A security feature has the purpose to protect the users and not restrict them.

    Even a trusted software from the user does not have a key, the system should create an exception system to install the software, like browsers do. The browser asks the user about the exception.
    Just because someone implements a feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.

  7. #7
    Join Date
    Mar 2011
    Posts
    71

    Default

    Quote Originally Posted by WorBlux View Post
    Just because someone implements a feature in a bad way doesn't mean that feature or standard is bad. Abuse is no argument against proper use. There's absolutely nothing in the standard which would prevent the addition of exceptions or new public keys into the firmware by an end user. Some providers likely will, some won't. Vote with your wallet.

    The user cannot create exceptions on Secure Boot. Ex: Ubuntu and Fedora need to create keys.
    Using public keys is not an exception because it needs a certificate authority.

  8. #8
    Join Date
    Jan 2011
    Posts
    192

    Default

    Quote Originally Posted by lapis View Post
    The user cannot create exceptions on Secure Boot. Ex: Ubuntu and Fedora need to create keys.
    Using public keys is not an exception because it needs a certificate authority.
    It's all based on OpenSSL in the core. You can create a private-public key-pair and an X.509 without the need for a third party.

    If the firmware allows you to use the X.509 as the PKI or sideload as a KEK without needing it linked to the PK, then the user is in control.

    http://feishare.com/uefi/uefi-secure-boot

    Quote Originally Posted by How to Enable Secure Boot
    8. Set appropriate value of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize
    for security feature relative databases which uses EFI Variable as storage.
    Each database stores in a single variable, the maximum variable size is
    defined by PCD value of gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize.
    Database categories include:
    1) PK database: only one entry for public key of PK plus header info.
    2) KEK database: multi-entry for public key of KEK plus header info.
    3) Authorized signature database: multi-entries for authorized signatures
    and one entry for root X509 certificate, plus header info.
    4) Forbidden signature database: multi-entries for forbidden signatures,
    plus header info.

    NOTICE: Typically the size of one X509 certificate is ~2k, which may exceed
    the default maximum variable size. Please adjust the value by PCD if
    needed.

    9. Set a platform policy of image verification by PCDs.
    User can customize platform policy of image verification by PCD value
    before build a platform. In [PcdsFixedAtBuild] section of SecurityPkg.dec
    file, set the PCD value for each type of device accordingly.

    For example, if the platform policy is defined as:
    1) Trust all images from OptionROM.
    2) Validate all images from removable devices and deny execute when security
    violation occurs.
    3) Validate all images from hard disk and query user to make decision when
    security violation occurs.
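
A simplified model of the signature check and the per-origin platform policy discussed in the post above, as an added example that is not part of the original thread and is not EDK2 code. The origin labels, function names and the `signer` string (standing in for a certificate whose signature on the image has already been verified) are assumptions.

```python
import hashlib
from enum import Enum
from typing import NamedTuple, Optional, Set

class Action(Enum):
    ALWAYS_EXECUTE = 1           # trust the image without checking it
    DENY_ON_VIOLATION = 2        # validate; refuse if validation fails
    QUERY_USER_ON_VIOLATION = 3  # validate; ask the user if validation fails

# The example platform policy from the quoted step 9 (origin labels are hypothetical).
POLICY = {
    "option_rom": Action.ALWAYS_EXECUTE,
    "removable": Action.DENY_ON_VIOLATION,
    "hard_disk": Action.QUERY_USER_ON_VIOLATION,
}

class SignatureStore(NamedTuple):
    db_certs: Set[str]   # authorized signer certificates (e.g. a self-made X.509)
    db_hashes: Set[str]  # authorized image hashes
    dbx: Set[str]        # forbidden image hashes or certificates

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def is_authorized(image: bytes, signer: Optional[str], store: SignatureStore) -> bool:
    # `signer` models "the certificate whose signature on this image verified".
    digest = sha256_hex(image)
    if digest in store.dbx or (signer is not None and signer in store.dbx):
        return False  # the forbidden database overrides the authorized one
    return digest in store.db_hashes or (signer is not None and signer in store.db_certs)

def may_execute(origin, image, signer, store, ask_user=lambda: False) -> bool:
    action = POLICY[origin]
    if action is Action.ALWAYS_EXECUTE:
        return True  # db and dbx are never consulted for this origin
    if is_authorized(image, signer, store):
        return True
    # Security violation: the platform policy decides what happens next.
    return ask_user() if action is Action.QUERY_USER_ON_VIOLATION else False

# Constructed sample data: one self-made certificate enrolled, one revoked image.
REVOKED = b"constructed-revoked-loader"
STORE = SignatureStore({"my-own-x509"}, set(), {sha256_hex(REVOKED)})
```

Under this policy an option ROM runs without db or dbx ever being consulted, so a revoked image from that origin still executes.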

  9. #9
    Join Date
    Mar 2011
    Posts
    71

    Default

    Quote Originally Posted by WorBlux View Post
    It's all based on OpenSSL in the core. You can create a private-public key-pair and an X.509 without the need for a third party.

    If the firmware allows you to use the X.509 as the PKI or sideload as a KEK without needing it linked to the PK, then the user is in control.

    http://feishare.com/uefi/uefi-secure-boot
    Why do Ubuntu and Red Hat need to buy a key?

  10. #10
    Join Date
    Apr 2012
    Location
    Germany
    Posts
    205

    Default

    Quote Originally Posted by lapis View Post
    Why do Ubuntu and Red Hat need to buy a key?
    They do not need to. Ubuntu/Canonical have made their own key for their bootloader/kernel to be able to run on machines with Secure Boot and the Ubuntu key. Fedora has bought the right to use a Microsoft key, just for convenience, because basically every motherboard will ship with this key. This way they don't have to convince the hardware manufacturers to use their key, unlike Canonical.
