Half-OT: Secure boot and third party kernel modules

quickbooks office quickbooks.office at gmail.com
Tue Jul 15 12:24:01 UTC 2014


So did any of you get it to work?

That is, signing VirtualBox modules and enabling Secure Boot in the BIOS?

On Tue, Jul 8, 2014 at 6:20 AM, Sergio Belkin <sebelk at gmail.com> wrote:
>
>
> 2014-07-08 5:47 GMT-03:00 Florian Weimer <fweimer at redhat.com>:
>
>> On 07/08/2014 10:19 AM, Petr Pisar wrote:
>>>
>>> On 2014-07-07, Florian Weimer <fweimer at redhat.com> wrote:
>>>>
>>>> Note that Microsoft's current policy may not allow unrestricted
>>>> virtualization (KVM or Virtualbox—does not matter) because that "permits
>>>> launch of another operating system instance after execution of
>>>> unauthenticated code"—the wording is rather unclear.  If Microsoft
>>>> clarifies that this is forbidden, a future Fedora update will remove
>>>> this functionality, so you will be forced to disable Secure Boot at this
>>>> point anyway if you want to continue to use virtualization.
>>
>>
>>> Could you elaborate more what "unauthenticated code" is in this case?
>>
>>
>> I think it's code that is not cryptographically tied (indirectly) to one
>> of the Secure Boot trust roots.
>>
>> However, I don't really know what Microsoft means.  It's conceivable that
>> they assume we sign all of user space (not just for installation purposes),
>> and they might have a wrong idea about what we can implement in our system.
>>
>>
>>> Is
>>> it a userspace tool for controlling in-kernel virtualization (e.g. qemu
>>> in case of KVM)? Because KVM as a kernel module is signed.
>>
>>
>> It's unclear.  One possible interpretation is that virtualization acts as
>> a barrier because it does not provide access to "real" ring 0 on the host.
>> It sounds reasonable, but it doesn't really match Microsoft's wording I
>> quoted above (from a public blog post).
>>
>>
>> --
>> Florian Weimer / Red Hat Product Security
>> --
>> devel mailing list
>> devel at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/devel
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>
>
> Thanks everybody for enlightening me about this obscure topic :)
>
>
> --
> --
> Sergio Belkin  http://www.sergiobelkin.com
> LPIC-2 Certified - http://www.lpi.org
>
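The practical question at the top of the thread is whether a third-party module such as VirtualBox's can coexist with Secure Boot. Under Secure Boot, Fedora's kernel only loads modules whose appended signature chains to a trusted key (the distribution key or a Machine Owner Key enrolled via mokutil), so the two things a practitioner wants to check are the firmware's Secure Boot state and whether a given module actually carries a signature. The script below is an added example, not code from the thread or from the Fedora or VirtualBox projects; the modinfo samples are constructed, the `KVER` path component is a placeholder, and the `sign-file` location under `/usr/src/kernels` assumes the matching kernel-devel package is installed.

```shell
#!/bin/sh
# Added example: check Secure Boot state and kernel-module signatures.

# Secure Boot state from the EFI variable. The efivars file carries a 4-byte
# attribute header followed by the variable data; the data byte is 1 when
# Secure Boot is enforcing. Prints "enabled", "disabled" or "unknown".
sb_state() {
    var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$var" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print the "signer:" field from modinfo output read on stdin. modinfo only
# emits signer/sig_key/sig_hashalgo for modules with an appended signature,
# so a missing field means the module is unsigned and will be rejected when
# Secure Boot is on.
module_signer() {
    awk -F':' '$1 == "signer" { sub(/^[ \t]+/, "", $2); print $2; found = 1 }
               END { if (!found) print "(unsigned)" }'
}

# Exit 0 when the modinfo text on stdin shows a signature, 1 otherwise.
module_is_signed() {
    [ "$(module_signer)" != "(unsigned)" ]
}

# Live check on a real system: report the signer of an installed module.
check_module() {
    modinfo "$1" 2>/dev/null | module_signer
}

# Sign a third-party module with an already-enrolled Machine Owner Key.
# Assumes sign-file from the running kernel's kernel-devel tree; the key
# pair must have been created with openssl and enrolled with mokutil first.
sign_module_with_mok() {
    key=$1; cert=$2; module=$3
    signfile=/usr/src/kernels/$(uname -r)/scripts/sign-file
    [ -x "$signfile" ] || { echo "sign-file not found at $signfile" >&2; return 1; }
    "$signfile" sha256 "$key" "$cert" "$module"
}

# Constructed modinfo samples (not captured from a real machine).
SAMPLE_SIGNED='filename:       /lib/modules/KVER/kernel/arch/x86/kvm/kvm.ko
license:        GPL
signer:         Fedora kernel signing key
sig_key:        AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01
sig_hashalgo:   sha256'

SAMPLE_UNSIGNED='filename:       /lib/modules/KVER/extra/VirtualBox/vboxdrv.ko
license:        GPL
description:    Oracle VM VirtualBox Support Driver'

# Demonstration on the constructed samples.
echo "Secure Boot: $(sb_state)"
echo "kvm.ko signer:     $(printf '%s\n' "$SAMPLE_SIGNED" | module_signer)"
echo "vboxdrv.ko signer: $(printf '%s\n' "$SAMPLE_UNSIGNED" | module_signer)"
```

On a live machine, `check_module vboxdrv` shows whether the installed VirtualBox driver carries any signature at all; if it does not, and `sb_state` prints `enabled`, the module will fail to load until it is signed with an enrolled MOK. Note that the check only tells you a signature is present and who it names, not that the key is trusted by the running kernel; that final decision is made by the kernel at load time.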

