[uefi-secure-boot-guide] master: Add some initial notes about what SB is and is not. (72e4bbb)

sparks at fedoraproject.org
Fri Feb 1 21:45:50 UTC 2013


Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git

On branch  : master

>---------------------------------------------------------------

commit 72e4bbb5b9a9113fbdb5ca06d20f12023bb2a2ca
Author: Josh Bressers <josh at bress.net>
Date:   Thu Jan 31 09:43:17 2013 -0600

    Add some initial notes about what SB is and is not.


>---------------------------------------------------------------

 en-US/What_is_Secure_Boot.xml |   21 +++++++++++++++++++--
 1 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/en-US/What_is_Secure_Boot.xml b/en-US/What_is_Secure_Boot.xml
index 0ad0cc7..49c7b7f 100644
--- a/en-US/What_is_Secure_Boot.xml
+++ b/en-US/What_is_Secure_Boot.xml
@@ -17,13 +17,30 @@
 	<section id="sect-UEFI_Secure_Boot_Guide-What_is_Secure_Boot-Protect_you_from">
 		<title>What does Secure Boot protect you from?</title>
 		<para>
-			Boot-sector vulnerabilities.
+		Secure Boot is really just a mechanism to protect the boot phase of
+a system. The goal is to prevent untrusted code from booting the system,
+once that part has been verified, it's up to the operating system to take
+over protection. This does give the potential for the operating system to
+extend this chain of trust down into user binaries, but that moves us
+outside of the concept of Secure Boot and into another topic.
+		</para>
+		<para>
+		Fedora has expanded the chain of trust into the Kernel.
+Verification happens as far as only loadin signed kernel modules, but it
+does not extend to user space applications. We can be certain that no
+malware is present until the initial ramdisk (initrd) is loaded. Since
+initrd cannot currently be signed, it cannot be verified.
 		</para>
 	</section>
         <section id="sect-UEFI_Secure_Boot_Guide-What_is_Secure_Boot-Does_not_Protect_you_from">
                 <title>What does Secure Boot not protect you from?</title>
                 <para>
-			Everything else.
+			Secure Boot will not protect your PC from malware or attackers.
+Secure Boot itslef is simply to protect the boot phase of a system. In
+Fedora if you use Secure Boot, what modules the kernel loads can be
+restricted, but user space malware cannot. This of course doesn't mean
+Secure Boot isn't useful, just that it currently only serves a single
+purpose, which is protecting the boot loader.
                 </para>
         </section>
 </chapter>
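
Review bot: The second paragraph added to the "Protect_you_from" section overstates the guarantee: "We can be certain that no malware is present until the initial ramdisk (initrd) is loaded" is an absolute claim, while the next sentence says initrd cannot be signed and so cannot be verified. Suggest describing what is actually verified (the boot chain into the kernel and signed kernel modules) and stating plainly that the unsigned initrd is where the verified chain stops. In the "Does_not_Protect_you_from" section, "Secure Boot will not protect your PC from malware or attackers" conflicts with the first section, which says the goal is to prevent untrusted code from booting the system; scoping that sentence to user space malware, as the sentence after it already does, would keep the two sections consistent. The closing "protecting the boot loader" should also match the "boot phase" wording used earlier in both sections. Typos: "loadin" should be "loading" and "itslef" should be "itself"; "booting the system, once that part has been verified" is a comma splice and reads better as two sentences. The continuation lines of each new paragraph start at column 0 inside <para>, unlike the indented first lines, so the indentation should be made uniform.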


