[uefi-secure-boot-guide] master: Add some initial notes about what SB is and is not. (72e4bbb)
sparks at fedoraproject.org
sparks at fedoraproject.org
Fri Feb 1 21:45:50 UTC 2013
Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git
On branch : master
>---------------------------------------------------------------
commit 72e4bbb5b9a9113fbdb5ca06d20f12023bb2a2ca
Author: Josh Bressers <josh at bress.net>
Date: Thu Jan 31 09:43:17 2013 -0600
Add some initial notes about what SB is and is not.
>---------------------------------------------------------------
en-US/What_is_Secure_Boot.xml | 21 +++++++++++++++++++--
1 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/en-US/What_is_Secure_Boot.xml b/en-US/What_is_Secure_Boot.xml
index 0ad0cc7..49c7b7f 100644
--- a/en-US/What_is_Secure_Boot.xml
+++ b/en-US/What_is_Secure_Boot.xml
@@ -17,13 +17,30 @@
<section id="sect-UEFI_Secure_Boot_Guide-What_is_Secure_Boot-Protect_you_from">
<title>What does Secure Boot protect you from?</title>
<para>
- Boot-sector vulnerabilities.
+ Secure Boot is really just a mechanism to protect the boot phase of
+a system. The goal is to prevent untrusted code from booting the system,
+once that part has been verified, it's up to the operating system to take
+over protection. This does give the potential for the operating system to
+extend this chain of trust down into user binaries, but that moves us
+outside of the concept of Secure Boot and into another topic.
+ </para>
+ <para>
+ Fedora has expanded the chain of trust into the Kernel.
+Verification happens as far as only loadin signed kernel modules, but it
+does not extend to user space applications. We can be certain that no
+malware is present until the initial ramdisk (initrd) is loaded. Since
+initrd cannot currently be signed, it cannot be verified.
</para>
</section>
<section id="sect-UEFI_Secure_Boot_Guide-What_is_Secure_Boot-Does_not_Protect_you_from">
<title>What does Secure Boot not protect you from?</title>
<para>
- Everything else.
+ Secure Boot will not protect your PC from malware or attackers.
+Secure Boot itslef is simply to protect the boot phase of a system. In
+Fedora if you use Secure Boot, what modules the kernel loads can be
+restricted, but user space malware cannot. This of course doesn't mean
+Secure Boot isn't useful, just that it currently only serves a single
+purpose, which is protecting the boot loader.
</para>
</section>
</chapter>
More information about the docs-commits
mailing list