Half-OT: Secure boot and thirdy party kernel modules

Sergio Belkin sebelk at gmail.com
Tue Jul 8 13:20:17 UTC 2014 

2014-07-08 5:47 GMT-03:00 Florian Weimer <fweimer at redhat.com>:

> On 07/08/2014 10:19 AM, Petr Pisar wrote:
>
>> On 2014-07-07, Florian Weimer <fweimer at redhat.com> wrote:
>>
>>> Note that Microsoft's current policy may not allow unrestricted
>>> virtualization (KVM or Virtualbox—does not matter) because that "permits
>>> launch of another operating system instance after execution of
>>> unauthenticated code"—the wording is rather unclear.  If Microsoft
>>> clarifies that this is forbidden, a future Fedora update will remove
>>> this functionality, so you will be forced to disable Secure Boot at this
>>> point anyway if you want to continue to use virtualization.
>>>
>>
>  Could you elaborate more what "unauthenticated code" is in this case?
>>
>
> I think it's code that is not cryptographically tied (indirectly) to one
> of the Secure Boot trust roots.
>
> However, I don't really know what Microsoft means.  It's conceivable that
> they assume we sign all of user space (not just for installation purposes),
> and they might have a wrong idea about what we can implement in our system.
>
>
>  Is
>> it a userspace tool for controlling in-kernel virtualization (e.g. qemu
>> in case of KVM)? Because KVM as a kernel module is signed.
>>
>
> It's unclear.  One possible interpretation is that virtualization acts as
> a barrier because it does not provide access to "real" ring 0 on the host.
>  It sounds reasonable, but it doesn't really match Microsoft's wording I
> quoted above (from a public blog post).
>
>
> --
> Florian Weimer / Red Hat Product Security
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>

Thanks everybody for enlighten me about this obscure topic :)

-- 
--
Sergio Belkin  http://www.sergiobelkin.com
LPIC-2 Certified - http://www.lpi.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140708/738479c8/attachment.html>

More information about the devel mailing list