Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Thibault Nélis thib at stammed.net
Fri Jun 1 12:58:30 UTC 2012


On 06/01/2012 02:27 PM, William Brown wrote:
> The problem with this scheme is that a "trusted" os would in theory,
> with the user's permission be able to somehow update the trusted key
> repository on the firmware. Which means the security of your machine is
> as good as the security of your firmware / the OS that is "trusted" to
> update the keys. Given certain operating systems' weak security record in
> the past, I would say that doing this would sadly amount to providing no
> security benefit at all ;)

Typically you would only be able to manage the keys via the UEFI 
firmware UI, only accessible at boot time.  Now of course an attack can 
be mounted against the firmware, but these are often set up to only 
initialize the minimum hardware necessary to run the boot loader.  I 
don't think you can reduce the attack surface much more than that, and 
it's a good thing to keep it contained.
-- 
t

