Red Hat Will Pay Microsoft To Get Past UEFI Restrictions
Alan Cox
alan at lxorguk.ukuu.org.uk
Fri Jun 1 13:12:27 UTC 2012
> Typically you would only be able to manage the keys via the UEFI
> firmware UI, only accessible at boot time. Now of course an attack can
UEFI doesn't define UI. Which is a problem for getting any kind of sanity
here.
> be mounted against the firmware, but these are often set up to only
> initialize the minimum hardware necessary to run the boot loader. I
> don't think you can reduce the attack surface much more than that, and
> it's a good thing to keep it contained.
Correct. Any arrangement like this needs physical proof of presence. The
disabling of the "secure" mode likewise. A similar example is the switch
on the Chromebook - you can't software flip it.
Alan