...kernel module signing on x86??? Why?
Alan Cox
alan at lxorguk.ukuu.org.uk
Fri Mar 9 10:24:45 UTC 2012
On Fri, 9 Mar 2012 11:07:55 +0100
"Joshua C." <joshuacov at googlemail.com> wrote:
> I saw that the x86 modules can (_should_) be signed int the future. We
> all know the pros and cons of signing but I'm wondering if all this
> _crap_ has anything to do with the microsoft's idea to use a signed
> bootloader, drivers, etc in the latest windoof 8. I think all of you
> have heard that there's a posibility to make the OEM vendors activate
> the so called "secure boot" by default.
It's mandatory they do so for Windows 8 logo on some machine classes
(the size of the class in question keeps growing too), so all Win 8 logo
systems will be locked down by default and require some undefined
screwing around to unlock. For x86 the spec currently does require they
can be unlocked, for ARM the last version I saw says it must be
impossible.
Beyond that at this point it looks like it'll be a matter for competition
bodies, lawsuits and the like to resolve. It's also not clear how it will
fit with the French law on not typing PCs and software together.
Module signing itself isn't just useful for that though - its a matter of
who owns the key and you can do your own module signing with your own key
irrespective of the bogus 'secure boot' stuff.
In theory you can even stuff said keys into the TPM and do very clever
tricks with them.
Alan
More information about the users
mailing list