Need more info: UEFI Secure Boot in Fedora
Alan Cox
alan at lxorguk.ukuu.org.uk
Thu May 31 12:38:53 UTC 2012
> Grub(2). This is signed by the fedora keys. It checks the signature of
> the kernel against the fedora keys.
> |
> v
> Kernel
No - this is insufficient. The kernel must also be locked down, check
every module, disallow iopl3() [ie some X features], disallow ioperm for
most ports, prevent any user even root from loading their own kernel
modules etc.
It's of course all a bit of a joke because it's then a simple matter of
using virtualisation to fake the "secure" environment and running the
"secure" OS in that 8)
> No. I would assume the Fedora project pays the $99, and then distrubtes
> the signed bootloader component, with the fedora keys built in.
I don't believe that would be compliant with the Fedora Project
definitions of freedom.
Alan
More information about the users
mailing list