[coreboot] Feedback On Coreboot: the Solution to the Secure Boot Fiasco
ajg4tadpole at gmail.com
Sat Jan 5 14:44:09 CET 2013
On 05/01/13 02:11, David Hubbard wrote:
> Hi Andrew,
> On Fri, Jan 4, 2013 at 5:09 PM, Andrew Goodbody <ajg4tadpole at gmail.com
> <mailto:ajg4tadpole at gmail.com>> wrote:
> Enrol your own key. Sign your own kernel. Seems to scale linearly
> per user to me.
> Security is not free. There will always be a cost.
> I am actually quite conflicted because I try to look out for the
> underdog in every fight. Right now that would be you (no offense
> intended). Please view my comments as directed at Microsoft and the
> standard they have pushed onto us. And thanks for debating.
No offense taken. I have never been one for following the crowd just
because. Debate is good.
> "Security is not free"
> I think the Linux kernel is a glaring hole in that argument. The Linux
> kernel is *free*, by many definitions. Oh, and it is the *right* way to
> implement security.
There is always a cost to security. The cost for Linux is that certain
operations need privileged access so you have to do something special
(su, sudo etc) in order to complete those operations. That is the sort
of cost I am talking about when I say not free. There is also the added
complexity in the code requiring careful maintenance and simply more
time to implement. So yes security is not free.
> Secure Boot is neither libre nor gratis. For $99 you can have a closed
> DRM solution. All DRM solutions are fundamentally flawed because both
> lock *and* key must be present on the machine. The only thing DRM has
> consistently done is inconvenience the average person.
You only need to pay the $99 if you do not want to enrol your own key.
The point of PKI is that you can see the public key without being able
to guess the private key. It is bugs in the implementation or leaks of
the private key that have compromised current PKI systems, not
fundamental flaws in the cryptography.
> "Enrol (sic) your own key. Sign your own kernel."
'Enrol' is correct English. For some reason American English adds a
superfluous 'l' :-)
> For $99 I could get my kernel signed by Verisign. That does not scale.
> That was my point, thanks.
And my point was that you do not have to play that game. You can use
Secure Boot without paying a penny to anybody. If you do not want to
enrol your own key then you can use shim instead. You can go on
compiling your own kernel and use Secure Boot without having to get it
signed by Verisign every time.
> To attempt to convince all the OEM's to sign their UEFI drivers with my
> key would be impossible; furthermore, the UEFI spec only has *one* slot
> for signatures on OEM UEFI drivers.
Not true. Current tools only implement a single signing slot but there
are tools being developed to allow multiple signatures. This will then
need to be supported in the Secure Boot implementations so may not work
on initial implementations.
> The whole bring-your-own-key argument is a red herring as soon as a
> third-party driver is involved, because the driver must then be trusted
> without verifying its signature. You wouldn't accept that kind of
> security compromise, would you?
The whole 3rd party driver thing complicates matters for sure. First of
all do you even trust that driver? If you do then you can sign it and
overwrite the signature it was shipped with. Also I believe that you can
enrol a hash of a driver as an alternative means of verification to
signature based verification although that may depend on the policy of
> I know I won't. I'll ditch Secure Boot entirely and use coreboot.
Thanks for listening,
More information about the coreboot