secure boot and kernel module signing test?
Blibbet
blibbet at gmail.com
Thu Jul 16 16:13:57 UTC 2015
On 07/16/2015 08:23 AM, Roderick W. Smith wrote:
> Yes, that's correct. Ubuntu's kernel doesn't attempt to enforce Secure
> Boot policy beyond the main kernel file; once the kernel's loaded,
> it's possible to load an unsigned kernel module. Fedora, as you
> inferred, does require signing of kernel modules. Fedora's approach is
> arguably more secure, since an attacker can't load a malicious kernel
> module once the system has booted, but leads to problems with
> third-party kernel modules, like the in-kernel portions of nVidia and
> ATI/AMD video drivers.
Thanks very much, excellent insight.
I wonder if this difference in behavior is part of UEFI spec, or undefined.
Even though current Ubuntu behavior is based on policity decision,
perhaps a new test still might be useful, so user can determine this
level of information about the distro's Secure Boot implementation. FWTS
isn't only going to be used on Ubuntu sysetms, my main use of FWTS is
via Yocto-based LUV-live distro.
New test aside, is there an easy way to determine if a distro's kernel
supports one behavior or another, such as a kernel build prepreproc
directive or variable, or does it vary by distro? I'd like to
investigate behaviour of some of the other distros.
Thanks,
Lee
RSS: http://firmwaresecurity.com/feed
More information about the fwts-devel
mailing list