Unsigned kernel boot
Dmitry Kasatkin
dmitry.kasatkin at gmail.com
Tue Nov 12 09:31:19 UTC 2013
On Mon, Nov 11, 2013 at 3:35 PM, Andy Whitcroft <apw at canonical.com> wrote:
> On Mon, Nov 11, 2013 at 03:05:53PM +0200, Dmitry Kasatkin wrote:
>> Hello,
>>
>> Shim in my 13.04 was just upgraded and I see that Ubuntu now boots
>> an unsigned kernel on a secure boot enabled system.
>>
>> Why is that?
>>
>> In secure boot it should not be possible to boot an unsigned kernel...
>
> That is not the guarantee that shim makes at all. It says it will not
> start an unsigned kernel with boot-services still available, i.e. if the
> kernel is not signed it will close up access to the EFI settings before
> handoff to anything unsigned.
>
> -apw
Hi,
What is done is very very bad...
You are basically breaking the security of the system and allowing anyone
to put their own kernel on my system.
If secure boot is enabled, only a "signed" kernel must boot.
- Dmitry
--
Thanks,
Dmitry