Linked by Thom Holwerda on Sun 10th Feb 2013 22:18 UTC, submitted by Nth_Man
Hardware, Embedded Systems " bricked a Samsung laptop today. Unlike most of the reported cases of Samsung laptops refusing to boot, I never booted Linux on it - all experimentation was performed under Windows. It seems that the bug we've been seeing is simultaneously simpler in some ways and more complicated in others than we'd previously realised." On a related note, the Linux Foundation's UEFI secure boot system has been released.
Permalink for comment 552110
To read all comments associated with this story, please click here.
Linux Foundation Secure Boot loader
by Neolander on Mon 11th Feb 2013 07:46 UTC
Neolander
Member since:
2010-03-08

So, if I get it right, what the Linux Foundation plans to do is to let us boot kernels with an invalid signature, provided that the user clicks the "OK" button of a scary warning. Sounds like a step in the right direction, but if we have to do that on every boot, it's still not a viable long-term plan.

I also like the SUSE option ( https://www.suse.com/blogs/uefi-secure-boot-details/ ) quite a lot, save for being a bit cumbersome. It keeps the full security benefits of signing, but puts it in the hands of users, the way it should have been done to start with in the UEFI spec. Never heard of it before, though...

What I wish is that someone would come up with a signed bootloader that detects kernels which are signed with an unknown key, display them with a little (unsigned) warning next to them, and show a scary warning when a user tries to boot them. If the user still wishes to proceed, the unknown key is enrolled in the database semi-permanently (it can be revoked later if necessary). That would be more user-friendly than the SUSE option, while offering the same benefits. I don't know why nobody has tried that one...

Edited 2013-02-11 08:06 UTC

Reply Score: 3