zlacker

[parent] [thread] 2 comments
1. jart+(OP)[view] [source] 2022-03-05 18:16:56
What's stopping the bad guys from using that shim to boot their own code? Is there a date when the shim expires and Microsoft has to renew it?
replies(1): >>Genbox+4I
2. Genbox+4I[view] [source] 2022-03-05 23:09:20
>>jart+(OP)
Well, it is a chain of trusted components that are responsible for loading the next component in the chain.

UEFI with Secure Boot enabled will only load the stage 1 bootloader if it is signed with the firmware trusted certificate. We don't know if this component is malicious, we just know it is signed by the certificate.

The stage 1 bootloader (shim) will then be responsible for loading the next component (stage 2 bootloader). It will only boot the component if it is signed with a trusted (chosen by the user/distro) certificate.

The bad guys can't insert themselves into this process, as they either have to be trusted by the UEFI firmware (protected by an owner password), signed by Microsoft (to replace the shim) or be signed by the distro's certificate.

As long as the chain is unbroken it is secure.

replies(1): >>jart+sL
◧◩
3. jart+sL[view] [source] [discussion] 2022-03-05 23:34:52
>>Genbox+4I
That's only possible if Microsoft signs a public key the distro owner controls and then embeds it inside a special build of their shim. In that case the distro owner can distribute any Linux Kernel they want, but they need authorization from Microsoft beforehand. Therefore you can't publish a UEFI Linux desktop without being in league with the adversary.
[go to top]