On 01/08/2013 04:25 PM, Jaroslav Reznik wrote:
> Following the implementation of Features/SecureBoot, we can extend the Secure Boot keys as a root of trust provided by the hardware against which we can verify a signature on our key files, thus guaranteeing that they're from the same source as the boot media.
It just occurred to me that this has zero chance of working because an attacker can always take the already-signed boot path from the F18 installer and use that to boot a modified F19 installation image. We cannot retroactively add these checks to the F18 installation images (or F18 installations). We could theoretically revoke the signatures on the F18 binaries, but this would not go well with our users.
And it's not just us: an attacker could still use any other signed, non-interactive boot loader/Linux kernel combination.
This is related to the lack of universally agreed-upon semantics for Secure Boot. A Secure Boot signature does not mean that the image is harmless to boot. I've recently raised this ambiguity on the oss-security mailing list in the "Plug-and-wipe and Secure Boot semantics" thread:
<http://www.openwall.com/lists/oss-security/2012/12/18/1>

-- 
Florian Weimer / Red Hat Product Security Team

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
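The objection above can be made concrete with a small model of the boot chain. This is an added example for this thread, not code from Fedora, shim or either poster: firmware accepts any loader signed by a key in db and not listed in dbx, and only the newer ("F19") loader goes on to verify the key file shipped with the install media. HMAC-SHA256 stands in for the vendor's asymmetric signing key so the script runs on the Python standard library alone; the loader names, the `checks_image` flag and the sample image bytes are constructed for the illustration.

```python
"""Model of the boot-path reuse problem: an older signed loader that
does not verify the install media lets a tampered image boot, and only
revocation (dbx) closes the gap. Added example; assumptions are marked."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed key: HMAC-SHA256 stands in for the vendor's signing key.
# Real Secure Boot uses RSA signatures over PE images; the substitution
# keeps the example stdlib-only and is not how Fedora signs binaries.
VENDOR_KEY = secrets.token_bytes(32)


def sign(data: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


@dataclass(frozen=True)
class Loader:
    """A signed, non-interactive boot loader + kernel ("boot path")."""
    name: str
    code: bytes          # stands in for the signed PE binary
    checks_image: bool   # assumption: does this release verify the media?
    sig: bytes


def build_loader(name: str, checks_image: bool) -> Loader:
    code = f"{name}:checks_image={checks_image}".encode()
    return Loader(name, code, checks_image, sign(code))


@dataclass
class Image:
    payload: bytes       # constructed stand-in for the install media
    keyfile_sig: bytes   # signature on the media's key file / manifest


def build_image(payload: bytes) -> Image:
    return Image(payload, sign(payload))


def tamper(image: Image) -> Image:
    """Attacker modifies the media but cannot re-sign its key file."""
    return Image(image.payload + b"\n# attacker-modified", image.keyfile_sig)


@dataclass
class Firmware:
    dbx: set = field(default_factory=set)   # revoked loader hashes

    def boot(self, loader: Loader, image: Image) -> bool:
        """Return True if firmware + loader would boot `image`."""
        # 1. Firmware: loader must carry a valid vendor signature (db)
        #    and must not be revoked (dbx).
        if not verify(loader.code, loader.sig):
            return False
        if hashlib.sha256(loader.code).hexdigest() in self.dbx:
            return False
        # 2. Loader: only a release that knows about the check verifies
        #    the media's key file before booting it.
        if loader.checks_image and not verify(image.payload, image.keyfile_sig):
            return False
        return True

    def revoke(self, loader: Loader) -> None:
        """Add the loader's hash to dbx (the unpopular fix from the mail)."""
        self.dbx.add(hashlib.sha256(loader.code).hexdigest())


def demo() -> dict:
    fw = Firmware()
    old = build_loader("F18", checks_image=False)   # already signed, no check
    new = build_loader("F19", checks_image=True)    # signed, verifies media
    good = build_image(b"F19 install media")
    bad = tamper(good)
    results = {
        "new loader, good image": fw.boot(new, good),
        "new loader, tampered image": fw.boot(new, bad),
        "old loader, tampered image": fw.boot(old, bad),
    }
    fw.revoke(old)
    results["old loader revoked, tampered image"] = fw.boot(old, bad)
    return results


if __name__ == "__main__":
    for case, booted in demo().items():
        print(f"{case:40s} -> {'boots' if booted else 'refused'}")
```

The third case is the attack from the mail: the tampered image is refused by the new loader but boots under the old one, because nothing in the firmware's policy ties a signed loader to the media it came with. Only the final case, after the old loader's hash is pushed to dbx, refuses it, which is exactly the revocation the mail says users would not accept.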