On Sun, 2012-11-04 at 04:28 +0000, Matthew Garrett wrote: > On Sat, Nov 03, 2012 at 10:56:40PM +0000, James Bottomley wrote: > > On Sat, 2012-11-03 at 13:46 +0000, Matthew Garrett wrote: > > > I... what? Our signed bootloader will boot our signed kernel without any > > > physically present end-user involvement. We therefore need to make it > > > as difficult as practically possible for an attacker to use our signed > > > bootloader and our signed kernel as an attack vector against other > > > operating systems, which includes worrying about hibernate and kexec. If > > > people want to support this use case then patches to deal with that need > > > to be present in the upstream kernel. > > > > Right, but what I'm telling you is that by deciding to allow automatic > > first boot, you're causing the windows attack vector problem. You could > > easily do a present user test only on first boot which would eliminate > > it. Instead, we get all of this. > > Your definition of "Best practices" is "Automated installs are > impossible"? Have you ever actually spoken to a user? Are you sure you've spoken to the right users if you think they use a distro boot system to do automated installs? I've actually had more than enough experience with automated installs over my career: they're either done by paying someone or using a provisioning system. In either case, they provision a static image and boot environment description, including EFI boot services variables, so you can provision a default MOK database if you want the ignition image not to pause on firstboot. There is obviously the question of making the provisioning systems secure, but it's a separate one from making boot secure. James -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html