[coreboot] Feedback On Coreboot: the Solution to the Secure Boot Fiasco

Andrew Goodbody ajg4tadpole at gmail.com
Sat Jan 5 14:44:09 CET 2013

On 05/01/13 02:11, David Hubbard wrote:
> Hi Andrew,
> On Fri, Jan 4, 2013 at 5:09 PM, Andrew Goodbody <ajg4tadpole at gmail.com
> <mailto:ajg4tadpole at gmail.com>> wrote:
>     Enrol your own key. Sign your own kernel. Seems to scale linearly
>     per user to me.
>     Security is not free. There will always be a cost.
> I am actually quite conflicted because I try to look out for the
> underdog in every fight. Right now that would be you (no offense
> intended). Please view my comments as directed at Microsoft and the
> standard they have pushed onto us. And thanks for debating.

No offense taken. I have never been one for following the crowd just 
because. Debate is good.

> "Security is not free"
> I think the Linux kernel is a glaring hole in that argument. The Linux
> kernel is *free*, by many definitions. Oh, and it is the *right* way to
> implement security.

There is always a cost to security. The cost for Linux is that certain 
operations need privileged access so you have to do something special 
(su, sudo etc) in order to complete those operations. That is the sort 
of cost I am talking about when I say not free. There is also the added 
complexity in the code requiring careful maintenance and simply more 
time to implement. So yes security is not free.

> Secure Boot is neither libre nor gratis. For $99 you can have a closed
> DRM solution. All DRM solutions are fundamentally flawed because both
> lock *and* key must be present on the machine. The only thing DRM has
> consistently done is inconvenience the average person.

You only need to pay the $99 if you do not want to enrol your own key.
The point of PKI is that you can see the public key without being able 
to guess the private key. It is bugs in the implementation or leaks of 
the private key that have compromised current PKI systems, not 
fundamental flaws in the cryptography.

> "Enrol (sic) your own key. Sign your own kernel."

'Enrol' is correct English. For some reason American English adds a 
superfluous 'l' :-)

> For $99 I could get my kernel signed by Verisign. That does not scale.
> That was my point, thanks.

And my point was that you do not have to play that game. You can use 
Secure Boot without paying a penny to anybody. If you do not want to 
enrol your own key then you can use shim instead. You can go on 
compiling your own kernel and use Secure Boot without having to get it 
signed by Verisign every time.

> To attempt to convince all the OEM's to sign their UEFI drivers with my
> key would be impossible; furthermore, the UEFI spec only has *one* slot
> for signatures on OEM UEFI drivers.

Not true. Current tools only implement a single signing slot but there 
are tools being developed to allow multiple signatures. This will then 
need to be supported in the Secure Boot implementations so may not work 
on initial implementations.

> The whole bring-your-own-key argument is a red herring as soon as a
> third-party driver is involved, because the driver must then be trusted
> without verifying its signature. You wouldn't accept that kind of
> security compromise, would you?

The whole 3rd party driver thing complicates matters for sure. First of 
all do you even trust that driver? If you do then you can sign it and 
overwrite the signature it was shipped with. Also I believe that you can 
enrol a hash of a driver as an alternative means of verification to 
signature based verification although that may depend on the policy of 
that platform.

> I know I won't. I'll ditch Secure Boot entirely and use coreboot.
> Regards,
> David

Thanks for listening,

More information about the coreboot mailing list