> Once upon a time, Peter Robinson <pbrobinson@gmail.com> said:
> > U-Boot upstream has supported UEFI secure boot for a while. I've been
> > meaning on looking into it and enrolling the Fedora keys into our
> > builds so it's there across all our officially supported devices.
>
> I saw the U-Boot supports Secure Boot, but... does that add any security
> in the typical Fedora setup, where U-Boot is on the same storage as
> shim, grub2, and the kernel? I would think you'd only gain security
> from U-Boot's Secure Boot support if U-Boot itself was in firmware that
> can't be modified (at least easily) from Linux.
Without further changes, no it doesn't, a lot of the U-Boot we build
now actually can go on SPI flash so in a lot of cases it's not the
same storage.
Of course to properly do fully secure boot chain you'd need to fully
sign the firmware stack, most U-Boot builds these day for aarch64 are
a collection of 3-4 firmware, and then of course burn those keys into
a OTP on the chip at which point you'd have that full stack.
So no it doesn't provide that full level of security because without
that process you don't get a fully authenticated boot flow that has
each step verify the next one, but it's possible and I think it's
useful to be able to demonstrate that. I'm also working with some
vendors to actually implement that full stack.
Peter
--
_______________________________________________
arm mailing list -- arm@lists.fedoraproject.org
To unsubscribe send an email to arm-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
No comments:
Post a Comment