Reply to post: Re: Great plan Timmy. @Caffinated Sponge

Macs to Linux fans: Stop right there, Penguinista scum, that's not macOS. Go on, git outta here

Peter Gathercole Silver badge

Re: Great plan Timmy. @Caffinated Sponge

My previous post on this was a little incomplete. I had not realized that on Intel Secure Boot systems, there is a 'shim' bootloader signed against a Microsoft certificate that can isolate grub and the kernel from Secure Boot. This shim will do additional signature checking, and have certificates maintained by the sysadmin to allow locally compiled versions of grub to be booted. So only the shim needs to be signed against a certificate in the Secure Boot in the UEFI.

But my original point is that the certificates installed in the Secure Boot system are entirely under the control of the hardware vendor. For the UEFI used on Intel systems to boot Windows, the main certificate holder is Microsoft. Microsoft has come up with this method to allow some Linux distributions to sign against the shim certificates, and allowed them to get grub or other bootloader signed with the shim certificate.

UEFI does have a facility to install new certificates, but I think many systems have this disabled so the only certificates that can be used are those that were installed when the system was created.

I suspect that on latest Apple hardware, the only certificate holder is Apple, and only Apple certificates are installed.

If Apple choose not to sign the shim bootloader, then you can't run Linux. It's nothing the Linux community can change, it's completely at Apple's discretion.

I think that the cryptography involved in signing with a certificate is sufficiently advanced that you can't 'steal' a certificate. There is magic (read - a cryptographic checksum) in the signature that will check that the code that contains the certificate signature has not been tampered with. So the only solution is to obtain a correct signature for your code. If Apple don't want to grant one, then tough.

I can totally see why some people want to be able to prove that their system is secure, and is only running software from a recognized source (I won't say trusted, because I think that some OS vendors have abused any trust that they once may have had), but the mechanism used is a double-edged sword which allows these organizations to eliminate rival and alternative OS installations.

So far Microsoft have been prepared to play fair. But there is absolutely nothing that says that they will remain that way. Remember, the last E in EEE is Extinguish...
