Comment Re:Doesn't work (Score 1) 274
Well, that's the point. Nothing you run before reboot will be able to run in the firmware, because it doesn't have the right signature.
No, only the first time you install a given key.
It must be possible to install your own keys, but that may be implemented by allowing you to clear the platform key and switch back to setup mode.
It'll only boot grub if grub is signed with a key that a physically present user has manually enrolled. If you choose to enrol a key that's been used to sign a grub that'll then boot anything (including viruses) then you're vulnerable, but such a virus would only be able to infect systems with that key installed - anyone who hasn't installed that key still gets the protection.
Given that I've been working with the Microsoft people who manage the signing for the best part of a year now, I'm pretty sure they know who I am and what I was getting signed.
If your system currently has Windows 8 installed, then do this:
1) Insert the install media
2) Mouse to the bottom right
3) Select "Settings"
4) Click "Power"
5) While holding down shift, click "Restart"
6) Click "Use a device"
7) Click your install media
This is a little more involved than ideal, but it's got the huge benefit that it's consistent between systems rather than requiring you to use different hotkeys for different platforms.
"With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?"
openssl req -new -nodes -x509 -outform DER -out sig.crt -keyout signing_key.priv
And then enrol it with mokutil or MokManager from shim.
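The two steps from the comment above as a script. This is an added example, not part of the original comment. The file names follow the comment; the subject CN, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example. sig.crt and signing_key.priv are the names used in the
# comment; the CN, RSA-2048 and the 10-year validity are assumptions.

# Generate a key pair and a self-signed certificate in DER form, the
# encoding mokutil takes for enrolment.
gen_mok_cert() {
    dir=$1
    ( umask 077   # keep the unencrypted private key unreadable to other users
      openssl req -new -nodes -x509 -newkey rsa:2048 -sha256 -days 3650 \
          -subj "/CN=Example local signing key/" \
          -outform DER -out "$dir/sig.crt" \
          -keyout "$dir/signing_key.priv" 2>/dev/null )
}

# Print the certificate's SHA-256 fingerprint so the key can be identified
# later, for example when auditing which keys a machine trusts.
cert_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256
}

# Queue the certificate for enrolment (needs root and a shim-booted system).
# mokutil asks for a one-time password; MokManager asks for it again on the
# next boot, so the key is only added with a user present at the console.
enroll_mok() {
    mokutil --import "$1" && mokutil --list-new
}

# Run as "sh script.sh enroll" to perform all steps in the current directory.
if [ "${1:-}" = "enroll" ]; then
    gen_mok_cert . && cert_fingerprint ./sig.crt && enroll_mok ./sig.crt
fi
```

Store signing_key.priv offline or on removable media: anything signed with it will boot on every machine where sig.crt is enrolled.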
Malware doesn't have a key in KEK, so it can't.
Keys can be revoked through OS updates. Check the UEFI spec for discussion of authenticated variables and dbx.
As the author of the linked article, things have somewhat changed since then - the language in the hwcert docs makes it clear that the hardware can be configured into a state where keys can be added. Is it a guarantee? No, but it's as close as is possible to get in the technology world.
"Right and if the modifications have absolutely nothing to do with the kernel or drivers then there is no obligation."
No. You must provide either the source or a written offer to provide the source to any third party on request regardless of whether you've modified the GPLed material or not.