7

On Ubuntu and possibly Debian systems, you can install packages which contain images which are signed by Ubuntu's EFI key. For example, linux-signed-image-generic-lts-trusty is one of these packages.

Say I have a fully-encrypted disk and an unencrypted boot partition, as is required. I use a PGP encrypted key file to decrypt my disk. What exactly does using these signed images get me in additional security? How trivial is it to generate a "signed" EFI kernel image which is compromised?

Naftuli Kay

1 Answer

7

With your unencrypted boot partition, malware could theoretically replace your unsigned kernel with its own (say, a hypervisor running your original kernel). This malware would then be undetectable by your system, while having full access to it.

A signed kernel closes this hole, at least in theory: since the malware hypervisor isn't signed, an EFI BIOS that requires a signed OS would refuse to load it.

The problem with this is that while a random malware author isn't likely to have a signing key recognized by your BIOS, a state-level actor is, and there's a decent chance that an author working for organized crime will.

Mark
  • > The problem with this is that while a random malware author isn't likely to have a signing key

    Taking into consideration that it's an idea of non-free-software companies... that means it doesn't make much sense, since the protection must be against organized crime, not against a poor one-man cracker (cracker, not hacker, ignorants). So in conclusion, a signed kernel can be booted using the stupid signed BIOS EFI, that's all, but it's completely crackable! And UEFI can be disabled in the BIOS-level setup. – PICCORO Lenz McKAY Apr 01 '17 at 15:05
  • @PICCOROLenzMcKAY Not having access to a signing key does not make this non-free software, as long as you are permitted to disable the signing mechanism and use an alternate kernel if you wish. – forest Dec 31 '17 at 01:55