Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git
On branch : master
commit 83c9ec1e4f780e80397306414cfe73b1088813f6
Author: Josh Bressers josh@bress.net
Date: Thu Jan 31 09:43:17 2013 -0600
Add some initial notes about what SB is and is not.
Signed-off-by: Eric Christensen sparks@redhat.com
en-US/What_is_Secure_Boot.xml | 21 +++++++++++++++++++--
1 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/en-US/What_is_Secure_Boot.xml b/en-US/What_is_Secure_Boot.xml index 0ad0cc7..49c7b7f 100644 --- a/en-US/What_is_Secure_Boot.xml +++ b/en-US/What_is_Secure_Boot.xml @@ -17,13 +17,30 @@ <section id="sect-UEFI_Secure_Boot_Guide-What_is_Secure_Boot-Protect_you_from"> <title>What does Secure Boot protect you from?</title> <para> - Boot-sector vulnerabilities. + Secure Boot is really just a mechanism to protect the boot phase of +a system. The goal is to prevent untrusted code from booting the system, +once that part has been verified, it's up to the operating system to take +over protection. This does give the potential for the operating system to +extend this chain of trust down into user binaries, but that moves us +outside of the concept of Secure Boot and into another topic. + </para> + <para> + Fedora has expanded the chain of trust into the Kernel. +Verification happens as far as only loadin signed kernel modules, but it +does not extend to user space applications. We can be certain that no +malware is present until the initial ramdisk (initrd) is loaded. Since +initrd cannot currently be signed, it cannot be verified. </para> </section> <section id="sect-UEFI_Secure_Boot_Guide-What_is_Secure_Boot-Does_not_Protect_you_from"> <title>What does Secure Boot not protect you from?</title> <para> - Everything else. + Secure Boot will not protect your PC from malware or attackers. +Secure Boot itslef is simply to protect the boot phase of a system. In +Fedora if you use Secure Boot, what modules the kernel loads can be +restricted, but user space malware cannot. This of course doesn't mean +Secure Boot isn't useful, just that it currently only serves a single +purpose, which is protecting the boot loader. </para> </section> </chapter>
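Review bot: In the second added <para> of the "Protect_you_from" section, "We can be certain that no malware is present until the initial ramdisk (initrd) is loaded" claims more than signature verification provides. What the surrounding text supports is that the boot path up to the kernel and its modules is verified as signed, and that the unsigned initrd is the first component that cannot be verified; suggest rewording to say that. In the "Does_not_Protect_you_from" section, "Secure Boot will not protect your PC from malware or attackers" reads as contradicting the goal stated earlier in the same hunk ("prevent untrusted code from booting the system"), and "only serves a single purpose, which is protecting the boot loader" disagrees with the paragraph saying Fedora has expanded the chain of trust into the kernel and signed kernel modules. Scoping the first sentence to user space malware and the last to "the boot phase" would make the two sections consistent. Smaller points: "loadin" should be "loading", "itslef" should be "itself", "booting the system, once that part has been verified" is a comma splice that wants a full stop, and the continuation lines inside each <para> start at column 0 while the first line is indented.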