Re: [GIT PULL] Load keys from signed PE binaries

From: Chris Friesen
Date: Wed Feb 27 2013 - 12:36:31 EST


On 02/27/2013 09:24 AM, Theodore Ts'o wrote:
On Tue, Feb 26, 2013 at 11:54:51AM -0500, Peter Jones wrote:
No, no, no. Quit saying nobody knows. We've got a pretty good idea -
we've got a contract with them, and it says they provide the signing
service, and under circumstances where the thing being signed is found
to enable malware that circumvents Secure Boot

The question is what does "malware that circumvents Secure Boot" mean?
Does starting up a hacked KVM and running Windows 8 under KVM so that
malware can be injected count as circumventing Secure Boot? If so, will
you have to disable KVM, too?

I could see an argument for KVM to require either a signed binary or else someone at the keyboard to explicitly okay loading the image. Anything else breaks the chain of trust.

It may be somewhat far-fetched, but I think it would be possible to take an existing secure-boot Win 8 install, turn it into a VM but with an infected kernel. Then install a signed Linux distro that runs the Win8 VM as a guest.

At this point you've got a running infected Win8 install that is running on Secure Boot hardware but is actually running malware.

Admittedly this would be tricky to do reliably in a way that the user doesn't notice, so it may not actually be a real-world threat.

Chris
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/