Oracle adds secure-ish boot support to its Linux distro

But how secure is it?

Oracle has released a new secure-boot version of its Linux, but the new issuance is attracting criticism that it's not actually secure.

The issue, according to a series of Tweets by Linux engineer Matthew Garrett, is that Oracle's Unbreakable Enterprise Kernel supports kexec_load() and carries the same signature as the kernel Oracle sources from Red Hat.

Rather than death-by-paraphrasing, Garrett's Tweet stream is below.

The Secure Boot support is meant to ensure that there's a chain of trust in the boot process, as described by Oracle SVP for Linux and Virtualisation Engineering Wim Coekarts here.

“When the firmware loads the boot loader, it verifies/checks the signature of this bootloader with the key stored in firmware before continuing”, Coekarts writes. That emphasis on the signing would indicate that if Garrett's criticism is accurate, there is a serious hole in the process.

The Register has asked Oracle for comment on the issues raised by garrett in his Tweets. ®




Biting the hand that feeds IT © 1998–2019