Score:0

Secure Boot with Ubuntu

I would like to ask about the Secure Boot feature in UEFI, especially in the Ubuntu context.

I know that Ubuntu official ISO images are signed with a Secure Boot signature.

Let's assume we have a PC with Secure Boot enabled. My questions are as follows:

  1. Will Secure Boot or the Ubuntu installer notice and terminate if I change a random single bit in the ISO image, burn that image to a DVD and then try to boot?

  2. Same question as above, but when writing to a USB drive with e.g. the dd command?

  3. Optional, slightly off-topic question: what about the above scenario with other Secure Boot-enabled installation images like Windows or Passmark Memtest (which have official signatures and will start with SB)?

Generally speaking, I would like to know whether Secure Boot provides protection against a scenario where a hacker takes part of the official ISO, modifies it with some additional malware and uses that ISO to spread it (and Secure Boot will not notice, as the hacker's version is based on the official ISO, but modified).

Best regards

guiverc

It was my understanding that Secure Boot is handled by the *firmware* on the machine, i.e. it's the firmware code that decides if the media is bootable (i.e. the decision is made before Ubuntu is running). Ubuntu's involvement in that is creating the ISO, not the booting/execution of that ISO. https://wiki.ubuntu.com/UEFI/SecureBoot https://wiki.debian.org/SecureBoot

Score:2

Secure Boot is not a complete security solution. It is but one step along the chain-of-trust.

Ubuntu's fully-authorized implementation of Secure Boot means that your install USB is a permitted boot medium. It's not intended to detect changes to the entire install image. It is intended to ensure that the included GRUB bootloader has not been poisoned.

Many legitimate users edit install images for their own purposes -- that's how Open Source software works. Their properly-made images boot...because the bootloader is unchanged.

See "How Shim verifies binaries in secure boot?" and https://wiki.ubuntu.com/UEFI/SecureBoot for a lengthy explanation of how Secure Boot works with Ubuntu.

There are layers of different protections, unrelated to Secure Boot and many much older, that detect or prevent corruption or tampering with the filesystem and with the software packages to be installed upon that filesystem.
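
The difference between the two kinds of check, as an added example that is not part of the original answer: a bit flipped outside the bootloader passes a bootloader-only check but fails a whole-image checksum in `sha256sum` format. Assumptions: the 64-byte "bootloader" region, the file name `example.iso` and all sample bytes are constructed, and the firmware's signature verification of the bootloader binary is modelled here as a plain digest comparison.

```python
import hashlib

BOOT_LEN = 64  # constructed layout: the first 64 bytes stand in for the signed bootloader

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex>  name' (text) or '<hex> *name' (binary)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):
            name = name[1:]
        sums[name] = digest.lower()
    return sums

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def check(image: bytes, name: str, sums: dict, trusted_boot_digest: str) -> dict:
    """bootloader_ok models the boot-time check; image_ok is the download checksum."""
    return {
        "bootloader_ok": sha256_hex(image[:BOOT_LEN]) == trusted_boot_digest,
        "image_ok": sums.get(name) == sha256_hex(image),
    }

# Constructed sample image: bootloader bytes followed by installer payload bytes.
ORIGINAL = bytes(range(BOOT_LEN)) + b"installer-payload " * 8
TRUSTED_BOOT = sha256_hex(ORIGINAL[:BOOT_LEN])
SUMS = parse_sums(f"{sha256_hex(ORIGINAL)} *example.iso\n")

PAYLOAD_FLIP = flip_bit(ORIGINAL, BOOT_LEN * 8 + 3)  # one bit changed in the payload
BOOT_FLIP = flip_bit(ORIGINAL, 5)                    # one bit changed in the bootloader

if __name__ == "__main__":
    for label, img in [("original", ORIGINAL), ("payload flip", PAYLOAD_FLIP),
                       ("bootloader flip", BOOT_FLIP)]:
        print(label, check(img, "example.iso", SUMS, TRUSTED_BOOT))
```

A checksum file only helps if it comes from a trusted source; a checksum shipped alongside a modified image can be modified with it.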
