253 points pabs3 | 2 comments
palata No.44602753
[Warning: I'm not interested in sarcasm or uninformed rants against secure boot, there are plenty already]

I'm hoping to get insights from people who understand secure boot well here. My understanding on Android (for the minority of Android manufacturers that do it correctly) is that there is a "manufacturer key" burnt somewhere on the ROM that cannot ever be changed, and once a first system is installed properly:

1. It is impossible to overwrite the system partitions unless the bootloader is unlocked from the already-installed OS (I assume that something makes sure that only the signed OS can unlock the bootloader?).

2. Once the bootloader is unlocked, it is impossible to overwrite only parts of the system: it's all or nothing, such that one cannot inject stuff into an existing system (evil maid style).

Still on Android, it's possible to add custom keys. That's what GrapheneOS and the likes use.

How is it on UEFI? It sounds like the "manufacturer keys" are always from Microsoft, but is there not a way to use custom keys?

replies(3): >>44602785 #>>44602973 #>>44603027 #
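On the UEFI side, using your own keys comes down to wrapping your certificate in the EFI_SIGNATURE_LIST format that the PK, KEK and db variables hold and enrolling it from Setup Mode. As an added example (not from this thread or from any of the projects named in it), here is a minimal builder and parser for that structure, the same layout that efitools' cert-to-efi-sig-list emits; the function names and the sample certificate bytes are my own construction:

```python
import struct
import uuid

# Signature type for an entry holding a DER-encoded X.509 certificate
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
ESL_HEADER_LEN = 28  # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize

def build_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST ready for enrolment
    as PK, KEK or db (hypothetical helper name)."""
    # EFI_SIGNATURE_DATA = SignatureOwner GUID followed by the certificate
    sig_data = owner.bytes_le + der_cert
    header = struct.pack("<16sIII",
                         EFI_CERT_X509_GUID.bytes_le,   # SignatureType (mixed-endian GUID)
                         ESL_HEADER_LEN + len(sig_data), # SignatureListSize
                         0,                              # SignatureHeaderSize (none for X.509)
                         len(sig_data))                  # SignatureSize
    return header + sig_data

def parse_esl(blob: bytes):
    """Walk a variable payload made of one or more signature lists and
    return (signature_type, owner, data) tuples (hypothetical helper name)."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = struct.unpack_from("<16sIII", blob, off)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + ESL_HEADER_LEN + hdr_size : off + list_size]
        # Every entry carries a 16-byte owner GUID, so a smaller size is malformed
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            item = body[i:i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type),
                            uuid.UUID(bytes_le=item[:16]),
                            item[16:]))
        off += list_size
    return entries

# Constructed sample: not a real certificate, just DER-looking bytes for a demo run
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 32
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
```

Feeding the resulting blob to `sign-efi-sig-list` and `efi-updatevar` (or the firmware's key-management menu) is what actually installs it; the structure above is only the variable payload.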
1. jeroenhd No.44602785
> Still on Android, it's possible to add custom keys. That's what GrapheneOS and the likes use.

AFAIK, that depends on the hardware used. Google Pixels allow it, but it's not universally permitted. Plenty of stories can be found on XDA where people tried to lock their bootloader and bricked their phone.

replies(1): >>44602977 #
2. palata No.44602977
> AFAIK, that depends on the hardware used. Google Pixels allow it, but it's not universally permitted.

You're right! That's why I mentioned the few manufacturers who do it correctly. GrapheneOS only supports Pixels for other reasons than that. CalyxOS supports other devices (one constraint being to be able to relock the bootloader). /e/OS doesn't seem to care so much about secure boot.

> Plenty of stories can be found on XDA where people tried to lock their bootloader that bricked their phone.

That raises a question: what is the point of relocking the bootloader? If overwriting the keys means that the whole system will be formatted, then I don't see why it should ever be prevented at all? If an evil maid wants me to lose my data, they can leave with the laptop, right?