I'll readily admit that I have only a cursory knowledge about the inner workings of secure boot, but from my reading there is no mechanism for any OS to assert that it has booted securely. The only informative mechanism is an in-memory flag that can be trivially provided by a subversive boot element.
When I read the title of your post, I was hoping that you would clarify the method with which an OS can assert its secure-boot status, because as I see it, secure boot is mere sophistry: you start from a presumed-secure base, then erect big and inconvenient obstacles to try and maintain that assumption.
But how does the OS prove the base was secure to begin with?
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
assumption of innocence
Date: 2012-06-15 01:58 pm (UTC)When I read the title of your post, I was hoping that you would clarify the method with which an OS can assert its secure-boot status, because as I see it, secure boot is mere sophistry: you start from a presumed-secure base, then erect big and inconvenient obstacles to try and maintain that assumption.
But how does the OS prove the base was secure to begin with?