Secure Boot Breaks Kexec, Hibernate Support On Linux


  • #11
    Misleading headline

    Phoronix, "Secure Boot Breaks Kexec, Hibernate Support On Linux" is a very misleading headline.

    Implementing SB does not 'break' those things. The problem is that those features make it trivial to circumvent SB protections. It's not that these things have to be disabled for SB to 'work'; it's that if you want to have the actual protection of SB, it logically requires that those features be disabled until they are improved from a security perspective. As long as those things are enabled, an attack could circumvent the protections SB is intended to provide.

    Comment


    • #12
      Don't you think that when you are root you can't do enough things already?

      Comment


      • #13
        Originally posted by Kano
        Don't you think that when you are root you can't do enough things already?
        Secure Boot is intended to prevent you booting untrusted bootloaders. A kernel that will execute arbitrary code is effectively an untrusted bootloader. Userspace code, even if run by root, isn't.

        Comment


        • #14
          Well you know that you usually can't use precompiled kernel modules for binary drivers? If you sign em on your own you usually store the key on the hd - easy to find in the bash history. Basically you can skip this test then when an attacker can find it. One other thing nobody mentioned, several boards can be flashed using flashrom, not all but the number is growing. You have direct access to the firmware then...

          Comment


          • #15
            Originally posted by Kano
            Well you know that you usually can't use precompiled kernel modules for binary drivers? If you sign em on your own you usually store the key on the hd - easy to find in the bash history. Basically you can skip this test then when an attacker can find it. One other thing nobody mentioned, several boards can be flashed using flashrom, not all but the number is growing. You have direct access to the firmware then...
            Modern boards can't be flashed with flashrom, because the SPI controller will only allow write access when you're in system management mode. You produce a distro, so I guess you get to figure out how you're going to handle key management for third party modules.

            Comment


            • #16
              My testboard with EFI Secure Boot can be flashed (the only way I can reset the keys I added), also my ASUS P8Z68-V - I guess all ASUS boards with 64 mbit flash work with flashrom.

              Comment


              • #17
                Originally posted by Kano
                My testboard with EFI Secure Boot can be flashed (the only way I can reset the keys I added), also my ASUS P8Z68-V - I guess all ASUS boards with 64 mbit flash work with flashrom.
                That's nice, but such boards aren't Windows 8 logo compliant.

                Comment


                • #18
                  Having helped with Flashrom, there's two big issues with flashing modern machines:
                  1. Laptops
                  2. Intel's Management Engine

                  The Management Engine is the easier of the two (which is only because there's no generic way to handle the laptop issue). Virtually every manufacturer follows Intel's recommendations on how to lock down the permissions on the various areas of the flash chip, which involve making the ME (Management Engine region) read-only, which is quite a problem because you can't be sure of a successful flash unless you can get the ME to stop itself (and you don't know if there's an ME update inside the update which needs to be applied), and you can't just overwrite the region in software.

                  Again, with physical access you can bypass all of these issues, but unless you're prepared to break out a soldering iron, programmer, and ready & able to make backups of your chips, you're stuck.

                  Laptops are hard because the BIOS usually shares space with the EC (embedded controller), which controls lots of important things like your keyboard, lighting, battery, and fans. If that goes, you'll probably have a nice brick. You need to know how to stop the EC, which requires datasheets that usually aren't available, and may be missing important info.
                  Combine the two, and you've got a nearly impossible situation.

                  Comment
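
Added example, not part of the thread and not any poster's code: a shell audit for the condition argued in posts #11 and #13, namely Secure Boot being on while kexec or hibernation remain usable. It assumes a kernel that exposes `/sys/kernel/security/lockdown` (the lockdown LSM of later kernels, which the thread does not mention); the `root` prefix argument is a hypothetical convenience so the checks can run against constructed sample files.

```shell
#!/bin/sh
# Audit whether kexec and hibernation are still usable while Secure Boot is on.
# Added illustration; the root-prefix argument is hypothetical and lets the
# functions read a constructed tree of sample files instead of the live system.

EFI_VAR=sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

secure_boot_state() {   # prints: on | off | unknown
    f="$1/$EFI_VAR"
    [ -r "$f" ] || { echo unknown; return; }
    # efivarfs layout: 4 attribute bytes, then the 1-byte SecureBoot value
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    case "$v" in 1) echo on ;; 0) echo off ;; *) echo unknown ;; esac
}

lockdown_mode() {       # "none [integrity] confidentiality" -> integrity
    f="$1/sys/kernel/security/lockdown"
    [ -r "$f" ] || { echo unavailable; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

kexec_load_open() {     # true unless the kexec_load_disabled sysctl reads 1
    [ "$(cat "$1/proc/sys/kernel/kexec_load_disabled" 2>/dev/null)" != 1 ]
}

hibernate_offered() {   # true when "disk" is listed in /sys/power/state
    grep -qw disk "$1/sys/power/state" 2>/dev/null
}

audit() {               # prints findings; returns 1 if a gap is found
    root=${1:-}; rc=0
    sb=$(secure_boot_state "$root"); ld=$(lockdown_mode "$root")
    echo "secure_boot=$sb lockdown=$ld"
    [ "$sb" = on ] || { echo "INFO: Secure Boot not confirmed on"; return 0; }
    case "$ld" in
        integrity|confidentiality) echo "OK: kernel lockdown active"; return 0 ;;
    esac
    if kexec_load_open "$root"; then echo "GAP: kexec_load permitted"; rc=1; fi
    if hibernate_offered "$root"; then echo "GAP: hibernation available"; rc=1; fi
    return $rc
}
```

Calling `audit` with no argument checks the live system; a non-zero return means Secure Boot is on but the kernel still offers kexec_load or hibernation without lockdown.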
