Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: Secure Boot Breaks Kexec, Hibernate Support On Linux

  1. #1
    Join Date
    Jan 2007
    Posts
    14,302

    Default Secure Boot Breaks Kexec, Hibernate Support On Linux

    Phoronix: Secure Boot Breaks Kexec, Hibernate Support On Linux

    A set of "controversial" patches were published by Matthew Garrett this morning for the Linux kernel. One of the patch series will disable the kernel's support for kexec and hibernate support when running in a UEFI Secure Boot environment...

    http://www.phoronix.com/vr.php?view=MTI4NjE

  2. #2
    Join Date
    Aug 2007
    Posts
    6,607

    Default

    Basically Secure Boot with physical access to the system is a joke anyway for several reasons:

    a) You can boot Ubuntu (but not Kubuntu), Fedora and whatever other distro that ships binaries with MS key - then feel free do modifiy whatever you like.

    b) If you use mjg59's shim to add a key/hash it was impossible for me to reset this without reflashing the firmware to a state before. When added it is in for all times (tested with ami uefi - one of the boards tested was an asrock b75 board). So it will always accept your efi binaries.

    c) Some boards like Asrock keep the CSM enabled by default even with Secure Boot on (btw. would you search it under ACPI options???) - just boot via a normal loader.

    d) Even if you don't have a SB enabled iso you can just switch it off in 99% of all cases because there is no firmware password set anyway.

    Even if you only allow signed kernels to be booted from hd you would need to encrypt it. And what protects you from a modified initrd? Maybe it would be more useful to sign that with a personal key, set a uefi password (if it helps - i know boards with password skip jumper...). A tiny bit hard could be a password set on the hd, but when suspend is used that password if often stored as well. Better forget security on local pcs

  3. #3
    Join Date
    Apr 2011
    Posts
    114

    Default

    Yes, Secure Boot does nothing to protect against physical attack. Nobody's ever claimed otherwise.

  4. #4
    Join Date
    Aug 2007
    Posts
    6,607

    Default

    And how to you exploit hibernate remotely? Usually you are already root there to do so...

  5. #5
    Join Date
    Apr 2011
    Posts
    114

    Default

    You can gain root remotely.

  6. #6
    Join Date
    Aug 2012
    Location
    Pennsylvania, United States
    Posts
    1,859

    Default

    Secure Boot is all about protecting against longterm remote exploits (Someone hacks you and replaces a kernel module that you use with one that has a backdoor, or something along those lines) If they've got physical access...you got screwed long before they sat down at your desk.

  7. #7
    Join Date
    Dec 2008
    Location
    Vermont
    Posts
    99

    Default

    Quote Originally Posted by Ericg View Post
    Secure Boot is all about protecting against longterm remote exploits
    Or is Secure Boot all about protecting Microsoft's longterm revenue stream. Keep in mind that up-front the article didn't buy into the security of Secure Boot. They were looking at taking these actions in order to prevent their key from being revoked from Microsoft. When the playing field appears crooked, due diligence becomes all the more important.

  8. #8
    Join Date
    Aug 2012
    Location
    Pennsylvania, United States
    Posts
    1,859

    Default

    Quote Originally Posted by phred14 View Post
    Or is Secure Boot all about protecting Microsoft's longterm revenue stream. Keep in mind that up-front the article didn't buy into the security of Secure Boot. They were looking at taking these actions in order to prevent their key from being revoked from Microsoft. When the playing field appears crooked, due diligence becomes all the more important.
    Secure Boot's a tool, the wielder chooses how that tool is handled. If Microsoft wants to use Secure Boot for evil, fine, but don't blame Secure Boot. Blame Microsoft for making that choice.

  9. #9
    Join Date
    Nov 2012
    Location
    France
    Posts
    535

    Default

    Quote Originally Posted by Ericg View Post
    Secure Boot is all about protecting against longterm remote exploits (Someone hacks you and replaces a kernel module that you use with one that has a backdoor, or something along those lines) If they've got physical access...you got screwed long before they sat down at your desk.
    Crackers have better things to do. "Secure" Boot being a thing to make installing Linux and other OSes harder is bigger than a big ass.

  10. #10
    Join Date
    Aug 2007
    Posts
    6,607

    Default

    All you need to do is to sign your grub loader (i would like when gummiboot would work as well) - creating it is a bit tricky. I compiled grub2 from ubuntu and then signed the cd efi binary from the amd64.tar.gz in my first test. Basically you gain nothing that way, it just starts with Secure Boot enabled as it does not check for any signed kernels like when you use the precompiled grub-efi-amd64-signed (together with shim-signed) from Ubuntu.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •