The UEFI SecureBoot Saga For Linux Continues


  • Kano
    replied
    You can attack every system, but be sure the most common way is to use the MBR up to now for those things. The first virus that used the MBR must be as old as DOS. It does not matter if you use coreboot or whatever, if you want to attack a system you find a way - and if you need to write a new BIOS/UEFI then you do so. As soon as flashrom works and your enemy is root on your system he can attack the BIOS directly as well, no matter if it is internally UEFI or not. You can simply add an option ROM with your code that will be executed on boot. Of course you don't know that as you never modified a BIOS, but I did - I added/replaced VGA ROM, RAID ROM, PXE, Plop...


  • Qaridarium
    replied
    German Wikipedia talks about EFI as a security risk:

    "According to a coreboot developer, EFI is a potential security risk for security-critical environments, such as banks, because the implemented network stack would create the theoretical possibility of sending data to an arbitrary address without the operating system noticing. Its own network stack for TCP/IP, which runs "below" the operating system, directly and independently on the motherboard, makes it possible to manipulate, infect or monitor the system without being able to control or limit this from, for example, Windows. EFI could also be used for DRM purposes, for instance to monitor the I/O data stream for digital watermarks. For these reasons, some users are more likely to advocate an open source system such as coreboot (formerly LinuxBIOS). [18] [21] [22]"

    https://de.wikipedia.org/wiki/UEFI#Kritik


  • Kano
    replied
    I think there are better reasons to use Kanotix. But you should not mix up standard UEFI booting with secure boot. UEFI boot is really cool when done correctly - especially with a kernel with EFI stub. It is a bit weird that you can use "rdev" now for that purpose, which was already dropped from util-linux because nobody used it...


  • Qaridarium
    replied
    Originally posted by Kano
    No, I won't, because if somebody does not find the option to disable secure boot he is most likely not able to use Linux as well...
    lol ;-) Maybe I will use Kanotix in the future only to prove that I'm able to find the BIOS option


  • Kano
    replied
    No, I won't, because if somebody does not find the option to disable secure boot he is most likely not able to use Linux as well...


  • Qaridarium
    replied
    Originally posted by Kano
    @Q

    Kanotix is definitely not dead, maybe look at our homepage, we just released a Hellfire (squeeze) update and a Dragonfire (wheezy) preview.

    But if EVERYBODY can get a signed bootloader then this system is absolutely pointless. For x86 you just have to find a setup option to disable secure boot - usually secure boot can only work in UEFI mode anyway. So when you would force a boot via CSM (and BIOS emulation) how should secure boot be active if that's done via quick boot selection?

    If you see secure boot as something positive to your own security, that means that you could be sure that nobody managed to put in a spy module to save your encryption keys if you encrypt your data, like it is possible when you hijack the MBR for this and then execute maybe TrueCrypt later but store the key.

    I don't understand why MS would give away a signed 3rd party EFI loader, you can be 100% sure that it will be used for exploits. If you don't need security features you can disable em on your own. It would be interesting to know if there is a UEFI spec to update the included public keys. Basically it should not be that hard to do when you have got access to the UEFI, you can extract, change (there are several tools to modify UEFI, just for another purpose currently) and flash your own keys.

    Even if the key area would be write protected after first write you could still replace the EEPROM chip, which is a piece of cake on a desktop system, well could be tricky on a laptop. When YOU are able to control it, then you can gain a little bit more security, if you can't it would be just like without.
    I know your releases. OK, bad style; it was more a question: will you support secure-boot in the future, and will you pay 100 dollars to Microsoft?


  • steveriley
    replied
    Originally posted by linux5850
    I don't think it's just a BIOS thing. I think it's also a TPM chip built into your PC that does the checking for keys and allowing which code can boot or not.
    In the comments section, someone asked about TPM, and the response was that SecureBoot is designed not to require one.


  • Kano
    replied
    @Q

    Kanotix is definitely not dead, maybe look at our homepage, we just released a Hellfire (squeeze) update and a Dragonfire (wheezy) preview.

    But if EVERYBODY can get a signed bootloader then this system is absolutely pointless. For x86 you just have to find a setup option to disable secure boot - usually secure boot can only work in UEFI mode anyway. So when you would force a boot via CSM (and BIOS emulation) how should secure boot be active if that's done via quick boot selection?

    If you see secure boot as something positive to your own security, that means that you could be sure that nobody managed to put in a spy module to save your encryption keys if you encrypt your data, like it is possible when you hijack the MBR for this and then execute maybe TrueCrypt later but store the key.

    I don't understand why MS would give away a signed 3rd party EFI loader, you can be 100% sure that it will be used for exploits. If you don't need security features you can disable em on your own. It would be interesting to know if there is a UEFI spec to update the included public keys. Basically it should not be that hard to do when you have got access to the UEFI, you can extract, change (there are several tools to modify UEFI, just for another purpose currently) and flash your own keys.

    Even if the key area would be write protected after first write you could still replace the EEPROM chip, which is a piece of cake on a desktop system, well could be tricky on a laptop. When YOU are able to control it, then you can gain a little bit more security, if you can't it would be just like without.

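The post above turns on whether Secure Boot is actually active on a given machine (UEFI versus CSM/BIOS boot, and whether the owner still controls the keys). On Linux that state can be read from efivarfs; the following is an added example, not part of any post in this thread. The function names and the constructed sample directory are assumptions; the variable names and GUID are the standard UEFI global ones.

```python
import struct
import tempfile
from pathlib import Path

# GUID of EFI_GLOBAL_VARIABLE, the namespace holding SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_byte(efivars: Path, name: str):
    """Return the one-byte value of a global UEFI variable, or None.

    An efivarfs file is a 4-byte little-endian attribute word followed by
    the variable data; SecureBoot and SetupMode each carry one data byte.
    """
    try:
        raw = (efivars / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None
    if len(raw) != 5:  # truncated or unexpected layout: do not guess
        return None
    _attrs, value = struct.unpack("<IB", raw)
    return value


def secure_boot_state(efivars=Path("/sys/firmware/efi/efivars")) -> str:
    """Classify the boot state from the firmware variables."""
    efivars = Path(efivars)
    if not efivars.is_dir():
        return "legacy-boot"  # BIOS/CSM boot: no UEFI runtime variables
    secure = read_efi_byte(efivars, "SecureBoot")
    if secure is None:
        return "uefi-no-secure-boot-variable"
    if read_efi_byte(efivars, "SetupMode") == 1:
        return "setup-mode"  # no platform key enrolled, keys are writable
    return "enforcing" if secure == 1 else "disabled"


def make_sample(secure: int, setup: int) -> Path:
    """Build a constructed efivars directory (sample data, not real firmware)."""
    d = Path(tempfile.mkdtemp())
    attrs = 0x06  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        path = d / f"{name}-{EFI_GLOBAL_GUID}"
        path.write_bytes(struct.pack("<IB", attrs, val))
    return d


if __name__ == "__main__":
    print(secure_boot_state())
```

A result of "legacy-boot" or "setup-mode" on a machine that is supposed to enforce Secure Boot is worth investigating, since in both cases the firmware is not verifying the boot chain against enrolled keys.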


  • disi
    replied
    Easy enough: avoid any hardware with a Windows 8 sticker?
    This is what I am going to do...

    Little example, me buying a netbook:
    1. tell the vendor to rip out the hard drive and put a SSD in
    2. do not bother to install Windows on it and keep the licence
    3. after some research, the third vendor was OK with that


  • Qaridarium
    replied
    security boot and UEFI is just: "The Coming War on General Purpose Computation"

    http://boingboing.net/2011/12/27/the...eral-purp.html
