The State Of Linux Distributions Handling SecureBoot


  • duby229
    replied
    Originally posted by mjg59
    Doesn't help. If someone's gained root access they can just modify /dev/sda directly.



    That'd work, though you'd want to use a cryptographic signature instead of a CRC - it's easy to force a CRC to match. The easiest thing to do would be to have the firmware verify the signature, that way you don't need a second computer to verify your laptop every time you want to boot it. And... you've just reinvented Secure Boot.
    Getting root access on linux is horribly difficult to do without the password. If you don't believe me then try it for yourself.



  • ShadowBane
    replied
    Originally posted by duby229
    Go ahead and name one... Just one... where by the method of infection is through a booted linux system....
    Really, any of the remote root exploits listed here would allow the installation of bootloader viruses...
    Search Exploit Database for Exploits, Papers, and Shellcode. You can even search by CVE identifiers.


    Bootloader exploits are attractive because they are very hard to detect from a booted computer. There is no reason to expect that people using Linux would never be targeted by such attacks.



  • duby229
    replied
    Originally posted by ShadowBane
    So, please tell me how Linux is magically safe from viruses that install themselves to the bootloader...

    The reality is that these viruses can target any operating system, Linux included. Secure boot protects Linux just as effectively as it does windows, the only problem that is getting seriously discussed is that it may be difficult to load custom keys into the trusted keys list. (Notice that I said 'may', there is no guarantee that it will be difficult on all or even the majority of systems)
    Go ahead and name one... Just one... where by the method of infection is through a booted linux system....



  • mjg59
    replied
    Originally posted by crazycheese
    Make /boot and / RO.
    Doesn't help. If someone's gained root access they can just modify /dev/sda directly.

    CRC the /boot partition and make independent system check-verify it, before booting it.
    That'd work, though you'd want to use a cryptographic signature instead of a CRC - it's easy to force a CRC to match. The easiest thing to do would be to have the firmware verify the signature, that way you don't need a second computer to verify your laptop every time you want to boot it. And... you've just reinvented Secure Boot.

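The point in mjg59's reply above that a CRC is easy to force to match, as an added example (not part of the thread or any poster's code): four appended bytes make a modified image carry the original's CRC-32, while its SHA-256 digest, the kind of value a cryptographic signature covers, no longer matches. The sample data and function names are constructed for illustration.

```python
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib

def _entry(i):
    for _ in range(8):
        i = (i >> 1) ^ POLY if i & 1 else i >> 1
    return i

TABLE = [_entry(i) for i in range(256)]
# Every table entry has a distinct top byte, so one CRC step can be undone.
REVERSE = {TABLE[i] >> 24: i for i in range(256)}

def crc_matching_suffix(data: bytes, wanted_crc: int) -> bytes:
    """Return 4 bytes such that zlib.crc32(data + suffix) == wanted_crc."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after `data`
    goal = wanted_crc ^ 0xFFFFFFFF          # register value needed at the end
    for _ in range(4):                      # undo four zero-byte steps
        idx = REVERSE[goal >> 24]
        goal = ((goal ^ TABLE[idx]) << 8) | idx
    # CRC is linear: XORing the two registers gives the bytes to append.
    return (state ^ goal).to_bytes(4, "little")

def compare_checks(original: bytes, modified: bytes) -> dict:
    """Compare a CRC check with a cryptographic digest on a modified image."""
    padded = modified + crc_matching_suffix(modified, zlib.crc32(original))
    same_digest = (hashlib.sha256(padded).digest()
                   == hashlib.sha256(original).digest())
    return {
        "crc_equal": zlib.crc32(padded) == zlib.crc32(original),
        "sha256_equal": same_digest,
        "padded": padded,
    }

# Constructed sample data standing in for the contents of /boot.
ORIGINAL = b"kernel-image: known-good build\n" * 64
MODIFIED = ORIGINAL.replace(b"known-good", b"tampered!!", 1)

if __name__ == "__main__":
    result = compare_checks(ORIGINAL, MODIFIED)
    print("CRC-32 still matches: ", result["crc_equal"])
    print("SHA-256 still matches:", result["sha256_equal"])
```

A digest alone only helps if the reference value is stored where the attacker cannot rewrite it, which is why the reply moves the check into firmware with a signature.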


  • mjg59
    replied
    Originally posted by crazycheese
    Incorrect - you can SHIP the systems (as OEM) with SecureBoot off, but you will lose right to put "windows 8 certified" on your computers.[1]
    That's what I said. You're free to sell a computer running Windows 8 without Secure Boot. You don't get the Microsoft certification. Since you're not forced to ship with Secure Boot enabled (merely given an incentive to), it's probably not an antitrust violation.

    The touch hardware needs to be certified, not the entire platform.

    The definition of "Trusted" should be "Owner".
    Absolutely, which is why Microsoft require that it be possible to replace the Microsoft keys on any x86 systems. Anyone with access to the firmware menu can install their own keys.



  • crazycheese
    replied
    Originally posted by ShadowBane
    So, please tell me how Linux is magically safe from viruses that install themselves to the bootloader...

    The reality is that these viruses can target any operating system, Linux included. Secure boot protects Linux just as effectively as it does windows, the only problem that is getting seriously discussed is that it may be difficult to load custom keys into the trusted keys list. (Notice that I said 'may', there is no guarantee that it will be difficult on all or even the majority of systems)
    Hello and welcome to reality.

    Build all modules in kernel.

    Disable dynamic module loading.

    Make /boot and / RO.

    CRC the /boot partition and make independent system check-verify it, before booting it.

    Place /etc on write-once media.

    Activate NX and Apparmor.

    Secured.



  • ShadowBane
    replied
    Originally posted by duby229
    It does nothing for Linux. NOTHING. While linux does have its security issues... It doesn't need to worry about MS's security issues.
    So, please tell me how Linux is magically safe from viruses that install themselves to the bootloader...

    The reality is that these viruses can target any operating system, Linux included. Secure boot protects Linux just as effectively as it does windows, the only problem that is getting seriously discussed is that it may be difficult to load custom keys into the trusted keys list. (Notice that I said 'may', there is no guarantee that it will be difficult on all or even the majority of systems)



  • crazycheese
    replied
    Originally posted by mjg59
    What? Windows 8 boots fine without Secure Boot. You're free to sell it installed on computers that don't even support it, you just don't get Microsoft certification.
    Incorrect - you can SHIP the systems (as OEM) with SecureBoot off, but you will lose right to put "windows 8 certified" on your computers.[1]
    So, in case OEM opts in microsoft way, the user will be required to mess with his system in order to switch secure boot off.
    This is good cause to void warranty.
    This also adds additional complicated step and as such makes it harder for newbies. As you mentioned earlier "security consists of many layers" - these are two such "complication" layers in "securing the customer".
    One more reason to pay FSF to sue microsoft arse.

    Or switch altogether to OPEN platform, taking "Personal Computing" along. Because it ain't personal, when you are forbidden to do personal customization.
    Because SecureBoot is required permanently ON for ARM and windowsRT, which is future of windows.
    You can be assured, microsoft itself nullified your argument above.

    ---
    And in case OEM opts out and decides to disable SecureBoot - he loses right to get "Windows 8 Certified" label.
    Which means:
    1. You are not considered microsoft professional or microsoft partner anymore.
    1.1. If you are large enough, you can counter this.
    2. Windows deactivates and will deactivate functionality, if the system is not certified.

    2.1. This means to OEM, that their system with windows is crippled, although they pay same price to microsoft.
    3. windows 8 OEM certification is a complex procedure involving preinstallation, activation and labeling of the machine. If OEM does not use this, the prices for windows installation will be SIGNIFICANTLY HIGHER - thus his solutions will cost more without being any different, which will unavoidably result in OEM going bankrupt due to (current, still holding) monopoly of microsoft.

    The options above indicate microsoft to use nazi tactics or be nazi themselves.

    Either with us or our enemy.

    You may surrender to our rules, or you will get such prices, that you will be out of the market in no time. And because we possess monopoly in marketshare, this is our market.

    Note, this is similar to microsoft hardware OEM agreements, now coming in software.
    Bonus: remember why Gaben started adapting to Linux.

    Originally posted by mjg59
    It looks for anything that it knows isn't a trusted boot loader and prevents it from running. So, it does?
    The definition of "Trusted" should be "Owner".

    However, the definition of "Trusted" in "Secure Boot" means "Owner of the signing key"

    The owner of the key is ....microsoft.

    Hereby the only "Trusted" member is "microsoft" or assigned by "microsoft".

    Welcome to antitrust law violation.

    If the owner of the key would be ... anyone, which is what we have with BIOS password... there would be no lock-in and it would be a viable security feature.
    This way, the OWNER of the hardware would generate a key, sign components and save key in own system, the same way CMOS did that, but inside non-volatile TPM module.

    This is the correct way - to put the ownership in hands of the hardware owner.

    But the key is in hands of microsoft as a sole decision maker and hence constitutes either MONOPOLY (similar to OS monopoly) or unavoidably embedded MICROSOFT-ONLY feature (similar to IE).

    Originally posted by duby229
    heh... i give up....
    Doesn't mean you lose.

    Originally posted by mjg59
    So, again, suggest a solution that solves the problem that Microsoft are trying to solve without preventing the booting of unsigned code.
    GPL whole windows.
    They are making people trust a black box. The only way to achieve this is to lie and spread FUD.
    Last edited by crazycheese; 28 December 2012, 07:21 PM.



  • duby229
    replied
    heh... i give up....



  • mjg59
    replied
    Originally posted by duby229
    If you boot Windows 8, You must use secureboot. How is that not forced?
    What? Windows 8 boots fine without Secure Boot. You're free to sell it installed on computers that don't even support it, you just don't get Microsoft certification.

    If it really was a mechanism to protect against boot viruses.... Shouldn't it look for boot viruses?
    It looks for anything that it knows isn't a trusted boot loader and prevents it from running. So, it does?

