Why You Don't See Coreboot Supported By Many Modern Intel Systems


  • #11
    Originally posted by uid313 View Post
    Does Intel Boot Guard hamper NSA?
    I bet NSA would get "proper" signature in a blink of your eye. So in your shoes I wouldn't count on such "protection" at all.

    You see, Microsoft recently signed Stuxnet and Duqu. Digital warfare software - not just some mere malware but full-fledged espionage and industrial sabotage complex. It is very interesting when things like this are using VALID DIGITAL SIGNATURES to do their jobs.
    Last edited by SystemCrasher; 10 February 2015, 03:03 PM.



    • #12
      Hopefully this will be hacked by someone

      So long as this only locks the UEFI firmware it is unlikely to draw serious attention from hackers, but when Intel (or some OEM ignoring "windows certification") decides to lock the southbridge to a bootloader and to Windows the shit will hit the fan. Apple thought the iPhone could not be jailbroken either. They didn't lose all their control (can't run Linux on it), but that AT&T carrier lock and feature locks sure didn't last.

      First things first: Not all keys stay secret, as we've found with DRM on Blu-Ray players. If the keys are hardwired into the southbridge, then Intel has no way to revoke them. The first step here is social engineering. The private key is in a large corporation, no doubt one with many disgruntled employees. One whistleblower could irrevocably unlock millions of computers. Perhaps one of those malware authors would offer a bounty, but in that case the danger is they sit on the key and use it themselves instead of releasing it to the public like what happened with Blu-Ray.

      We don't have enough computing power to brute-force this key, but there are plenty of corporate equivalents to rubber-hose decryption. Suppose Intel execs had the FSF outside their homes until they released the keys for all their locked consumer "goods?" FCC Commissioner Wheeler is now supposedly doing our bidding on net neutrality after protesters showed up in his driveway.

      Intel's counterargument would of course be that you should check to ensure that any computer you plan to buy can run the software (AND firmware) you plan to use it with, just as you buy a gun to shoot a particular cartridge. I have said the same myself for years: DO NOT BUY any computing equipment for Linux, much less for coreboot, without checking first to see if it will run what you want it to run. Right now, I advise only old BIOS boards, known good coreboot boards, or unlocked/OC enthusiast boards for desktops (No new OEM machines), and Pine Trail or earlier Intel Atom in used netbooks (due to PowerVR), and either AMD based machines or Chromebooks reflashed with vanilla Coreboot for newer laptops. This has gotten much worse in the past five years, used to be you could use any random hardware and only "oddball" things like webcams or proprietary wireless cards did not work.

      I wonder if "enthusiast" overclocking motherboards for these newer Intel processors also use the locked southbridges? If an unlocked southbridge exists and Intel does not seek to block its use, perhaps someone could be induced to use it on laptops instead of the locked version. I wonder what Google is doing about this: rejecting the new CPUs, or using their size to get unlocked southbridges.

      In the final analysis, Blu-ray is dying, in part due to rejection of DRM. Intel should consider the danger that Microsoft could at any time "partner" with OEMs to only sign firmware locked to Windows, and that Intel would become another Blu-Ray, avoided by millions who don't want a locked product. The Windows 8 and Vista caused sales declines of OEM systems should be an education for them. I don't buy Intel, you don't have to either. Never throw away computing equipment that is good enough for your needs, we don't know what the OEMs will be shipping in 5 years and they have proven they cannot be trusted. Until there is a brute force or other crack on boot keys, there is the boycott, just like what happened to all those nasty locked Microsoft Surface RT tablets that nobody wanted.



      • #13
        secure boot is crap

        This entire secure boot thing is really just a bunch of crap. If some software or something gets permission to rewrite the bootloader it means you're pretty much screwed anyway because you've almost certainly got an infected computer. And just because the whole boot process is safe and you're booting a genuine copy of MS crap doesn't mean you're safe and have no viruses and spyware and all that.
        There's really no good defense against human stupidity and lack of computer skill so don't give experienced users a hard time because of these things. Sure, try to make stuff secure for everyone but as long as people click on things in a webpage saying they have a virus and need to install some crap from that website ...



        • #14
          Plus, there really are people dumb enough to believe that they actually -are- the 1000000th visitor.

          IE is the absolute worst vector for infections that exists. The best thing to do is just don't use IE. Personally I use firefox with noscript. It really isn't that hard. Trying to tell people how to use noscript is the ultimate lesson on how dumb people really are.

          EDIT: Even smart people are stupid about clicking on shit.



          • #15
            Originally posted by duby229 View Post
            Plus, there really are people dumb enough to believe that they actually -are- the 1000000th visitor.

            IE is the absolute worst vector for infections that exists. The best thing to do is just don't use IE. Personally I use firefox with noscript. It really isn't that hard. Trying to tell people how to use noscript is the ultimate lesson on how dumb people really are.

            EDIT: Even smart people are stupid about clicking on shit.
            It can always happen that you click on something you didn't want.

            SystemCrasher, mcirsta, Luke ("Hopefully this will be hacked by someone"), I agree.



            • #16
              Originally posted by opensource View Post
              It can always happen that you click on something you didn't want.

              SystemCrasher, mcirsta, Luke ("Hopefully this will be hacked by someone"), I agree.
              Except with noscript it's very rare that you see something you don't want. Which is exactly why I recommend it.



              • #17
                Actually, I don't blame Intel for this: I blame the OEMs for choosing to use it. And besides, I don't see it as much of an issue. Almost all users are never going to want to install a firmware other than one produced by your mobo manufacturer, so there's very rarely any problem locking it to that.

                This is very different to SecureBoot, which can / does make difficulties for booting non-Windows operating systems. Unless as Luke suggested some fool decides to make a firmware that is locked to Windows, but that is definitely not its intended purpose.

                I will say that this reminds me of BADUSB (as in it is the same as the solution to that), and another recent Mac vulnerability that this would have protected against...



                • #18
                  USER keys, not vendor keys are needed for things like this

                  Originally posted by PreferLinux View Post
                  Actually, I don't blame Intel for this: I blame the OEMs for choosing to use it. And besides, I don't see it as much of an issue. Almost all users are never going to want to install a firmware other than one produced by your mobo manufacturer, so there's very rarely any problem locking it to that.

                  This is very different to SecureBoot, which can / does make difficulties for booting non-Windows operating systems. Unless as Luke suggested some fool decides to make a firmware that is locked to Windows, but that is definitely not its intended purpose.

                  I will say that this reminds me of BADUSB (as in it is the same as the solution to that), and another recent Mac vulnerability that this would have protected against...
                  In "secure" boot, you can replace MS keys with your own. Not so for this it seems. BADUSB would be blocked if you used either original firmware signed with vendor keys or Coreboot (etc) signed with your OWN key, so long as adding or removing keys required hardware enablement such as setting a jumper or throwing a switch to block online replacement.

                  Here's how I would use it for a maximum security case, and here's how it would fail:

                  1: I sign coreboot or a known good (found keylogger-free by binary analysis) OC BIOS with my key, and lock the southbridge to it. It is in turn locked to a known good GRUB2, which I also sign with the same key. The bootloader in turn is locked by this key or another to my initramfs and kernel. My private key can be kept in my (encrypted) FS for signing new bootloaders, kernels, initramfs updates, etc.

                  2: It seems that both "evil maid" and "evil cook" attacks on my boot decryption passphrase are blocked. Maybe this makes me overconfident, thinking I can leave my laptop in an unattended hotel room while I am at that WTO protest in China.

                  3: Guess what: China's MSS does not use BIOS keyloggers or software keyloggers, they pull out the keyboard and insert a hardware keylogger instead. As separate hardware not interacting with the motherboard, my fancy secure Coreboot/BIOS/whatever cannot prevent it from functioning. An encrypted laptop with no defenses but the keyboard epoxied down is actually more secure, as there are far more BIOS versions, kernel versions, and certainly initramfs configurations out there than there are laptop keyboard pinouts.

                  4: Maybe the NSA is the problem, and I did epoxy down the keyboard? OK, now any backdoors in the TPM come into play, extracting my private key from it, bypassing normal TPM key export restrictions.



                  • #19
                    What is all this about?

                    The main reason is to force the user to pay for "system" as "service" based on the wishes of the hardware (and software) vendor.
                    This "secure" extension does not give security to the user, but to the selling company.
                    As everybody may notice, malware can't be mitigated by this sort of "security" because all the systems are infected already without the need of hampering the boot procedure.
                    And the latest Intel CPU has a secondary "security chip/CPU" inside your main CPU, and this chip is able to control everything and your company/selling company is able to program it by using Java... (see http://www.alexrad.me/discourse/why-...creenshot.html).
                    Nobody cares about user security (all phones could be cracked by attacking GSM chip via wireless signal no matter what OS you actually use), but everybody cares about "security" of the seller income and NSA/FBI/whatever ability to read your data.
                    Poor world :-|



                    • #20
                      Originally posted by blackiwid View Post
                      [...] X230 no big difference except not so good keyboard its also a ok version [...]
                      Are the current Asus Zenbook keyboards any better?
                      Any other current linux-friendly laptop featuring a nice/comfortable keyboard?
                      Thanks!
