Secure Boot Isn't So Secure After All: The Golden Key Is Out

  • stikonas
    replied
    Originally posted by paschalis.sp
    stikonas Can you help me with the process? (links, or advice) would be very helpful...
    I kind of loosely followed https://wiki.gentoo.org/wiki/Sakaki%...ng_Secure_Boot

    I don't think everything from that link worked for me though, i.e. efi-updatevar didn't like my UEFI, so I just copied public keys into my EFI partition, rebooted into UEFI, and imported them from there. Another change is that I didn't keep a backup of the Microsoft key, so if you do this you can skip a lot of steps in that tutorial.

    The scripts for generating keys and signing bootloaders are: http://pastebin.com/fDXg3SYW (you might need to adjust some paths but it should not be too hard)



  • Hi-Angel
    replied
    Originally posted by devius
    Wow, no one saw that one coming.
    lewl, I saw that coming; I knew that this was going to happen, one way or another, from the very day I learned about the signing.



  • chuckula
    replied
    Originally posted by droidhacker
    Just what the heck are you on about with this? You appear to be contradicting yourself.
    I'm not contradicting anything. I'm pointing out that the supposedly evil secureboot that was supposedly a giant conspiracy to prevent Linux from ever being installed on new hardware didn't actually stop Linux from being installed on new hardware. And that freedom to install Linux had nothing to do with this hack* either. Meanwhile, I'd love to kick out the bloated locked-down Android installation that's on my phone but I can't do it. And no, even "rooting" a phone in an unreliable manner to slap on another Android image isn't good enough just like having to hack and "root" a Windows PC to go from Windows 10.1 to some other minor variant of Windows wouldn't exactly make that an open platform either.


    * Which incidentally is being massively overhyped: Microsoft's signing key did not leak out and that stupid website doesn't post the supposed "golden key" at all. Instead, they just discovered a bypass in the secureboot process that was put in to enable debugging where the secure boot process just says: What the heck, I'm in debug mode so I'll load this code whether it's signed or not. That's vastly different from actually having access to Microsoft's private key.



  • schmidtbag
    replied
    Originally posted by chuckula
    Well when secureboot first came out it was accused of being some giant conspiracy to stop PCs from ever running Linux.
    5 years later and dozens of easy successful Linux installs later [long before this hack was announced], that was obviously wrong.
    I still believe that's the case, but I knew that it was going to be a failed attempt. When MS first released Windows 7, they were incredibly proud of how "uncrackable" it was. However, people managed to pirate it before it was even released. Any time MS ever claims something is secure, people effortlessly find a way around it. So whether Secure Boot was "secretly" meant to hinder Linux users or not, I knew it wasn't anything to be afraid of. Thankfully, most hardware manufacturers allow you to disable it anyway.

    As for preventing boot-level malware, well the vast majority of malware has no need to ever get that low-level in the first place, so we're not really any less secure in the real-world than before secureboot showed up.
    Depends on your definition of "need". It's a common enough issue that it has a specific name, and a common enough issue that some motherboards and CPUs have hardware designed to detect and protect against it (outside of SB).

    In other news, I'd greatly like to see secureboot put onto every Android device in existence. I'd like the so-called "open" Android platform to be just as locked down as all those evil Microsoft PCs so I can actually put a real Linux distribution on it just like the supposedly "locked down" PCs.
    First of all, Android is relatively locked down already. There are a lot of things you can't do without rooting it. Second, if you want a legitimately locked-down device, get a Windows phone or an iPhone. Third, I'm not sure how locking down an Android platform is supposed to help you get a "real" Linux distro on it. If anything, that would make it harder to install. But for most phones, installing Linux on them is difficult primarily because of hardware limitations. Most of them are compatible to some degree, but accessing the built-in NAND or dealing with GPU drivers is the real burden.



  • khagaroth
    replied
    Originally posted by rubdos
    Honest question: what's more terrible: Microsoft losing the key, or that website?
    Well, that website crashes Firefox, so...



  • khagaroth
    replied
    Originally posted by rubdos
    Honest question: what's more terrible: Microsoft losing the key, or that website? I vote the first.
    Well, that website crashes Firefox, so...



  • droidhacker
    replied
    Originally posted by chuckula
    In other news, I'd greatly like to see secureboot put onto every Android device in existence. I'd like the so-called "open" Android platform to be just as locked down as all those evil Microsoft PCs so I can actually put a real Linux distribution on it just like the supposedly "locked down" PCs.
    Just what the heck are you on about with this? You appear to be contradicting yourself.

    First off, a lot of high end Android devices employ a secured boot process that is actually *more* secure than secureboot ever was. For instance, Qualcomm starts off with validating the PBL against a burned-in public key. It then loads the PBL, which validates the next boot loader along the path of SBL1 --> SBL2 --> TZ --> SBL2 --> SBL3 (up to this point, they are all *qualcomm* key verified) --> boot partition (kernel+initrd) (from this point forward, we will be dealing with *vendor* keys, i.e. Google's key in the case of a Nexus), and then THAT even verifies that nobody has tampered with the SYSTEM PARTITION!!!! The system partition verification is performed by dmverity, which returns i/o errors on any data that fails checks. So it doesn't strictly write protect the system partition, but it makes changed data unreadable.

    So not quite sure if you are making a joke about putting (in)secureboot on these devices so that you could bypass the much stronger secured boot process on them...?

    But I don't really see a big problem with this state of things to begin with. It isn't as if ALL devices are locked down all the way from top to bottom like this. It's mainly just SAMSUCK that is. Just pick something that allows you to disable the signature check at some stage of the boot process. Every device ever sold as a "Nexus", for instance, allows you to disable the write protect and signature check on the boot partition. I think that Sony is also pretty good on this. HTC used to be, but I haven't kept up on their hardware.
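
Added example, not part of droidhacker's post: a simplified Python sketch of the dm-verity behaviour described above, where a modified block can still be written but reads back as an I/O error. The binary hash tree without salt and the names `build_tree`, `VerifiedDevice` and `demo` are assumptions made for illustration; the root hash is assumed to arrive via the signed boot image.

```python
import errno
import hashlib

BLOCK = 4096  # data block size used in this sketch

def _h(data):
    return hashlib.sha256(data).digest()

def build_tree(image):
    """Return hash levels: levels[0] holds per-block hashes, levels[-1] is [root]."""
    level = [_h(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        # Hash adjacent pairs; an odd trailing node is hashed on its own.
        level = [_h(b"".join(level[i:i + 2])) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

class VerifiedDevice:
    """Storage whose reads are checked against a trusted root hash."""
    def __init__(self, storage, levels, root_hash):
        self.storage, self.levels, self.root_hash = storage, levels, root_hash

    def read_block(self, n):
        data = bytes(self.storage[n * BLOCK:(n + 1) * BLOCK])
        node, idx = _h(data), n
        for level in self.levels[:-1]:
            # Rebuild the parent from the recomputed node and its stored sibling.
            pair = idx - idx % 2
            siblings = level[pair:pair + 2]
            siblings[idx - pair] = node
            node, idx = _h(b"".join(siblings)), idx // 2
        if node != self.root_hash:
            raise OSError(errno.EIO, f"block {n} failed verification")
        return data

def demo():
    image = b"".join(bytes([i]) * BLOCK for i in range(5))  # constructed 5-block partition
    levels = build_tree(image)
    dev = VerifiedDevice(bytearray(image), levels, levels[-1][0])
    before = dev.read_block(2) == image[2 * BLOCK:3 * BLOCK]
    dev.storage[2 * BLOCK + 10] ^= 0xFF  # the write itself is not blocked
    try:
        dev.read_block(2)
        after = "readable"
    except OSError as exc:
        after = errno.errorcode[exc.errno]
    untouched = dev.read_block(4) == image[4 * BLOCK:]
    return before, after, untouched

if __name__ == "__main__":
    print(demo())
```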



  • chithanh
    replied
    amp3030
    Microsoft can send a new bootloader via Windows Update which doesn't accept the Golden Key any more.
    But this is not an effective measure because the attacker could simply replace it with the old bootloader again.
    They would additionally have to blacklist the old bootloader in UEFI dbx, but that would render all systems/live media/etc. unbootable which haven't upgraded to the new bootloader yet. Or which restore from recovery.

    So for all practical purposes, Microsoft has defeated secure boot for good this time.
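
Added example, not part of chithanh's post: a small Python model of the db/dbx check that shows the trade-off described above. An updated bootloader alone leaves the old one bootable, while a dbx entry for the old one also stops unpatched recovery media. The HMAC stand-in for a real signature, the key, the image contents and all names are constructed for illustration.

```python
import hashlib
import hmac

def sign(key, image):
    # Stand-in for a real image signature so the example stays self-contained.
    return hmac.new(key, hashlib.sha256(image).digest(), "sha256").digest()

class Firmware:
    """Model of the allow list (db) and the revocation list (dbx)."""
    def __init__(self, db_keys, dbx_hashes=()):
        self.db = list(db_keys)
        self.dbx = set(dbx_hashes)

    def will_boot(self, image, signature):
        # A dbx match wins over any valid signature from a db key.
        if hashlib.sha256(image).hexdigest() in self.dbx:
            return False
        return any(hmac.compare_digest(sign(k, image), signature) for k in self.db)

def scenario():
    vendor_key = b"constructed-vendor-key"
    old_loader = b"bootloader v1 (honours the debug policy)"  # constructed image
    new_loader = b"bootloader v2 (ignores the debug policy)"  # constructed image
    old_sig = sign(vendor_key, old_loader)
    new_sig = sign(vendor_key, new_loader)
    recovery_media = (old_loader, old_sig)  # media that was never updated

    update_only = Firmware([vendor_key])
    with_dbx = Firmware([vendor_key], [hashlib.sha256(old_loader).hexdigest()])
    return {
        "update only / new loader": update_only.will_boot(new_loader, new_sig),
        "update only / old loader put back": update_only.will_boot(old_loader, old_sig),
        "dbx entry / new loader": with_dbx.will_boot(new_loader, new_sig),
        "dbx entry / old loader put back": with_dbx.will_boot(old_loader, old_sig),
        "dbx entry / unpatched recovery media": with_dbx.will_boot(*recovery_media),
    }

if __name__ == "__main__":
    for case, boots in scenario().items():
        print(f"{case}: {'boots' if boots else 'refused'}")
```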



  • amp3030
    replied
    Is it technically possible for MS to generate a new key and automatically send it out to every PC in the world via Windows Update, to restore the boot protection, at least for PCs that haven't already got a bootkit?



  • paschalis.sp
    replied
    stikonas Can you help me with the process? (links, or advice) would be very helpful...
