Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9

  • starshipeleven
    replied
    Originally posted by madscientist159
    You seem to be confusing the early signature checks (Boot Guard / ME signature checks) with the OS loader stage signature checks.
    No, it's you who are mixing it up.

    Secure Boot is an OS signature check and has a signature database and infrastructure to add and update the keys.

    Boot Guard is board firmware signature checks with the key fused in hardware https://github.com/corna/me_cleaner/...tel-Boot-Guard and is enforced by Intel ME when it is initializing the board.

    You answered my statement of "x86 UEFI does not impose any Secure Boot restriction" with "Maybe not at the OS level (yet, for the most part, etc.) but certainly it does impose severe restrictions on what the machine 'owner' can do to the rest of the firmware stack."

    Secure Boot does exactly nothing to restrict access to the firmware stack. It is simply an OS signature check before boot.

    The former means you have to trust the entire firmware stack implicitly on x86 systems.
    Hint: even the *vendor* doesn't trust that stack implicitly. That's why it's updateable.
    What the fuck are you talking about. The vendor's Boot Guard key is fused permanently in the chipset, no update is possible.

    You can update the board firmware if it is signed, but you can't change the key used to check the firmware, you can only desolder the chipset and replace it with a "new" one that has no such key fused in.

  • madscientist159
    replied
    Just saw this in my old notifications.

    You seem to be confusing the early signature checks (Boot Guard / ME signature checks) with the OS loader stage signature checks. The former means you have to trust the entire firmware stack implicitly on x86 systems.

    Hint: even the *vendor* doesn't trust that stack implicitly. That's why it's updateable.

  • starshipeleven
    replied
    Oh god this is why I hate you. You always need to spindoctor stuff.

    Originally posted by madscientist159
    Maybe not at the OS level (yet, for the most part, etc.) but certainly it does impose severe restrictions on what the machine "owner" can do to the rest of the firmware stack.
    Umm... no? Intel Boot Guard or its AMD equivalent (what actually prevents the owner from changing the firmware) are unrelated to Secure Boot or even UEFI, as they are hardware features (enforced by ME or PSP or fused signature in the chipset).

    future security update for UEFI removing custom OS support
    This is a problem with all signed board firmwares (i.e. not replaceable by the end user), and is unrelated to the availability or not of a "secure boot" implementation, and I'm tired of you posting bullshit goddamnit.

    Even BIOS could be updated to just check the checksum of Windows's MBR code before executing it, so it would execute ONLY the Windows bootloader. (Some BIOSes had a "boot sector virus check" feature that was able to block writes to or rewrite the MBR, for example.)

    Actually the whole Secure Boot system in UEFI is specifically designed around having the user and OEM add their keys.
    It is designed around a signature database and not just static hashes, because it's supposed to let the user/OEM add their keys to the system database.
    It makes no sense to even care about keys and signing shit if you are just booting the same bootloader over and over, a hard-coded checksum is enough.
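
The contrast drawn in the post above, between a hard-coded checksum and a signature database that accepts enrolled keys, as an added illustration that is not part of the thread. Textbook RSA over toy Mersenne-prime keys stands in for real signatures; the function names, keys and loader images are all constructed, and the scheme is not a secure one.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two primes: (public modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(image, n):
    """SHA-256 of the image, reduced into the key's range (toy simplification)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, n, d):
    return pow(digest(image, n), d, n)

def static_hash_boot(image, pinned):
    """Firmware that pins one checksum: only that exact bootloader runs."""
    return hashlib.sha256(image).hexdigest() == pinned

def key_db_boot(image, sig, db):
    """Firmware with a key database: any image signed by an enrolled key runs."""
    return any(pow(sig, E, n) == digest(image, n) for n in db)

# Constructed toy keys; real Secure Boot keys are far larger.
VENDOR_N, VENDOR_D = make_key(2**61 - 1, 2**31 - 1)
OWNER_N, OWNER_D = make_key(2**89 - 1, 2**107 - 1)

def demo():
    v1, v2, own = b"vendor loader 1.0", b"vendor loader 1.1", b"owner-built loader"
    pinned = hashlib.sha256(v1).hexdigest()
    db = [VENDOR_N]  # database as shipped: vendor key only
    own_sig = sign(own, OWNER_N, OWNER_D)
    results = {
        "pinned_v1": static_hash_boot(v1, pinned),
        # A pinned checksum rejects even the vendor's own update.
        "pinned_v2": static_hash_boot(v2, pinned),
        # The key database accepts the update because the signer is enrolled.
        "db_v2": key_db_boot(v2, sign(v2, VENDOR_N, VENDOR_D), db),
        "db_owner_before": key_db_boot(own, own_sig, db),
    }
    db.append(OWNER_N)  # the owner enrolls their own key
    results["db_owner_after"] = key_db_boot(own, own_sig, db)
    return results

if __name__ == "__main__":
    print(demo())
```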

  • madscientist159
    replied
    Originally posted by starshipeleven
    Apart from a few devices that suck and can't load custom keys in their database, x86 UEFI does not impose any Secure Boot restriction either.
    Maybe not at the OS level (yet, for the most part, etc.) but certainly it does impose severe restrictions on what the machine "owner" can do to the rest of the firmware stack. Which brings up the (admittedly unlikely, but technically possible) spectre of e.g. a future security update for UEFI removing custom OS support (or requiring a paid annual boot license, etc.). POWER simply doesn't have these problems, which is why I wanted to highlight it above.

  • starshipeleven
    replied
    Originally posted by madscientist159
    Should note that since the entire boot flow is owner controlled on Raptor POWER products, even when fully implemented this won't impose Secure Boot restrictions on users, existing or new. It instead allows the users to impose Secure Boot restrictions on third parties for the hardware they own, from black hat crackers to the very hardware vendors the systems came from.
    Apart from a few devices that suck and can't load custom keys in their database, x86 UEFI does not impose any Secure Boot restriction either.

    That said, it's good to see something other than UEFI with modern features every once in a while. Is this a Linuxboot system?

    I think I remember that Power servers have their own "smart" bootloader that can do UEFI-like stuff like reading the OS kernel from a partition but it's not Linux-based.

  • madscientist159
    replied
    won't impose any potential Secure Boot restrictions on existing users
    Should note that since the entire boot flow is owner controlled on Raptor POWER products, even when fully implemented this won't impose Secure Boot restrictions on users, existing or new. It instead allows the users to impose Secure Boot restrictions on third parties for the hardware they own, from black hat crackers to the very hardware vendors the systems came from.

  • tildearrow
    replied
    Typo:

    Originally posted by phoronix
    for old 32-biit BookE hardware,

  • Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9

    Phoronix: Linux 5.5 Begins Plumbing Secure Boot Infrastructure For POWER9

    With the PowerPC changes for the Linux 5.5 kernel comes the initial infrastructure work on preparing to be able to handle a Secure Boot implementation for POWER9 hardware...

    http://www.phoronix.com/scan.php?pag...POWER9-SB-Prep