Linux Group Files Complaint With EU Over SecureBoot


  • How about the malware authors just use Fedora's or Linux Foundation's shim bootloader to run their malware?

    Then: Microsoft revokes the keys to those bootloaders, and thousands of people's Linux computers simultaneously say "I can't let you do that, Dave" and stop working.

    (How does UEFI get information about revoked keys anyway? Does it contact some website to look for instructions about keys without user approval? If so, it sounds suspiciously like Palladium in new clothes... an outside entity can, at any time, shut down your computer at will. How is that not scaring people shitless?)

    Comment


    • Originally posted by duby229 View Post
      Just wait and see. If something can be encrypted then it can be decrypted as well.
      Yes, obviously - you already have the decryption key, otherwise how would you verify the signature? But you have no way to create an equivalently signed image.

      Comment


      • Originally posted by dee. View Post
        How about the malware authors just use Fedora's or Linux Foundation's shim bootloader to run their malware?
        Fedora's shim loader only loads binaries signed by Fedora or signed by a key that the physically-present end user has installed in their system. They'd need to either steal Fedora's key (which is kept in a physically secure location) or convince the user to install a new key. And if they can convince the user to install a new key, they can convince the user to just disable the protections entirely.

        (How does UEFI get information about revoked keys anyway? Does it contact some website to look for instructions about keys without user approval? If so, it sounds suspiciously like Palladium in new clothes... an outside entity can, at any time, shut down your computer at will. How is that not scaring people shitless?)
        Blacklist updates are distributed via your normal OS update mechanism. If you don't trust your OS vendor, you probably have other problems.

        Comment


        • Originally posted by mjg59 View Post
          Yes, obviously - you already have the decryption key, otherwise how would you verify the signature? But you have no way to create an equivalently signed image.
          You'll see. Every single restriction management system ever devised has been hacked. Literally all of them. Secureboot won't be any different. Everyone who thinks it's invulnerable will be sorely surprised when some flaw gets documented that allows some hack to be exploited. It's going to happen. When the sheer amount of effort that is going into hacking this is considered one can't help but to think it's only a matter of time.

          EDIT: I'm reasonably confident that whatever these hacks wind up looking like it probably won't be anything that Secureboot's developers ever thought of. That's the nature of hacks. People are fallible and they overlook things. It's just a matter of time for something that was overlooked to be exploited.
          Last edited by duby229; 27 March 2013, 05:35 PM.

          Comment


          • Originally posted by duby229 View Post
            You'll see. Every single restriction management system ever devised has been hacked.
            Every rights management system that relies on obfuscation of the keys. Secure Boot doesn't. Specific implementations may be compromised, but there's no known mechanism to break RSA.

            Comment


            • Originally posted by mjg59 View Post
              Blacklist updates are distributed via your normal OS update mechanism. If you don't trust your OS vendor, you probably have other problems.
              An OS update that messes with your UEFI? Given the horribly broken state of most UEFI implementations I have seen? Yeah, I totally don't see anything going wrong here, not at all

              Comment


              • Personally I have no doubt at all that some day I'm gonna wake up and load Phoronix to read Michael post an article describing how some guy somewhere wrote a tidy little tool that breaks Secureboot.

                EDIT: And when that happens all hell is going to break loose in the malware world.
                Last edited by duby229; 27 March 2013, 05:44 PM.

                Comment


                • Hell yeah!

                  Originally posted by duby229 View Post
                  Personally I have no doubt at all that some day I'm gonna wake up and load Phoronix to read Michael post an article describing how some guy somewhere wrote a tidy little tool that breaks Secureboot.

                  EDIT: And when that happens all hell is going to break loose in the malware world.
                  That day will be the happiest occasion for me to happen in years! This is especially very likely to happen, because hardware-implementations are very inflexible!

                  Comment


                  • Originally posted by mjg59 View Post
                    Every rights management system that relies on obfuscation of the keys. Secure Boot doesn't. Specific implementations may be compromised, but there's no known mechanism to break RSA.
                    The PS3 used asymmetric cryptography, yet its signing keys were found. RSA may not be broken, that doesn't mean it's impossible.

                    Comment


                    • Originally posted by curaga View Post
                      The PS3 used asymmetric cryptography, yet its signing keys were found. RSA may not be broken, that doesn't mean it's impossible.
                      The PS3 used a custom cryptographic system with specific weaknesses. Secure Boot uses plain RSA in the form of X509 certificates - this isn't some new and untested protocol, it's one that security researchers have spent significant time examining. It may be breakable, but right now there's no evidence that it is.

                      Comment
