Secure Boot? Yes, we've heard of it ...

Altoid · 2024-07-29 09:56:15

Hello:

Great way to start the week:

From this morning's The Register ...

Brandon Vigliarolo @The Register wrote:

Secure Boot useless on hundreds of PCs from major vendors after key leak
Plus: More stalkerware exposure; a $16M TracFone fine; Ransomware victims don't use MFA, and more

Snippets from the article:

... research published last week by security boffins at firmware security vendor Binarily.
... found hundreds of PCs sold by Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo and Supermicro – and components sold by Intel – using what appears to be a 12-year old test platform key (PK) leaked in 2022 ...

"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," Binarily's boffins wrote.

... not like the manufacturers using the offending PK didn't have reason to know it was untrusted ...
It said so right on the package.

Very interesting how secure the boot ended up being.

Best,

A.

Edit:
Just noticed another previous post here about this problem.
No matter: 50+ years later, Arte Johnson can still make me laugh out loud with his routines.
Much needed these days.

Last edited by Altoid (2024-07-29 10:20:54)

quickfur · 2024-07-29 13:33:32

IMNSHO, the fundamental issue with Secure Boot is that it's solving the wrong problem. As I said before, what's the point of Secure Boot if the OS it's going to boot into is insecure? It's the equivalent of ordering Diet Coke to appease your conscience alongside the 16oz juicy steak you're eating.

The first order of business is to fix the lousy OS, then you could meaningfully talk about booting securely.

Before then, the only thing that you could possibly achieve is merely a half-assed non-solution to the wrong problem. Which about summarizes the past 3 decades of Windows history.

igorzwx · 2024-07-29 14:36:29

quickfur wrote:

a half-assed non-solution to the wrong problem

Are you talking about pulseaudio?

lynch9 · 2024-07-29 15:33:17

@igorzwx
ahaha yeah, often it just ends up causing more headaches (much like other Poettering projects, IMO).
Personally, I just find it tricky to set up and too buggy in practice. It feels like a temporary fix rather than a real solution.. still waiting for something that actually works smoothly :P

Last edited by lynch9 (2024-07-30 13:03:56)

Matlib · 2024-08-07 23:06:06

Good laptops allow uploading your own key. In theory It allows using TPM to decrypt volumes, so that it doesn't ask for password on boot. But you need to trust laptop's BIOS (I wouldn't), and this is susceptible to cold boot attacks.

Apart from being compromised, the default PKE needs to be used with boot loader called “shim”, and it has had vulnerabilities too.

nahkhiirmees · 2024-08-18 20:13:24

Why on earth shim has to answer to http requests?
I thought that shim is supposed to be just a bootloader.

O tempora o mores...

Last edited by nahkhiirmees (2024-08-18 20:52:48)

quickfur · 2024-08-19 02:34:16

Http is like the "standard" for everything these days. Everyone and his neighbour's dog can't live without http. You can't do anything with any device without http, even if it's just to boot locally without a network connection (hint: it won't work). The day will come when you can't even go to the washroom without http. Just wait until the hackers hack into a zero day vulnerability in your toilet seat cover.

It's absolutely ridiculous, yet nobody's doing anything about it!

Micronaut · 2024-08-21 02:55:52

Slashdot has a story about yet another SNAFU with secure boot. MS attempting to fix a Wind'ohs vulnerability has broken GRUB and people with dual boot systems cannot boot.

Last edited by Micronaut (2024-08-21 02:56:21)

stargate-sg1-cheyenne-mtn · 2024-08-21 08:29:55

some microsoft windows users having problems with a recent update:

https://arstechnica.com/security/2024/08/a-patch-microsoft-spent-2-years-preparing-is-making-a-mess-for-some-linux-users/

stargate-sg1-cheyenne-mtn · 2024-08-21 10:02:58

while pointed out in another forum thread, the suggested reading is definitely informative and sharable.

https://dev1galaxy.org/viewtopic.php?pid=51773#p51773

here is a direct link to the suggested reading(in case the original post changes):

https://easylinuxtipsproject.blogspot.com/p/security.html

zapper · 2024-08-22 02:05:03

Secure boot is bad, because there is a network stack underneath the operating system running like almost always*

*unless you disable parts of intel me and coreboot the system.

Whose idea was it to put a network stack underneath the OS?

That only made problems for everyone, linux users included.

The officially official Devuan Forum!

#1 2024-07-29 09:56:15

Secure Boot? Yes, we've heard of it ...

#2 2024-07-29 13:33:32

Re: Secure Boot? Yes, we've heard of it ...

#3 2024-07-29 14:36:29

Re: Secure Boot? Yes, we've heard of it ...

#4 2024-07-29 15:33:17

Re: Secure Boot? Yes, we've heard of it ...

#5 2024-08-07 23:06:06

Re: Secure Boot? Yes, we've heard of it ...

#6 2024-08-18 20:13:24

Re: Secure Boot? Yes, we've heard of it ...

#7 2024-08-19 02:34:16

Re: Secure Boot? Yes, we've heard of it ...

#8 2024-08-21 02:55:52

Re: Secure Boot? Yes, we've heard of it ...

#9 2024-08-21 08:29:55

Re: Secure Boot? Yes, we've heard of it ...

#10 2024-08-21 10:02:58

Re: Secure Boot? Yes, we've heard of it ...

#11 2024-08-22 02:05:03

Re: Secure Boot? Yes, we've heard of it ...

Board footer