The officially official Devuan Forum!


#1 2024-07-29 09:56:15

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Secure Boot? Yes, we've heard of it ...

Hello:

Great way to start the week:

From this morning's The Register ...

Brandon Vigliarolo @The Register wrote:

Secure Boot useless on hundreds of PCs from major vendors after key leak
Plus: More stalkerware exposure; a $16M TracFone fine; Ransomware victims don't use MFA, and more

Snippets from the article:

... research published last week by security boffins at firmware security vendor Binarly.
... found hundreds of PCs sold by Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo and Supermicro – and components sold by Intel – using what appears to be a 12-year old test platform key (PK) leaked in 2022 ...

"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," Binarly's boffins wrote.

... not like the manufacturers using the offending PK didn't have reason to know it was untrusted ...
It said so right on the package.

Very interesting how secure the boot ended up being.

Best,

A.

Edit:
Just noticed another previous post here about this problem.
No matter: 50+ years later, Arte Johnson can still make me laugh out loud with his routines.
Much needed these days.

Last edited by Altoid (2024-07-29 10:20:54)


#2 2024-07-29 13:33:32

quickfur
Member
Registered: 2023-12-14
Posts: 431  

Re: Secure Boot? Yes, we've heard of it ...

IMNSHO, the fundamental issue with Secure Boot is that it's solving the wrong problem. As I said before, what's the point of Secure Boot if the OS it's going to boot into is insecure? It's the equivalent of ordering Diet Coke to appease your conscience alongside the 16oz juicy steak you're eating.

The first order of business is to fix the lousy OS, then you could meaningfully talk about booting securely.

Before then, the only thing that you could possibly achieve is merely a half-assed non-solution to the wrong problem. Which about summarizes the past 3 decades of Windows history.


#3 2024-07-29 14:36:29

igorzwx
Member
Registered: 2024-05-06
Posts: 105  

Re: Secure Boot? Yes, we've heard of it ...

quickfur wrote:

a half-assed non-solution to the wrong problem

Are you talking about pulseaudio?


#4 2024-07-29 15:33:17

lynch9
Member
Registered: 2024-07-17
Posts: 11  

Re: Secure Boot? Yes, we've heard of it ...

@igorzwx
ahaha yeah, often it just ends up causing more headaches (much like other Poettering projects, IMO).
Personally, I just find it tricky to set up and too buggy in practice. It feels like a temporary fix rather than a real solution.. still waiting for something that actually works smoothly :P

Last edited by lynch9 (2024-07-30 13:03:56)


Hey, it's lynchian9.
Feel free to reach out via email.


#5 2024-08-07 23:06:06

Matlib
Member
Registered: 2022-08-25
Posts: 7  

Re: Secure Boot? Yes, we've heard of it ...

Good laptops allow uploading your own key. In theory it allows using the TPM to decrypt volumes, so that it doesn't ask for a password on boot. But you need to trust the laptop's BIOS (I wouldn't), and this is susceptible to cold boot attacks.

Apart from being compromised, the default PKE needs to be used with a boot loader called “shim”, and it has had vulnerabilities too.


#6 2024-08-18 20:13:24

nahkhiirmees
Member
Registered: 2022-07-24
Posts: 261  

Re: Secure Boot? Yes, we've heard of it ...

Why on earth does shim have to answer HTTP requests?
I thought that shim was supposed to be just a bootloader.

O tempora o mores...

Last edited by nahkhiirmees (2024-08-18 20:52:48)


#7 2024-08-19 02:34:16

quickfur
Member
Registered: 2023-12-14
Posts: 431  

Re: Secure Boot? Yes, we've heard of it ...

Http is like the "standard" for everything these days. Everyone and his neighbour's dog can't live without http. You can't do anything with any device without http, even if it's just to boot locally without a network connection (hint: it won't work). The day will come when you can't even go to the washroom without http. Just wait until the hackers hack into a zero day vulnerability in your toilet seat cover.

It's absolutely ridiculous, yet nobody's doing anything about it!


#8 2024-08-21 02:55:52

Micronaut
Member
Registered: 2019-07-04
Posts: 228  

Re: Secure Boot? Yes, we've heard of it ...

Slashdot has a story about yet another SNAFU with secure boot. MS attempting to fix a Wind'ohs vulnerability has broken GRUB and people with dual boot systems cannot boot.

Last edited by Micronaut (2024-08-21 02:56:21)


#9 2024-08-21 08:29:55

stargate-sg1-cheyenne-mtn
Member
Registered: 2023-11-27
Posts: 190  

Re: Secure Boot? Yes, we've heard of it ...


Be Excellent to each other and Party On!
https://www.youtube.com/watch?v=rph_1DODXDU
https://en.wikipedia.org/wiki/Bill_%26_Ted%27s_Excellent_Adventure
Do unto others as you would have them do instantaneously back to you!


#10 2024-08-21 10:02:58

stargate-sg1-cheyenne-mtn
Member
Registered: 2023-11-27
Posts: 190  

Re: Secure Boot? Yes, we've heard of it ...

while pointed out in another forum thread, the suggested reading is definitely informative and sharable.

https://dev1galaxy.org/viewtopic.php?pid=51773#p51773

here is a direct link to the suggested reading (in case the original post changes):

https://easylinuxtipsproject.blogspot.com/p/security.html



#11 2024-08-22 02:05:03

zapper
Member
Registered: 2017-05-29
Posts: 967  

Re: Secure Boot? Yes, we've heard of it ...

Secure boot is bad, because there is a network stack underneath the operating system running like almost always*

*unless you disable parts of Intel ME and coreboot the system.

wink

Whose idea was it to put a network stack underneath the OS?

That only made problems for everyone, Linux users included.


Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!
