Matthew Garrett (mjg59) wrote,
@ 2012-06-14 08:39 pm UTC
Entry tags:advogato, fedora
Carla Schroder wrote a piece for linux.com on secure boot, which gives a reasonable overview of the technology and some of the concerns. It unfortunately then encourages everyone to ignore those legitimate concerns by making the trivially false claim that secure boot is just security theatre.

Security isn't some magic binary state where you're either secure or insecure and you can know which. Right now I'd consider my web server secure. If someone finds an exploitable bug in Apache then that would obviously no longer be the case. I could make it more secure by ensuring that Apache runs in a sufficiently isolated chroot that there's no easy mechanism for anyone to break out, which would be fine up until there's also a kernel exploit that allows someone to escalate their privileges enough to change their process root. So it's entirely possible that someone could right now be breaking into my system through bugs I don't even know exist. Am I secure? I don't know. Does that mean I should just disable all security functionality and have an open root shell bound to a well-known port? No. Obviously.

Secure boot depends on the correctness of the implementation and the security of the signing key. If the implementation is flawed or if control of the signing key is lost then it stops providing security, and understanding that is important in order to decide how much trust you place in the technology. But much the same is true of any security technique. Kernel flaws make it possible for an unprivileged user to run with arbitrary privileges. Is user/admin separation security theatre? SSL certificate authorities have leaked keys. Is it security theatre for your bank to insist that you use SSL when logging in?

Secure boot doesn't instantly turn an insecure system into a secure one. It's one more technology that makes it more difficult for attackers to take control of your system. It will be broken and it will be fixed, just like almost any other security measure. If it's security theatre, so is your door lock.

Why is this important? Because if you tell anyone that understands the technology that secure boot adds no security, they'll just assume that you're equally uninformed about everything else you're saying. It's a perfect excuse for them to just ignore discussion of market restrictions and user freedoms. We don't get anywhere by arguing against reality. Facts are important.


(Read 48 comments) - (Post a new comment)

Re: assumption of innocence


(Anonymous)
2012-06-21 02:03 pm UTC
My response wasn't about the kernel issue, I was referring to your assertion that there is "no way for the OS to prove that the PAM stack hasn't been replaced".

But there is, since the OS can execute processes in parallel with the PAM stack (e.g. init, sulogin) which can independently observe it.



Re: assumption of innocence


mjg59
2012-06-21 02:09 pm UTC
Of course, once someone's replaced the PAM stack, they've also had the ability to modify everything that could validate it.

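An added example, not code from the post or from anyone in the comments, that models the two things the post says secure boot depends on (a correct verifier and a private signing key) and the point of the exchange just above (a checker that runs on the same host as the thing it checks). It uses Go's standard-library ed25519. The key is generated in-process, the image and file contents are constructed strings, and the type names (Image, Firmware, HostChecker) are this example's own, not anything from UEFI or a real firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image is one component in the boot chain: a payload and a signature over
// SHA-256(payload) made by whoever holds the signing key.
type Image struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// Sign produces a signed image. The private key stands in for the OEM or
// distribution signing key whose secrecy secure boot depends on.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Image {
	d := sha256.Sum256(payload)
	return Image{Name: name, Payload: payload, Sig: ed25519.Sign(priv, d[:])}
}

// Firmware models the part of the chain the attacker cannot rewrite: it
// carries only the public key, so it can check signatures but not make them.
type Firmware struct {
	TrustedKey ed25519.PublicKey
}

// Verify is the correct check: missing, malformed and wrong signatures are
// all rejected, as is any change to the payload after signing.
func (f Firmware) Verify(img Image) bool {
	if len(img.Sig) != ed25519.SignatureSize {
		return false
	}
	d := sha256.Sum256(img.Payload)
	return ed25519.Verify(f.TrustedKey, d[:], img.Sig)
}

// VerifyLenient is the kind of implementation flaw the post warns about:
// an image with no signature is treated as "nothing to check" and allowed.
func (f Firmware) VerifyLenient(img Image) bool {
	if len(img.Sig) == 0 {
		return true // bug: unsigned images are accepted
	}
	return f.Verify(img)
}

// HostChecker models a check that runs on the OS itself (the "parallel
// process observing the PAM stack" from the thread). Its reference hashes
// live on the same writable disk as the files it checks.
type HostChecker struct {
	Reference map[string][32]byte
}

// Check compares a file's current hash with the stored reference.
func (h HostChecker) Check(name string, payload []byte) bool {
	return h.Reference[name] == sha256.Sum256(payload)
}

// Replace is what an attacker with root does: rewrite the component and,
// since nothing stops them, the reference hash the host checker trusts.
func (h HostChecker) Replace(name string, payload []byte) {
	h.Reference[name] = sha256.Sum256(payload)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fw := Firmware{TrustedKey: pub}
	loader := Sign(priv, "bootloader", []byte("constructed bootloader bytes"))
	fmt.Println("genuine loader:", fw.Verify(loader))

	tampered := loader
	tampered.Payload = []byte("constructed bootloader bytes + backdoor")
	fmt.Println("tampered loader:", fw.Verify(tampered))

	unsigned := Image{Name: "bootloader", Payload: tampered.Payload}
	fmt.Println("unsigned, strict:", fw.Verify(unsigned), "lenient:", fw.VerifyLenient(unsigned))

	// Lost key: whoever holds priv can sign anything and the firmware accepts it.
	evil := Sign(priv, "bootloader", tampered.Payload)
	fmt.Println("signed with leaked key:", fw.Verify(evil))

	// Host-side check: the attacker replaces both the file and its reference.
	hc := HostChecker{Reference: map[string][32]byte{}}
	hc.Replace("pam_unix.so", []byte("constructed genuine pam"))
	hc.Replace("pam_unix.so", []byte("constructed trojaned pam"))
	fmt.Println("host self-check after replacement:", hc.Check("pam_unix.so", []byte("constructed trojaned pam")))
}
```

The firmware check fails for a tampered or unsigned image and passes for one signed with the leaked key, which is the whole reason key custody matters. The host checker passes after the replacement because the attacker who could overwrite the PAM module could equally overwrite the reference it is compared against; a check is only as trustworthy as the part of the system the attacker could not reach, which is what rooting verification in firmware and a key held off the host buys you.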


