"Why not just use Coreboot?"
Jun. 6th, 2012 10:32 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mjg59Why not just avoid the entire Secure Boot problem by using Coreboot? Because the reason we have the Secure Boot problem is because Microsoft's Windows 8 certification requirements mean vendors have to ship a UEFI implementation with Secure Boot. You could satisfy that by using Coreboot with a Tiano payload, but it'll still have Secure Boot enabled so you still have the same set of problems. But maybe you could just reflash your system with Coreboot? No, because another part of the requirements states that all firmware updates have to be cryptographically signed now. The only way to reflash will be to attach a flash programmer directly to your motherboard.
So why not just use Coreboot? Because it doesn't help solve this problem in any way.
So why not just use Coreboot? Because it doesn't help solve this problem in any way.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2012-06-06 04:10 pm (UTC)UEFI is so complex that it is almost impossible to implement bug free.
(no subject)
From:What keys can be used to sign the firmware (typically)?
Date: 2012-06-06 05:38 pm (UTC)Re: What keys can be used to sign the firmware (typically)?
From:Coreboot = dead soon?
Date: 2012-06-06 06:01 pm (UTC)Such a shame. I much preferred Coreboot's minimalism. But even openfirmware would have been preferable over UEFI. I still don't understand the raison d'etre of (U)EFI, and it seems to have been overloaded with boatloads of "stuff" of dubious necessity.
From what I understand, even an open source "UEFI-light" is not in the cards, right? Man, this really is turning into a nightmare.
Re: Coreboot = dead soon? How is firmware flashing prevented?
From:Re: Coreboot = dead soon? How is firmware flashing prevented?
From:Re: Coreboot = dead soon?
From:Re: Coreboot = dead soon?
From:Re: Coreboot = dead soon? How is firmware flashing prevented?
From:no subject
Date: 2012-06-06 06:07 pm (UTC)firmware/hardware-level password protection as an alternative
Date: 2012-06-06 09:00 pm (UTC)I wouldn't be surprised if this is not possible on today's systems, but wouldn't this be an appealing alternative to placing the burden of security on some other key-signing authority? The computer would come with a pre-set random password, and/or ask for one on first boot. Ideally, users could be given the option of using the password, or using Microsoft keys.
I'm curious if you can spot any problems with this idea. One that I see is that the password check may need to be at the cpu, chipset, or firmware level before giving write access to firmware. That might be tricky to implement and/or depend on AMD/Intel wanting to implement it.
Another catch is: if flashing is done within a booted OS, then you face the problem of keyloggers. But this can be avoided by booting from a usb stick to flash the firmware.
I think having this choice is preferable to a "Trust Microsoft's key signing authority and the ability for every signed GNU/Linux distro to lock down their bootloaders, kernels and modules appropriately" approach as the only option besides having no protection at all.
What do you think about this idea?
Re: firmware/hardware-level password protection as an alternative
From: (Anonymous) - Date: 2012-06-06 09:10 pm (UTC) - ExpandRe: firmware/hardware-level password protection as an alternative
From:Re: firmware/hardware-level password protection as an alternative
From: (Anonymous) - Date: 2012-06-07 02:29 pm (UTC) - ExpandEFI is horrible, just see how much so.
Date: 2012-06-06 10:07 pm (UTC)http://www.youtube.com/watch?v=V2aq5M3Q76U
Re: EFI is horrible, just see how much so.
From:Re: EFI is horrible, just see how much so.
From: (Anonymous) - Date: 2012-06-07 05:03 pm (UTC) - ExpandGoogle will disagree with you for now
Date: 2012-06-06 10:19 pm (UTC)Realistically, though, if we ever get to the point that we can't do something like coreboot on hardware, the next target is Linux -- as it has been all along, since this secure boot nonsense first started to appear. And we can't hide behind the ARM: MS is pushing UEFI on that one too.
The Chromebook/Chromebox have a verified boot that's open source right down to the BIOS. That's how it ought to be.
Not that I speak for Google.
Re: Google will disagree with you for now
From: (Anonymous) - Date: 2012-06-07 12:43 am (UTC) - ExpandRe: Google will disagree with you for now
From:Re: Google will disagree with you for now
From: (Anonymous) - Date: 2012-06-07 10:45 am (UTC) - ExpandRe: Google will disagree with you for now
From: (Anonymous) - Date: 2014-02-18 07:34 pm (UTC) - ExpandSmall correction
Date: 2012-06-06 11:13 pm (UTC)Re: Small correction
From:Why hasn't Red Hat gone to the DOJ?
Date: 2012-06-06 11:29 pm (UTC)Why haven't Red Hat and the other Linux friendly tech companies gone to the DOJ about this? This is clearly setting Microsoft up to be the gatekeeper whether or not they are being benevolent about it at the moment. It is simply unacceptable that a company with a monopoly hold on the OS market should be the sole driving force behind this technology. Especially considering past threats against Linux. Why isn't anyone screaming bloody murder right now?
Re: Why hasn't Red Hat gone to the DOJ?
From: (Anonymous) - Date: 2012-06-07 08:36 am (UTC) - ExpandRe: Why hasn't Red Hat gone to the DOJ?
From:Re: Why hasn't Red Hat gone to the DOJ?
From: (Anonymous) - Date: 2012-06-07 03:45 pm (UTC) - ExpandSeriously?
Date: 2012-06-07 01:45 pm (UTC)Why not just drop ALL of those wasted words and start with "Microsoft's Windows 8 certification requirements means..."
Flame
Date: 2012-06-07 03:32 pm (UTC)there is a www.change.org petition started about UEFI
Date: 2012-06-07 04:33 pm (UTC)https://www.change.org/petitions/federal-trade-commission-stop-microsoft-pc-makers-monopoly-plan-for-uefi-boot-loader-restriction
People are stupid as usual
Date: 2012-06-08 05:03 pm (UTC)Re: People are stupid as usual
From:Re: People are stupid as usual
From: (Anonymous) - Date: 2012-06-08 11:14 pm (UTC) - ExpandRe: People are stupid as usual
From:Re: People are stupid as usual
From: (Anonymous) - Date: 2012-06-08 11:19 pm (UTC) - Expanddelete the duplicate please
Date: 2012-06-08 05:08 pm (UTC)Someone can just write and sign the bytecoode interpreter. Then what? Even though the
interpreter itself is not malicious it could be used for malicious purposes. Where do
you draw a line? Will you ban thin hypervisors because some flaw could allow unsigned
VM code to change something on the host?
>>People desperately want to believe that the Secure Boot implementation is fundamentally
>>broken, and that's just not true.
But it is true.
Certificate Authority system is broken. Adding a 3rd party to a chain of trust reduces
security by increasing the number of entities you implicitly trust. The whole CA thing
is just a money raking scheme, a big boys club membership pass.
>>For starters, you'll need to provide some form of plausible ID for Verisign to
>>authenticate you and hand over access.
Yes, as if someone from Russia or China couldn't do that. Good luck trying to arrest them.
Anyway, Verisign wouldn't be the first security company that got compromised.
Verisign has been tricked into issuing certificates in Microsoft's name:
http://news.cnet.com/2100-1001-254628.html
Diginotar has been breached:
http://isc.sans.edu/diary.html?storyid=11500
RSA has been breached:
http://www.nytimes.com/2011/06/08/business/08security.html?pagewanted=all
Microsoft's own certificates were compromised few days ago and had to be revoked, not
to mention that they have allowed Flame malware to exist and do its bidding. It's almost
as if that was a deliberate backdoor waiting to be exploited:
http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
And what if someone with enough determination actually physically breached into Verisign
and got the UEFI root CA thus compromising everything? How is that going to be revoked?
Will it require user consent, or will it be silent, mandatory key update? What will happen
with user added keys? Will you trust the state of potentially compromised system or you
will zap the key store and just load the new key? Will you have to pay again to sign with
a new key?
The whole point of secure boot is not to secure our computers from malicious software
(did anyone seriously believed that for one second?), but to secure software and media
content that we "the pirates" might try to "steal".
Next thing you won't be able to pass the BIOS boot screen unless the computer is online
and can check for updated or revoked certificates. From that point onwards it is just a
matter of months before they will silently start scanning your data and sending it to
them through the out-of-band network channel.
UEFI key management application
Date: 2012-06-09 10:10 am (UTC)Let's assume, that users want to insure that their boot sequence has been verified and signed by the trusted vendor of their choice, yet still keep themselves in control to override the upstream signatures. How should that be set up?
There could be some centrally maintained list of 'root' keys that each hardware vendor imports as the default list. The signing format must be updated to allow multiple signatures on binaries. That way, the user can choose which vendor keys to trust and distributions can decide to have there code signed by multiple vendors who choose to take responsibility for the security of the code. The UEFI implementation must provide a simple application to manage those keys. This simple applications must provide a consistent user experience over all UEFI implementations. It would probably be best to provide this simple application in the reference implementation. The management must allow the user to trust and distrust keys, to remove keys and to add keys from external media and to prioritize keys in a list to resolve potential conflicts of binaries whose signatures have been revoked by some vendors but not by others. There should probably also be an easy way to restore the default list. Yet there must be another application for the operating systems for every day users to generate there own key and install it on external media to add it to the UEFI key management, so that they can position their own key on top and override the vendor keys. It should also be trivial for the user to sign boot loaders, kernels, drivers they trust.
The major distributions could use a single organization like the Linux Foundation to manage a root key in the default list. Yet it would allow other distributions to distribute their own root key independently via their websites. The user would store them on external media to install them via the UEFI key management. This should allow the user to control the system while using secure boot to keep whatever integrity secure boot offers.
Re: UEFI key management application
From: (Anonymous) - Date: 2012-06-11 06:11 pm (UTC) - ExpandRe: UEFI key management application
From:Why not just use coreboot?
Date: 2012-06-15 09:14 pm (UTC)Re: Why not just use coreboot?
From:Re: Why not just use coreboot?
From: (Anonymous) - Date: 2012-06-16 04:11 am (UTC) - Expand