On Sat, Jun 2, 2012 at 6:50 PM, pk <pete...@coolmail.se> wrote: > On 2012-06-02 22:10, Michael Mol wrote:
[snip] >> It's also probable that the OS kernel can tell the UEFI BIOS about new >> keys to blacklist. I expect that'll be a recurring thing in the >> Monthly batch of security updates Microsoft puts out. (Makes sense, >> really; if malware is using a key, blacklist that key.) > > Yes, would expect something like this. Secure boot supposedly prevents > "unauthorized firmware, operating systems or UEFI drivers" at boot time. > So if I interpret this correctly it would mean that if I have, say, an > old graphics card with an old firmware (vga bios) I can't use it with > "secure boot". It's probable that a system using an IOMMU and virtualization tech could emulate the real-mode requirements needed to execute that VGA BIOS safely. Gets more interesting...my understanding of things like Firewire is that it's almost trivially easy to crack a system on the bus, because of the way DMA is implemented. > More interestingly, how is an "operating system" defined? > Does it mean only the kernel itself or does it mean a full-blown OS with > init and other supporting software? The BIOS will only load a signed bootloader. The signed bootloader will only load a signed kernel. The signed kernel will...do whatever you tell it to do. > What does that mean to a source based "distro"? It's going to make building and installing grub and the kernel trickier; you'll have to get them signed. And that's going to be a PITA for anyone who does developers. What it *really* means is that someone who wants to run Linux as a hobbyist or developer is going to disable "SecureBoot", and then fall back to business as usual. > Also, I would assume a legitimate key would be able to > sign pretty much any binary so a key that Fedora uses could be used to > sign malware for Windows, which then would be blacklisted by > Microsoft... If Fedora allows their key to sign crap, then their key will get revoked. What I hope (I don't know) is whether or not the signing system involved allows chaining. i.e., with SSL, I can generate my own key, get it signed by a CA, and then bundle the CA's public key and my public key when I go on to sign _another_ key. So, could I generate a key, have Fedora sign it, and then use my key to sign my binaries? If my key is used to do malicious things, Fedora's off the hook, and it's only my key which gets revoked. > and how is malware defined? Anything that would be > detrimental to Microsoft? Dunno. I imagine it comes down to whatever the chief key's owner doesn't want running on the same hardware while SecureBoot is enabled. Rootkits come to mind. > >> Someone linked to some absolutely terrible stuff being built into >> Intel's Ivy Bridge...it's plausible it will be possible to deploy > > You mean: > https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control > > ? The vPro stuff relates, yeah. > >> blacklist key updates over the network within a couple years. > > Well, UEFI already implements remote management: > http://www.uefi.org/news/UEFI_Overview.pdf (page 13) > ... so implementing an automatic update over the network, preferably via > SMM/SMI so that the operating system cannot intervene would be possible > already today... and you've lost control of your computer. You still own your network, so you have at least some control over it. These features are intended to be managed by the system network administrator. This is going to be a matter of caveat emptor. Don't buy a Tivo or Kindle and expect to be able to repurpose it. (And don't buy hardware from Oracle, I expect. Though I suspect you may eventually not get a choice is you want to run their software.) If you don't know whether or not you can expect to reformat a device before you buy it, then you haven't been paying attention to mobile tech over the last five years, and you didn't do your homework. Apologies for the lack of sympathy. :( -- :wq
