Re: [DNG] UEFI Secure Boot workaround?
Didier Kryn writes:
> On 04/03/2016 12:42, Arnt Gulbrandsen wrote:
>> Didier Kryn writes:
>>> Insert a Knoppix Cdrom, mount your home and read it. If UEFI
>>> refuses to boot the Knoppix disk, use the Debian installer.
>>
>> Mounting the home (using either knoppix or d-i) requires the luks
>> passphrase. You could get that passphrase if you're able to install
>> a keysniffing kernel that my boot loader trusts, and give me the
>> laptop back. Or perform some other attack that either bypasses luks
>> or obtains the password.
>>
>> Arnt
>>
> Booting from removable media bypasses the bootloader (does it
> bypass UEFI?). Therefore it is enough to have a live OS on removable
> media, equipped with this keysniffing kernel. But, sure, as
> Dr. Nikolaus Klepp writes, it suffices to plug the disk into another
> computer.
>
> I wonder if this UEFI thingy is anything else than a pure annoyance.

It's designed to be useful to the people "PC hardware vendors" have a reason to care for, IOW, Microsoft, Microsoft and Microsoft. Probably for no more nefarious reasons than making "software and content 'piracy'" more difficult by ensuring that "ordinary users" can't run software enabling them to do so. That it additionally requires some amount of "jailbreaking" in order to install "Linux system software" the usual suspects disapprove of is probably just a side effect.

BTW, https://citp.princeton.edu/research/memory/

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] UEFI Secure Boot workaround?
Arnt Gulbrandsen wrote:
> Simon Hobson writes:
>> Not really, but I don't see any sign of that as a question in the post I was
>> replying to !
>
> You said secure boot's security is blown out of the water because it's
> possible to run untrusted code under certain circumstances.

Pretty much

> IMHO it provides useful security because (absent mistakes by the owner) there
> are many attackers who cannot make use of those circumstances.

Not really, it comes down to "anyone with physical access to your hardware" can fiddle with the boot process. With the ability to run an "insecure" boot package, you have the opportunity to interject in the process - such as capture your password unlocking the encrypted root volume. Full disk encryption won't help unless it's handled by the BIOS/EFI; having full disk encryption done by the kernel means that (as a minimum) you need a volume unencrypted with a bootloader, kernel, and init filesystem.

Really, it comes down to that group of "many attackers who cannot make use of those circumstances" is really the same set that can't attack your boot process because they don't have physical access to the machine (or remote admin ability while it's running). In this situation, the security added by secure boot is roughly ... a bit of a hindrance, but no obstacle to someone who knows what they are doing.

The only way round that is for there to be no "insecure" signed bootloaders in existence. But because that situation pretty well kills "open" operating systems, that is not the case.
Re: [DNG] UEFI Secure Boot workaround?
On Friday, 4 March 2016, Arnt Gulbrandsen wrote:
> Dr. Nikolaus Klepp writes:
> > On Friday, 4 March 2016, Arnt Gulbrandsen wrote:
> >> You said secure boot's security is blown out of the water because it's
> >> possible to run untrusted code under certain circumstances. IMHO it
> >> provides useful security because (absent mistakes by the owner) there are
> >> many attackers who cannot make use of those circumstances.
> >
> > In most cases a 50¢ screwdriver will make those unlikely
> > circumstances reality. Lawful inspection, anyone?
>
> Not using full disk encryption is a bad, bad mistake. So what?

Austrian economy loses ~ 1.600.000.000,- € every year because of "friendly" espionage (this is an official number given by BMI). ~ 800.000 notebooks are stolen worldwide every year. Guess what full disc encryption will give you for a security benefit.

Nik

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
Re: [DNG] UEFI Secure Boot workaround?
On 04/03/2016 12:42, Arnt Gulbrandsen wrote:
> Didier Kryn writes:
>> Insert a Knoppix Cdrom, mount your home and read it. If UEFI
>> refuses to boot the Knoppix disk, use the Debian installer.
>
> Mounting the home (using either knoppix or d-i) requires the luks
> passphrase. You could get that passphrase if you're able to install
> a keysniffing kernel that my boot loader trusts, and give me the
> laptop back. Or perform some other attack that either bypasses luks
> or obtains the password.
>
> Arnt

Booting from removable media bypasses the bootloader (does it bypass UEFI?). Therefore it is enough to have a live OS on removable media, equipped with this keysniffing kernel. But, sure, as Dr. Nikolaus Klepp writes, it suffices to plug the disk into another computer.

I wonder if this UEFI thingy is anything else than a pure annoyance.

Didier
Re: [DNG] UEFI Secure Boot workaround?
Dr. Nikolaus Klepp writes:
> On Friday, 4 March 2016, Arnt Gulbrandsen wrote:
>> You said secure boot's security is blown out of the water because it's
>> possible to run untrusted code under certain circumstances. IMHO it
>> provides useful security because (absent mistakes by the owner) there are
>> many attackers who cannot make use of those circumstances.
>
> In most cases a 50¢ screwdriver will make those unlikely
> circumstances reality. Lawful inspection, anyone?

Not using full disk encryption is a bad, bad mistake. So what?

Arnt
Re: [DNG] UEFI Secure Boot workaround?
On Friday, 4 March 2016, Arnt Gulbrandsen wrote:
> Simon Hobson writes:
> > Not really, but I don't see any sign of that as a question in
> > the post I was replying to !
>
> You said secure boot's security is blown out of the water because it's
> possible to run untrusted code under certain circumstances. IMHO it
> provides useful security because (absent mistakes by the owner) there are
> many attackers who cannot make use of those circumstances.

In most cases a 50¢ screwdriver will make those unlikely circumstances reality. Lawful inspection, anyone?

nik

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
Re: [DNG] UEFI Secure Boot workaround?
Simon Hobson writes:
> Not really, but I don't see any sign of that as a question in the post I was
> replying to !

You said secure boot's security is blown out of the water because it's possible to run untrusted code under certain circumstances. IMHO it provides useful security because (absent mistakes by the owner) there are many attackers who cannot make use of those circumstances.

Arnt
Re: [DNG] UEFI Secure Boot workaround?
Arnt Gulbrandsen wrote:
> Simon Hobson writes:
>> Isn't it the bootloader that UEFI loads and runs, and as long as the
>> bootloader (Grub) is signed, then UEFI should boot it and grub can boot
>> anything you want. Kind of blasts the argument that secure boot is either
>> essential or secure out of the water when you can sign one bit of
>> "insecure"* code and have it load anything.
>
> I wonder if you misunderstand, perhaps...

Evidently ...

> I have a linux laptop with data you shouldn't access. You may assume it's
> sensibly configured (secure boot, luks, etc, but standard hardware, no
> epoxy). Can you explain to me how you would evade its security?

Not really, but I don't see any sign of that as a question in the post I was replying to !

But just thinking off the top of my head ...
The bootloader can't be on an encrypted partition, unless the EFI supports that. So you have part of the boot process which isn't secured. Therefore anyone with access to the hardware can interfere with the bootloader and in theory, that could include booting the kernel in some non-standard way. It's not beyond the bounds of possibility to sniff the password* for unlocking your encrypted volume and storing that for later retrieval before booting your chosen setup without further modification.

* I'm assuming that to access the encrypted volumes, either the key must be accessible to the bootloader (and hence to any other signed bootloader someone might install), or there is a password needed to unlock it (in which case there's scope for sniffing the keystrokes).

The way round this is a completely secure boot process - where the bootloader needs to be signed, and will only load signed configs, and will only run signed binaries, and so on. This is much as certain organisations have been trying to push for a while - against a "certain amount of pushback" from those of us who want to be able to run what we want on our own hardware.

The fact that we have a "signed" bootloader that will load unsigned configs and binaries (ie our choice of kernel) makes a hole in the system.
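Simon's two messages above both come down to the same point: with kernel-side full disk encryption there is always an unencrypted boot partition (bootloader, kernel, initramfs) that anyone with the hardware in hand can alter, and Secure Boot plus a permissive signed bootloader does not stop that. A defender cannot encrypt that partition, but can at least detect when it has changed since the machine was last known-good. The script below is an added example written for this page, not code from the thread or from any project named in it. It records a SHA-256 manifest of every file on the boot partition, diffs the live partition against that manifest later, and reads the firmware's SecureBoot variable so the check can also report whether signature enforcement is on. It assumes POSIX sh with coreutils (find, sha256sum, sort, diff, od), and it assumes the baseline file is kept where an attacker who rewrites /boot cannot also rewrite it (on the encrypted root, or on media the owner carries); the efivars path is the standard EFI global-variable GUID, and the boot tree in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect changes to the unencrypted boot
# partition that Secure Boot plus LUKS leaves exposed.  A baseline manifest is
# recorded while the machine is known-good; later runs diff the live partition
# against it, so a replaced bootloader, kernel or initramfs is visible before
# the LUKS passphrase is typed into it again.
# Assumptions: POSIX sh with coreutils (find, sha256sum, sort, diff, od).  Keep
# the baseline off /boot (on the encrypted root or on removable media).

# Print "sha256  ./relative/path" for every regular file under $1, sorted by
# path so two manifests of the same tree compare line for line.
boot_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# Record the known-good baseline of boot directory $1 into file $2.
boot_baseline() {
    boot_manifest "$1" > "$2"
}

# Diff the live boot directory $1 against baseline $2.  Prints a unified diff:
# "-" lines are files missing or changed since the baseline, "+" lines are
# files new or changed.  Returns 0 when the tree matches, 1 when it differs.
boot_verify() {
    boot_manifest "$1" | diff -u "$2" -
}

# Read the UEFI SecureBoot variable.  efivarfs exposes 4 bytes of variable
# attributes followed by the 1-byte value, so skip 4 and read 1.  Prints 1
# (enforcing), 0 (disabled) or "unknown" (not an EFI boot, or not readable;
# exit status 2).  $1 overrides the path; the default is the EFI global GUID.
secure_boot_state() {
    var=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    if [ ! -r "$var" ]; then
        echo unknown
        return 2
    fi
    od -An -tu1 -j4 -N1 "$var" | tr -d ' '
}

# Stand-alone demo on a constructed boot tree: sh boot_check.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/boot/EFI/BOOT"
    printf 'constructed bootloader' > "$tmp/boot/EFI/BOOT/BOOTX64.EFI"
    printf 'constructed kernel' > "$tmp/boot/vmlinuz"
    boot_baseline "$tmp/boot" "$tmp/boot.sha256"
    printf 'constructed change' >> "$tmp/boot/vmlinuz"   # simulate tampering
    if boot_verify "$tmp/boot" "$tmp/boot.sha256"; then
        echo "boot tree matches baseline"
    else
        echo "boot tree differs from baseline (see diff above)"
    fi
    echo "SecureBoot: $(secure_boot_state)"
    rm -rf "$tmp"
fi
```

Run `boot_baseline /boot /root/boot.sha256` after a trusted install or kernel update, and `boot_verify /boot /root/boot.sha256` from the encrypted root at every boot (or before typing anything sensitive). The diff identifies which file moved, so a changed `vmlinuz` or initramfs after a package upgrade can be told apart from an unexpected change to the bootloader; it does not, and cannot, prove the firmware itself is intact, which is the limit Simon's argument points at.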
Re: [DNG] UEFI Secure Boot workaround?
On 04/03/2016 12:10, Arnt Gulbrandsen wrote:
> Simon Hobson writes:
>> Isn't it the bootloader that UEFI loads and runs, and as long as the
>> bootloader (Grub) is signed, then UEFI should boot it and grub can boot
>> anything you want. Kind of blasts the argument that secure boot is either
>> essential or secure out of the water when you can sign one bit of
>> "insecure"* code and have it load anything.
>
> I wonder if you misunderstand, perhaps...
>
> I have a linux laptop with data you shouldn't access. You may assume it's
> sensibly configured (secure boot, luks, etc, but standard hardware, no
> epoxy). Can you explain to me how you would evade its security?
>
> I'm not interested in how I could misconfigure it, because I'm not worried
> about attacks by myself. Assuming I configured it sensibly, how would you
> either access the data or install password-sniffing software?
>
> Arnt

Insert a Knoppix Cdrom, mount your home and read it. If UEFI refuses to boot the Knoppix disk, use the Debian installer.

I can see two ways to protect data: protect the laptop, or crypt the data.

Didier
Re: [DNG] UEFI Secure Boot workaround?
Simon Hobson writes:
> Isn't it the bootloader that UEFI loads and runs, and as long as the
> bootloader (Grub) is signed, then UEFI should boot it and grub can boot
> anything you want. Kind of blasts the argument that secure boot is either
> essential or secure out of the water when you can sign one bit of
> "insecure"* code and have it load anything.

I wonder if you misunderstand, perhaps...

I have a linux laptop with data you shouldn't access. You may assume it's sensibly configured (secure boot, luks, etc, but standard hardware, no epoxy). Can you explain to me how you would evade its security?

I'm not interested in how I could misconfigure it, because I'm not worried about attacks by myself. Assuming I configured it sensibly, how would you either access the data or install password-sniffing software?

Arnt
Re: [DNG] UEFI Secure Boot workaround?
Edward Bartolo wrote:
> I think, with a signed Linux kernel, UEFI Secure Boot can be made to
> load any other unsigned Linux kernel, which would imply, any
> distribution would be possible to be booted.
>
> How I imagine it can be done:[list]
> [*]boot partition would contain a signed Linux kernel which UEFI loads
> as soon as the boot sequence starts
> [*]the signed kernel would run a simple program that loads a
> bootloader like GRUB2
> [*]the bootloader would continue as it normally does[/list]

Isn't it the bootloader that UEFI loads and runs, and as long as the bootloader (Grub) is signed, then UEFI should boot it and grub can boot anything you want. Kind of blasts the argument that secure boot is either essential or secure out of the water when you can sign one bit of "insecure"* code and have it load anything.

* Insecure only from the POV of secure boot, where the whole idea relies on every link in the chain being secure.
Re: [DNG] UEFI Secure Boot workaround?
Ooops, sorry, I was of the impression I was using a forum.

On 04/03/2016, Edward Bartolo wrote:
> Hi,
>
> I think, with a signed Linux kernel, UEFI Secure Boot can be made to
> load any other unsigned Linux kernel, which would imply, any
> distribution would be possible to be booted.
>
> How I imagine it can be done:[list]
> [*]boot partition would contain a signed Linux kernel which UEFI loads
> as soon as the boot sequence starts
> [*]the signed kernel would run a simple program that loads a
> bootloader like GRUB2
> [*]the bootloader would continue as it normally does[/list]
>
[DNG] UEFI Secure Boot workaround?
Hi,

I think, with a signed Linux kernel, UEFI Secure Boot can be made to load any other unsigned Linux kernel, which would imply, any distribution would be possible to be booted.

How I imagine it can be done:[list]
[*]boot partition would contain a signed Linux kernel which UEFI loads as soon as the boot sequence starts
[*]the signed kernel would run a simple program that loads a bootloader like GRUB2
[*]the bootloader would continue as it normally does[/list]