Forwarding two posts by Guido Stepken in Ubuntu G+ community for discussion
__________________________ https://plus.google.com/+GuidoStepken/posts/XZsgDcuairt Linux UEFI TPM 2.0 security impacts The "security chain" begins with one or more TPM 2.0 "Endorsement Keys" (EK), that are stored on the motherboard and that cannot be overwritten without "allowance" by either the owner (hardware manufacturer) or somebody, that is "higher" in key hierarchy, such as Microsoft or U.S. government authorities. Key Exchange Keys (KEK) establish a trust relationship between the operating system and the platform firmware. Each operating system (and potentially each 3rd party application, that needs to communicate with platform firmware) enrolls a public key (KEKpub) into the platform firmware. When your hardware comes "Windows Certified", the "Endorsement Key" already is initialized, is signed by Microsoft and U.S. authorities. "Windows certified" here automatically means "NSA backdoor" included and activated in all encryption modules. Hardware encryption on newer INTEL Xeon machines, at boot, load those key rings from UEFI tables into processor buffer. From then on, the CPU hardware encrypts everything with Microsoft and U.S. authorities keys being enclosed in the key ring, independent of used operating system! And surprisingly, it depends on your compiler settings, if your software then uses "hardware accelerated encryption" (fast, but unsafe, since NSA key ring is enclosed) or pure (slower, but NSA safe!) "software encryption". But you have to make sure, that your software encryption libraries do not load Endorsement Keys from UEFI tables. In Red Hat Linux, they do. Red Hat binaries are closed source, can not be rebuilt from src.rpm files. So everything, that is encrypted on your Windows or Red Hat Linux machine, has a backdoor for U.S. authorities. SSLv2, SSLv3 data, OpenVPN transfers included. On Debian / UBUNTU / FreeBSD / OpenBSD it depends on compiler settings and CPU type used. On modern INTEL Xeon processors, using "hardware acceleration" at compile time, it automatically generates U.S. backdoors in all kinds of encryption. Note: Independent of OS used!!! Using software encryption sometimes does not help, since a "secure tunnel" (e.g. to your bank) is built up with help of your own key ring and the bank's key ring. Since your bank's key ring always is "signed" by U.S. authorities, they automatically can decode all your SSL traffic. Note: SSL traffic between two partners can be decoded, when key from only one side is known! Cisco routers, Akamai silent proxies - globally - do a "full take" of all traffic around the world that finally is stored and automatically decoded, read by N.S.A. There simply is no secrecy/privacy any longer. Even THREEMA isn't safe any longer, because now hardware encryption processor instructions in INTEL XEON processors automatically include the NSA key. Pretending to "fight terrorism", U.S.A. is spying everywhere to gain strategical advantage over markets, industries, economies, banks, countries, foreign politicians. See Erdogan / J. Tymoshenko phone disclosures, "Edathy case", Merkel mobile spying, Snowden reports about CIA and a swiss banker or BNP Paribas 9 billion "punishment": http://www.businessinsider.com/edward-snowden-describes-cia-tricks-2013-6 http://www.disclose.tv/action/viewvideo/169947/Tymoshenko_tape_leak_Time_to_grab_guns_and_kill_damn_Russians_RT/ http://www.reuters.com/article/2015/05/01/us-bnp-paribas-settlement-sentencing-idUSKBN0NM41K20150501 http://www.bbc.com/news/world-europe-26336354 http://www.telegraph.co.uk/news/worldnews/europe/germany/10407282/Barack-Obama-approved-tapping-Angela-Merkels-phone-3-years-ago.html With Linux kernel 4.2, around 100 UEFI / encryption / key signing / key revocation functions have been added, that give U.S. authorities absolute control over "secure boot" - Linux kernel and drivers, all hardware (in processor) encryption and also about what (signed) software is allowed to run on your machine. In Red Hat Linux that is already included! See: https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Deployment_Guide/SubsystemOverview.html Also see EDKII specifications: http://tianocore.sourceforge.net/wiki/EDK_II_Specifications Finally, they will charge you even for free and open source software, that only can be installed and started when "U.S. certificate" tax ($99 per software version) is properly paid to Verisign / Microsoft / Symantec owners. So, "uncertified" Linux kernels won't run on on "Windows certified" UEFI hardware any longer. And Microsoft / Verisign, in future, simply won't sign Linux kernels or drivers, that do not have TPM 2.0 and hardware encryption included and activated!!! It's time for a "Windows / NSA uncertified" label! Get rid of UEFI, TPM 2.0, use LinuxBIOS (aka Coreboot aka SeaBIOS), exclusively, that automatically comes with Google Chromebooks, Chromeboxes. Btw: Docker is based on QEMU: http://wiki.qemu.org/Features/TPM Don't use new INTEL XEON processors!!! They're coming with NSA keys included in their hardware encryption module!!! If unsure, use own, pure software encryption! List of hardware supporting Coreboot is available here: http://www.coreboot.org/Supported_Motherboards Interestingly, UEFI "secure boot" doesn't make computers more secure. They are still vulnerable to runtime attacks, e.g. buffer overflows, stack/heap overflows. These mechanisms only prevent, that "U.S. uncertified" ($99 per certificate!) software cannot be started any longer. Thanks for understanding! ___________________ https://plus.google.com/+GuidoStepken/posts/CgZ2ZJtUBLz Another good reason to use UBUNTU Red Hat, unlike UBUNTU, has a PKI (Public Key Infrastructure) on board. Not only all encryption modules have U.S. controlled backdoors, no! They also may revoke Linux boot loader UEFI certificates any time, they want! Sources are closed. Not included in RedHat or Fedora source .src.rpm files. U.S. certification authorities, e.g. Symantec, as well as Microsoft, Red Hat, CISCO have same "top institutional holders". In fact, it's one organisation, owned by same U.S. hedge funds: http://finance.yahoo.com/q/mh?s=RHT+Major+Holders http://finance.yahoo.com/q/mh?s=MSFT+Major+Holders http://finance.yahoo.com/q/mh?s=SYMC+Major+Holders http://finance.yahoo.com/q/mh?s=CSCO+Major+Holders Their biggest customer(s) are NSA and U.S. gov. These U.S. companies or U.S. authorities may revoke any UEFI Linux boot signature, any time they want. Same for CISCO routers VPN (tunnel) encryption. Never, ever believe, that your Red Hat or Microsoft Windows 10 "UEFI dual boot" computer or VPN encryption keys would be under your control. Its certificates already could have been revoked without telling you. Try to reboot and your computer hangs. VPN IPsec infrastructure keys could have been already revoked. That already happened with some ten thousands of machines with Realtek drivers, whose network driver certificates were revoked because of Iran and Stuxnet virus. In fact, all U.S. software and certification, encryption keys are under control of "U.S. department of commerce". "Department of commerce" falls under "U.S. patriot act". Quote from MS EULA: http://www.microsoft.com/en-us/server-cloud/products/intune-trust-center/privacy.aspx "Your Services’ data may be transferred to, stored and processed in the United States or any other country where Microsoft or its affiliates, subsidiaries or service providers maintain facilities. Microsoft abides by the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Economic Area, and Switzerland." According to "U.S. patriot act", U.S. government may look into all your data, either stored in cloud, on your enterprise servers or on your private desktop. Without asking a judge. Globally. With installing Red Hat Linux or Windows 10 you are signing a contract, where you explicitly allow U.S. software companies (and indirectly U.S. gov.) to look into, to search your private data. https://en.wikipedia.org/wiki/USA_PATRIOT_Act Don't use UEFI computers, don't use Red Hat Linux, don't use Windows 10, don't use U.S. clouds or any U.S. company's services outside U.S.A. These automatically fall under "U.S. patriot act". Thanks for understanding. _______________________________ _________________________________ Best A. Mani Prof(Miss) A. Mani CU, ASL, AMS, ISRS, CLC, CMS HomePage: http://www.logicamani.in Blog: http://logicamani.blogspot.in/ http://about.me/logicamani sip:girlprofes...@ekiga.net