Old 09-20-2012, 03:06 AM
JD
 
Default UEFI bootkit

On 09/19/2012 08:50 PM, Eddie G. O'Connor Jr. wrote:
> On 09/19/2012 10:47 PM, JD wrote:
>> On 09/19/2012 08:30 PM, Eddie G. O'Connor Jr. wrote:
>>> On 09/19/2012 02:05 PM, Mike Wright wrote:
>>>> And in today's news:
>>>>
>>>> http://www.theregister.co.uk/2012/09/19/win8_rootkit/
>>>>
>>>> A few things in particular stood out to me:
>>>>
>>>> 1) "Writing a bootkit couldn't be an easier task for virus writers
>>>> with the UEFI framework available, much easier than before when
>>>> they needed to code in pure assembly."
>>>>
>>>> 2) "... unless SecureBoot is used to ensure that only digitally
>>>> signed UEFI bootloaders can be executed at the system bootup."
>>>>
>>>> 3) "... enabling SecureBoot by default effectively limits user
>>>> choice."
>>>>
>>>> Great! MS shoots self in foot, others in head. We saw it coming :/
>>>
>>> Or.......maybe this was a little "skit" to help make the push for
>>> universal UEFI enforcement?.....this way Linux users are locked out,
>>> the landscape once again returns to the Windows vs Apple conflict
>>> eliminating the biggest threat to both of them in one hatchet swing!
>>> I for one am going to be looking into a way to get around this
>>> thing.....I see no reason to be locked into using a particular brand
>>> or service JUST because someone ELSE thinks I should!
>>>
>>> EGO II
>>
>> I think there will be at least a few mobo manufacturers who will
>> provide the buyer the option of either uefi or traditional bios.
>> Not so sure about laptop manufacturers. Perhaps one or more may
>> choose to offer that choice.
>
> And if there's no "options" out there?.....then what? do I just go
> ahead and install my OWN version of a BIOS and hope for the best?...
>
> EGO II

In that case, I feel that many people will start building open source
bioses for a limited set of mobos. They will provide the software to
burn the bios into the mobo's eeprom or will even sell mobo's which
they modify and install their own bios prom on. I think nature abhors
vacuum.


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 03:36 AM
"Eddie G. O'Connor Jr."
 
Default UEFI bootkit

On 09/19/2012 11:06 PM, JD wrote:


> In that case, I feel that many people will start building open source
> bioses for a limited set of mobos. They will provide the software to
> burn the bios into the mobo's eeprom or will even sell mobo's which
> they modify and install their own bios prom on. I think nature abhors
> vacuum.




I agree, well then in that case I'm not as worried as I was before!


EGO II
 
Old 09-20-2012, 11:06 AM
Alan Cox
 
Default UEFI bootkit

> The question I have is, can the buyer simply choose NOT to
> use uefi (i.e. blow it off the system) and boot any OS of choice
> which will not insist on the presence of any UEFI?

No.

> I think the answer to this question is more important as it provides
> an "opt-out" choice to the consumer.

There are two things here

UEFI is a replacement for the BIOS and in fact quite a few modern systems
are UEFI but boot into a "BIOS" compatibility by default.

'Secure' boot is the signed booting stuff. That is an add on to basic EFI
and on x86 it's required by Microsoft as part of their requirements that
it must be disableable but that disabling it must be done in a secure
("proof of presence" - ie local) manner.

It's also possible in theory to replace/amend the keys although that's a
bit more complicated. The Linux Foundation have been working on tools for
this.

On ARM systems the requirement is the reverse - it must not be possible
to disable it, so those devices will be locked to Windows if shipped that
way.

In theory there is nothing stopping a vendor shipping a system with UEFI
without secure boot, or with UEFI and with secure boot disabled as
supplied or with other keys. I can imagine for example that folks like
Dell would get asked to ship big blocks of machines to corporates that
also have an extra company key in them. That makes things like securely
provisioning via PXE much simpler.

Alan
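
Added example (not part of the message above or of the original thread): a shell function that tells apart the states the post distinguishes, namely legacy BIOS/compatibility boot, UEFI with Secure Boot disabled, UEFI with Secure Boot enforced, and setup mode in which keys can be enrolled. It assumes a Linux kernel with efivarfs mounted at /sys/firmware/efi/efivars; the function names and the optional root-directory argument are illustrative.

```shell
#!/bin/sh
# Added example: report firmware boot mode and Secure Boot state on Linux.
# Assumption: efivarfs is mounted at /sys/firmware/efi/efivars.
# EFI_GLOBAL_VARIABLE GUID as defined by the UEFI specification.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte ROOT NAME: print the first data byte of a global EFI variable.
# efivarfs prefixes every file with a 4-byte attribute word, so skip it.
efivar_byte() {
    f="$1/sys/firmware/efi/efivars/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# boot_state [ROOT]: print exactly one of
#   bios                     legacy BIOS or UEFI compatibility (CSM) boot
#   uefi-secureboot-on       UEFI boot, bootloader signatures enforced
#   uefi-secureboot-off      UEFI boot, Secure Boot disabled in firmware
#   uefi-setup-mode          UEFI boot, no platform key enrolled yet
#   uefi-secureboot-unknown  UEFI boot, variables not readable
# ROOT is a hypothetical prefix used for testing; empty means the live system.
boot_state() {
    root="${1:-}"
    [ -d "$root/sys/firmware/efi" ] || { echo bios; return 0; }
    sb=$(efivar_byte "$root" SecureBoot) || { echo uefi-secureboot-unknown; return 0; }
    setup=$(efivar_byte "$root" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then echo uefi-setup-mode
    elif [ "$sb" = 1 ]; then echo uefi-secureboot-on
    else echo uefi-secureboot-off
    fi
}

boot_state "$@"
```
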

 
Old 09-20-2012, 11:07 AM
"Eddie O'Connor"
 
Default UEFI bootkit

On Thu, Sep 20, 2012 at 7:09 AM, Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:

>> In that case, I feel that many people will start building open source
>> bioses for a limited set of mobos. They will provide the software to
>> burn the bios into the mobo's eeprom or will even sell mobo's which
>> they modify and install their own bios prom on. I think nature abhors
>> vacuum.
>
> The required information for almost all X86 devices is not available.
> You can't build an open firmware for most x86 platforms from public
> information.
>
> Alan

But it IS possible no?......providing one has the required information about how to do it?....
EGO II
 
Old 09-20-2012, 11:09 AM
Alan Cox
 
Default UEFI bootkit

> In that case, I feel that many people will start building open source
> bioses for a limited set of mobos. They will provide the software to
> burn the bios into the mobo's eeprom or will even sell mobo's which
> they modify and install their own bios prom on. I think nature abhors
> vacuum.

The required information for almost all X86 devices is not available.
You can't build an open firmware for most x86 platforms from public
information.

Alan

 
Old 09-20-2012, 11:10 AM
Matthew Miller
 
Default UEFI bootkit

On Thu, Sep 20, 2012 at 12:06:08PM +0100, Alan Cox wrote:
> On ARM systems the requirement is the reverse - it must not be possible
> to disable it, so those devices will be locked to Windows if shipped that
> way.

Locked to bootloaders signed with the Microsoft key, not _necessarily_ to
Windows, right?


--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm@fedoraproject.org>
 
Old 09-20-2012, 11:13 AM
"Eddie O'Connor"
 
Default UEFI bootkit

On Thu, Sep 20, 2012 at 7:10 AM, Matthew Miller <mattdm@fedoraproject.org> wrote:

> On Thu, Sep 20, 2012 at 12:06:08PM +0100, Alan Cox wrote:
>> On ARM systems the requirement is the reverse - it must not be possible
>> to disable it, so those devices will be locked to Windows if shipped that
>> way.
>
> Locked to bootloaders signed with the Microsoft key, not _necessarily_ to
> Windows, right?



So then basically there's no REAL way to get a "modern" PC / laptop WITHOUT this UEFI on it? Right? And the only way to be able to install/boot another OS would be to turn the UEFI off....but without the proper key....that is impossible? Just trying to understand what this means when it's time for me to upgrade my laptop....would like to know that I can install the latest version of Fedora without any problems or issues hardware-wise.

EGO II
 
Old 09-20-2012, 11:27 AM
Heinz Diehl
 
Default UEFI bootkit

On 20.09.2012, Eddie O'Connor wrote:

> Right? And the only way to be able to install/boot
> another OS would be to turn the UEFI off....but without the proper
> key....that is impossible?

To be able to boot any other system than Windows, you have to turn
off secure boot or you could use your own keys signed by Microsoft.
It's not (U)EFI which is the problem, it's the "secure boot".


 
Old 09-20-2012, 11:29 AM
jdow
 
Default UEFI bootkit

On 2012/09/20 04:13, Eddie O'Connor wrote:
> On Thu, Sep 20, 2012 at 7:10 AM, Matthew Miller <mattdm@fedoraproject.org> wrote:
>> On Thu, Sep 20, 2012 at 12:06:08PM +0100, Alan Cox wrote:
>>> On ARM systems the requirement is the reverse - it must not be possible
>>> to disable it, so those devices will be locked to Windows if shipped that
>>> way.
>>
>> Locked to bootloaders signed with the Microsoft key, not _necessarily_ to
>> Windows, right?
>
> So then basically there's no REAL way to get a "modern" PC / laptop WITHOUT this
> UEFI on it? Right? And the only way to be able to install/boot another OS would
> be to turn the UEFI off....but without the proper key....that is impossible?
> Just trying to understand what this means when it's time for me to upgrade my
> laptop....would like to know that I can install the latest version of Fedora
> without any problems or issues hardware-wise.
> EGO II


That is why I like my unique to the machine key that is supplied to the
user along with the board serial number. So he can make changes. But the
changes for his system cannot affect other systems. That would make
custom signed Linux kernels possible for a person testing kernel builds
or compiling in obscure filesystems, such as I do from time to time.

{^_^}
 
Old 09-20-2012, 11:37 AM
Alan Cox
 
Default UEFI bootkit

> So then basically there's no REAL way to get a "modern" PC / laptop WITHOUT
> this UEFI on it? Right? And the only way to be able to install/boot
> another OS would be to turn the UEFI off....but without the proper
> key....that is impossible? Just trying to understand what this means when
> it's time for me to upgrade my laptop....would like to know that I can
> install the latest version of Fedora without any problems or issues
> hardware-wise.

Most new PCs already have UEFI on them as their firmware and run Linux
fine. The new generation PC ones (not ARM) you'll need to go into the
firmware and click/press/whatever the options to disable "secure" booting.


Alan
 
