FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 09-20-2012, 11:38 AM
Alan Cox
 
Default UEFI bootkit

On Thu, 20 Sep 2012 07:10:00 -0400
Matthew Miller <mattdm@fedoraproject.org> wrote:

> On Thu, Sep 20, 2012 at 12:06:08PM +0100, Alan Cox wrote:
> > On ARM systems the requirement is the reverse - it must not be possible
> > to disable it, so those devices will be locked to Windows if shipped that
> > way.
>
> Locked to bootloaders signed with the Microsoft key, not _necessarily_ to
> Windows, right?

Unclear to me. I'd suggest asking ARM for clarification on that one.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 11:39 AM
Alan Cox
 
Default UEFI bootkit

> But it IS possible no?......providing one has the required information
> about how to do it?....

Clearly because the firmware vendors do it but with access to all the
needed documentation and signing arrangements that may be present.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 11:45 AM
Matthew Miller
 
Default UEFI bootkit

On Thu, Sep 20, 2012 at 04:29:47AM -0700, jdow wrote:
> That is why I like my unique to the machine key that is supplied to the
> user along with the board serial number. So he can make changes. But the
> changes for his system cannot affect other systems. That would make
> custom signed Linux kernels possible for a person testing kernel builds
> or compiling in obscure filesystems, such as I do from time to time.

You will be able to do this -- at least, on x86. Some lobbying on the ARM
front is needed.

It won't be a key that's supplied to the user, though. The user will be able
to add their own.

--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm@fedoraproject.org>
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 12:24 PM
jdow
 
Default UEFI bootkit

On 2012/09/20 04:45, Matthew Miller wrote:

On Thu, Sep 20, 2012 at 04:29:47AM -0700, jdow wrote:

That is why I like my unique to the machine key that is supplied to the
user along with the board serial number. So he can make changes. But the
changes for his system cannot affect other systems. That would make
custom signed Linux kernels possible for a person testing kernel builds
or compiling in obscure filesystems, such as I do from time to time.


You will be able to do this -- at least, on x86. Some lobbying on the ARM
front is needed.

It won't be a key that's supplied to the user, though. The user will be able
to add their own.


As long as the key is unique to one single machine the idea is sound
except for the "user too stupid to live" cases.

{^_^}
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 01:22 PM
Dave Ihnat
 
Default UEFI bootkit

Once, long ago--actually, on Thu, Sep 20, 2012 at 06:39:59AM CDT--Alan Cox (alan@lxorguk.ukuu.org.uk) said:
> Clearly because the firmware vendors do it but with access to all the
> needed documentation and signing arrangements that may be present.

Note that there are already open-source BIOS versions available. One such
is:

http://www.openfirmware.info

There are others as well.

Cheers,
--
Dave Ihnat
dihnat@dminet.com
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 06:09 PM
James Wilkinson
 
Default UEFI bootkit

nomnex wrote:
> I also read that (most?) vendor will allow Secure boot to be switch off
> on the BIOS.
>
> When I purchase a notebook (Prior to Secure boot), I erase the
> partition. I boot from a Live CD. If everything seems to work, and if I
> like the DE, I install the OS.
>
> And that's my question with these new UEFI+Secure boot machines: If I
> turn Secure boot OFF, can I install a live CD as I used to do. Or is
> there more?

As I understand it, yes. You should also be able to do that without
turning Secure Boot off (which is the point of the work that Matthew
Garrett has been doing).

As always, though, the proof of the pudding is in the eating, so how
reliable it will be in practice remains to be seen.

As Linus Torvalds wrote (on a different subject) on the linux-kernel
mailing list: “Do you have any reason to expect that all BIOS’es are
bug-free in this area?

That would be a first.”

and

“BIOS writers tend to have been on pain medication for so long that they
can hardly remember their own name, much less actually make sure they
follow all the documentation.”

James.

--
E-mail: james@ | "Security question ... What's your dog's maiden name?"
aprilcottage.co.uk | -- Peter Gutmann on bad security designs
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-21-2012, 01:53 AM
"Eddie G. O'Connor Jr."
 
Default UEFI bootkit

On 09/20/2012 07:27 AM, Heinz Diehl wrote:

On 20.09.2012, Eddie O'Connor wrote:


Right? And the only way to be able to iunstall/boot
another OS would be to turn the UEFI off....but without the proper
key....that is impossible?

To be able to boot any other system than Windows, you have to turn
off secure boot or you could use your own keys signed by Microsoft.
It's not (U)EFI which is the problem, it's the "secure boot".



AAAhhh!! NOW I think I understand!......


EGO II
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-21-2012, 01:56 AM
"Eddie G. O'Connor Jr."
 
Default UEFI bootkit

On 09/20/2012 08:24 AM, jdow wrote:

On 2012/09/20 04:45, Matthew Miller wrote:

On Thu, Sep 20, 2012 at 04:29:47AM -0700, jdow wrote:

That is why I like my unique to the machine key that is supplied to the
user along with the board serial number. So he can make changes. But
the

changes for his system cannot affect other systems. That would make
custom signed Linux kernels possible for a person testing kernel builds
or compiling in obscure filesystems, such as I do from time to time.


You will be able to do this -- at least, on x86. Some lobbying on the
ARM

front is needed.

It won't be a key that's supplied to the user, though. The user will
be able

to add their own.


As long as the key is unique to one single machine the idea is sound
except for the "user too stupid to live" cases.

{^_^}

LoL!....I agree!


EGO II
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-21-2012, 02:38 AM
JD
 
Default UEFI bootkit

On 09/20/2012 07:56 PM, Eddie G. O'Connor Jr. wrote:

On 09/20/2012 08:24 AM, jdow wrote:

On 2012/09/20 04:45, Matthew Miller wrote:

On Thu, Sep 20, 2012 at 04:29:47AM -0700, jdow wrote:
That is why I like my unique to the machine key that is supplied to
the
user along with the board serial number. So he can make changes.
But the

changes for his system cannot affect other systems. That would make
custom signed Linux kernels possible for a person testing kernel
builds

or compiling in obscure filesystems, such as I do from time to time.


You will be able to do this -- at least, on x86. Some lobbying on
the ARM

front is needed.

It won't be a key that's supplied to the user, though. The user will
be able

to add their own.


As long as the key is unique to one single machine the idea is sound
except for the "user too stupid to live" cases.

{^_^}



What is it that will check "uniqueness" of the key?
Over the internet? Check with what/who ?

Thanx,

JD
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-21-2012, 04:04 AM
jdow
 
Default UEFI bootkit

On 2012/09/20 19:38, JD wrote:


On 09/20/2012 07:56 PM, Eddie G. O'Connor Jr. wrote:

On 09/20/2012 08:24 AM, jdow wrote:

On 2012/09/20 04:45, Matthew Miller wrote:

On Thu, Sep 20, 2012 at 04:29:47AM -0700, jdow wrote:

That is why I like my unique to the machine key that is supplied to the
user along with the board serial number. So he can make changes. But the
changes for his system cannot affect other systems. That would make
custom signed Linux kernels possible for a person testing kernel builds
or compiling in obscure filesystems, such as I do from time to time.


You will be able to do this -- at least, on x86. Some lobbying on the ARM
front is needed.

It won't be a key that's supplied to the user, though. The user will be able
to add their own.


As long as the key is unique to one single machine the idea is sound
except for the "user too stupid to live" cases.

{^_^}



What is it that will check "uniqueness" of the key?
Over the internet? Check with what/who ?


Nothing. The user would have the option in the BIOS to generate, somehow,
a random number. He's told to type keys on the keyboard, any keys at all,
with the intervals feeding some randomness into the system. Then the key
for signing is presented on the screen for the user to copy down, pen and
paper mode. (Yeah, that is SO centuries ago. But, it's not in electronic
form, yet, so it is quite secure. If the machine makes sure nothing is
plugged in other than keyboard, mouse, and monitor it's not likely to be
siphoned off by monitoring malware.)

{^_^}
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 

Thread Tools




All times are GMT. The time now is 02:35 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org