UEFI bootkit
 

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1) "Writing a bootkit couldn't be an easier task for virus writers with
the UEFI framework available, much easier than before when they needed
to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally signed
UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user choice."

Great! MS shoots self in foot, others in head. We saw it coming :/
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

On Wed, Sep 19, 2012 at 11:05 AM, Mike Wright wrote:
> Great! MS shoots self in foot, others in head. We saw it coming :/

Shoots themselves in the foot? Limiting user choice sounds like it's
working just the way they wanted. (Shooting everyone else in the head
was a part of their plan.)
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

On 2012/09/19 14:52, Alan Evans wrote:

On Wed, Sep 19, 2012 at 11:05 AM, Mike Wright wrote:

Great! MS shoots self in foot, others in head. We saw it coming :/


Shoots themselves in the foot? Limiting user choice sounds like it's
working just the way they wanted. (Shooting everyone else in the head
was a part of their plan.)


The proper way to do this is to issue a unique key for each board
that has the private signing key included for the users who wish to
add personally signed software. Their key does not work on any other
machine, of course. Distros could sign their material. And if the user
wishes to recompile a kernel they can sign it with their own key and
still boot with it.

{^_^}
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

> The proper way to do this is to issue a unique key for each board
> that has the private signing key included for the users who wish to
> add personally signed software. Their key does not work on any other
> machine, of course. Distros could sign their material. And if the user
> wishes to recompile a kernel they can sign it with their own key and
> still boot with it.

While they made a right mess of it and IMHO tried to play ugly cynical
games (and still are on ARM) the underlying concern isn't entirely bogus.
The signing extends through the system including all the firmware. That
means that the firmware you get is the firmware the vendor intended you
to get which cuts out an interesting (and it seems growing) like of
attacks based upon shipping people computers with trojaned firmware.

Now given a lot of this will be built in countries that the USA doesn't
trust, by people they don't trust I'm not sure what impact it will have
on the really "interesting" uses of such technology, but it cuts out some
stuff.

And there is a real issue because as other security improves and systems
with interesting stuff on become highly isolated firmware attacks and
shipping people "pre trojanned" systems into banks etc becomes a rather
attractive attack model.

Alan
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

On 09/19/2012 05:00 PM, Alan Cox wrote:

The proper way to do this is to issue a unique key for each board
that has the private signing key included for the users who wish to
add personally signed software. Their key does not work on any other
machine, of course. Distros could sign their material. And if the user
wishes to recompile a kernel they can sign it with their own key and
still boot with it.

While they made a right mess of it and IMHO tried to play ugly cynical
games (and still are on ARM) the underlying concern isn't entirely bogus.
The signing extends through the system including all the firmware. That
means that the firmware you get is the firmware the vendor intended you
to get which cuts out an interesting (and it seems growing) like of
attacks based upon shipping people computers with trojaned firmware.

Now given a lot of this will be built in countries that the USA doesn't
trust, by people they don't trust I'm not sure what impact it will have
on the really "interesting" uses of such technology, but it cuts out some
stuff.

And there is a real issue because as other security improves and systems
with interesting stuff on become highly isolated firmware attacks and
shipping people "pre trojanned" systems into banks etc becomes a rather
attractive attack model.

Alan

What you say is indeed a very ppssible scenario, as the US has
lost a lot of friends recently, especially among the countries that
manufacture the high tech we buy.

The question I have is, can the buyer simply choose NOT to
use uefi (i.e. blow it off the system) and boot any OS of choice
which will not insist on the presence of any UEFI?
I think the answer to this question is more important as it provides
an "opt-out" choice to the consumer.


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

> On Wed, 19 Sep 2012 11:05:39 -0700
> Mike Wright <mike.wright@mailinator.com> wrote:
>
> And in today's news:
>
> http://www.theregister.co.uk/2012/09/19/win8_rootkit/
>
> A few things in particular stood out to me:
>
> 1) "Writing a bootkit couldn't be an easier task for virus writers
> with the UEFI framework available, much easier than before when they
> needed to code in pure assembly."
>
> 2) "... unless SecureBoot is used to ensure that only digitally
> signed UEFI bootloaders can be executed at the system bootup.
>
> 3) "... enabling SecureBoot by default effectively limits user
> choice."
>
> Great! MS shoots self in foot, others in head. We saw it coming :/

I am still unclear about secure boot. As I will probably delay my
purchase of a new notebook until next year, I worry.

I read the efforts of the fedora team to allow >F18 to boot on UEFI
+Secure boot enabled devices (the machines with the W8 stinker on them).

I also read that (most?) vendor will allow Secure boot to be switch off
on the BIOS.

When I purchase a notebook (Prior to Secure boot), I erase the
partition. I boot from a Live CD. If everything seems to work, and if I
like the DE, I install the OS.

And that's my question with these new UEFI+Secure boot machines: If I
turn Secure boot OFF, can I install a live CD as I used to do. Or is
there more?

--
nomnex <nomnex@gmail.com>
Freenode: nomnex
Registered Linux user #505281. Be counted at: http://linuxcounter.net
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2012 06:43 PM, JD wrote:
>
>
> The question I have is, can the buyer simply choose NOT to
> use uefi (i.e. blow it off the system) and boot any OS of choice
> which will not insist on the presence of any UEFI?
> I think the answer to this question is more important as it provides
> an "opt-out" choice to the consumer.
>
>

If I understand things correctly, UEFI takes the place of the BIOS,
so you have to use UEFI to boot. So it would be blowing off the
BIOS. Would it be possible to replace the stock UEFI with an open
source version like you can replace the stock BIOS with an open
source version on some motherboards? That may be something to look
into. I am not sure what hoops you have to jump through to
change/upgrade the UEFI image...

Mikkel
- --
Do not meddle in the affairs of dragons, for thou art crunchy and
taste good with Ketchup!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBacPoACgkQqbQrVW3JyMRrHwCfdO6TU3WspS GVpbvVJm6vTPRh
YCgAn1p3zU9YwXD2DzlA7dDOKIKTzEaE
=Pu1R
-----END PGP SIGNATURE-----

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

On 09/19/2012 02:05 PM, Mike Wright wrote:

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1) "Writing a bootkit couldn't be an easier task for virus writers
with the UEFI framework available, much easier than before when they
needed to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally signed
UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user choice."

Great! MS shoots self in foot, others in head. We saw it coming :/



Or.......maybe this was a little "skit" to help make the push for
universal UEFI enforcement?.....this way Linux users are locked out, the
landscape once again returns to the Windows vs Apple conflict
eliminating the biggest threat to both of them in one hatchet swing! I
for one am going to be looking into way to get around this thing.....I
see no reason to be locked into using a particular brand or service JUST
because someone ELSE thinks I should!



EGO II
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

On 09/19/2012 08:30 PM, Eddie G. O'Connor Jr. wrote:

On 09/19/2012 02:05 PM, Mike Wright wrote:

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1) "Writing a bootkit couldn't be an easier task for virus writers
with the UEFI framework available, much easier than before when they
needed to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally
signed UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user choice."

Great! MS shoots self in foot, others in head. We saw it coming :/



Or.......maybe this was a little "skit" to help make the push for
universal UEFI enforcement?.....this way Linux users are locked out,
the landscape once again returns to the Windows vs Apple conflict
eliminating the biggest threat to both of them in one hatchet swing! I
for one am going to be looking into way to get around this thing.....I
see no reason to be locked into using a particular brand or service
JUST because someone ELSE thinks I should!



EGO II
I think there will be at least a few mobo manufacturers who will provide
the buyer the option
of either uefi or traditional bios. Not so sure about laptop
manufacturers. Perhaps

one or more may choose to offer that choice.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

UEFI bootkit
 

On 09/19/2012 10:47 PM, JD wrote:


On 09/19/2012 08:30 PM, Eddie G. O'Connor Jr. wrote:

On 09/19/2012 02:05 PM, Mike Wright wrote:

And in today's news:

http://www.theregister.co.uk/2012/09/19/win8_rootkit/

A few things in particular stood out to me:

1) "Writing a bootkit couldn't be an easier task for virus writers
with the UEFI framework available, much easier than before when they
needed to code in pure assembly."


2) "... unless SecureBoot is used to ensure that only digitally
signed UEFI bootloaders can be executed at the system bootup.


3) "... enabling SecureBoot by default effectively limits user choice."

Great! MS shoots self in foot, others in head. We saw it coming :/



Or.......maybe this was a little "skit" to help make the push for
universal UEFI enforcement?.....this way Linux users are locked out,
the landscape once again returns to the Windows vs Apple conflict
eliminating the biggest threat to both of them in one hatchet swing!
I for one am going to be looking into way to get around this
thing.....I see no reason to be locked into using a particular brand
or service JUST because someone ELSE thinks I should!



EGO II
I think there will be at least a few mobo manufacturers who will
provide the buyer the option
of either uefi or traditional bios. Not so sure about laptop
manufacturers. Perhaps

one or more may choose to offer that choice.




And if there's no "options" out there?.....then what? do I just go ahead
and install my OWN version of a BIOS and hope for the best?...



EGO II
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org