| 1 |
On 2012-06-02 22:10, Michael Mol wrote: |
| 2 |
|
| 3 |
> I expect the chief mechanism is at the manufacturer's end; blacklisted |
| 4 |
> keys get included on shipment. |
| 5 |
|
| 6 |
Makes sense. |
| 7 |
|
| 8 |
> It's also probable that the OS kernel can tell the UEFI BIOS about new |
| 9 |
> keys to blacklist. I expect that'll be a recurring thing in the |
| 10 |
> Monthly batch of security updates Microsoft puts out. (Makes sense, |
| 11 |
> really; if malware is using a key, blacklist that key.) |
| 12 |
|
| 13 |
Yes, would expect something like this. Secure boot supposedly prevents |
| 14 |
"unauthorized firmware, operating systems or UEFI drivers" at boot time. |
| 15 |
So if I interpret this correctly it would mean that if I have, say, an |
| 16 |
old graphics card with an old firmware (vga bios) I can't use it with |
| 17 |
"secure boot". More interestingly, how is an "operating system" defined? |
| 18 |
Does it mean only the kernel itself or does it mean a full-blown OS with |
| 19 |
init and other supporting software? What does that mean to a source |
| 20 |
based "distro"? Also, I would assume a legitimate key would be able to |
| 21 |
sign pretty much any binary so a key that Fedora uses could be used to |
| 22 |
sign malware for Windows, which then would be blacklisted by |
| 23 |
Microsoft... and how is malware defined? Anything that would be |
| 24 |
detrimental to Microsoft? |
| 25 |
|
| 26 |
> Someone linked to some absolutely terrible stuff being built into |
| 27 |
> Intel's Ivy Bridge...it's plausible it will be possible to deploy |
| 28 |
|
| 29 |
You mean: |
| 30 |
https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control |
| 31 |
|
| 32 |
? |
| 33 |
|
| 34 |
> blacklist key updates over the network within a couple years. |
| 35 |
|
| 36 |
Well, UEFI already implements remote management: |
| 37 |
http://www.uefi.org/news/UEFI_Overview.pdf (page 13) |
| 38 |
... so implementing an automatic update over the network, preferably via |
| 39 |
SMM/SMI so that the operating system cannot intervene would be possible |
| 40 |
already today... and you've lost control of your computer. |
| 41 |
|
| 42 |
I'm putting on my tinfoil hat now and I'm going to pretend it's |
| 43 |
raining... :-/ |
| 44 |
|
| 45 |
Best regards |
| 46 |
|
| 47 |
Peter K |
Archives