On 2012-06-02 22:10, Michael Mol wrote:

> I expect the chief mechanism is at the manufacturer's end; blacklisted
> keys get included on shipment.

Makes sense.

> It's also probable that the OS kernel can tell the UEFI BIOS about new
> keys to blacklist. I expect that'll be a recurring thing in the
> monthly batch of security updates Microsoft puts out. (Makes sense,
> really; if malware is using a key, blacklist that key.)

Yes, would expect something like this. Secure Boot supposedly prevents
"unauthorized firmware, operating systems or UEFI drivers" at boot time.
So if I interpret this correctly it would mean that if I have, say, an
old graphics card with an old firmware (VGA BIOS) I can't use it with
"Secure Boot". More interestingly, how is an "operating system" defined?
Does it mean only the kernel itself or does it mean a full-blown OS with
init and other supporting software? What does that mean for a
source-based "distro"? Also, I would assume a legitimate key would be
able to sign pretty much any binary, so a key that Fedora uses could be
used to sign malware for Windows, which then would be blacklisted by
Microsoft... and how is malware defined? Anything that would be
detrimental to Microsoft?

> Someone linked to some absolutely terrible stuff being built into
> Intel's Ivy Bridge...it's plausible it will be possible to deploy

You mean:
https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control
?

> blacklist key updates over the network within a couple years.

Well, UEFI already implements remote management:
http://www.uefi.org/news/UEFI_Overview.pdf (page 13)
... so implementing an automatic update over the network, preferably via
SMM/SMI so that the operating system cannot intervene, would be possible
already today... and you've lost control of your computer.

I'm putting on my tinfoil hat now and I'm going to pretend it's
raining... :-/

Best regards

Peter K
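The "blacklisted keys" the thread speculates about are, in UEFI Secure Boot, the contents of the dbx ("forbidden signatures") variable: a sequence of EFI_SIGNATURE_LIST structures, each tagged with a GUID saying whether its entries are SHA-256 image hashes or X.509 certificates, so a vendor can revoke either one specific binary or an entire signing key. The following is an added example (not part of Peter K's message or the rest of the thread) that parses that on-disk format and checks a boot image against it. The GUID values and structure layout are the ones from the UEFI specification; the sample dbx blob, the owner GUID and the "certificate" bytes are constructed stand-ins, and the hash check uses the raw image bytes rather than the PE Authenticode digest real firmware computes.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_CERT_SHA256_GUID,
# EFI_CERT_X509_GUID).  db/dbx hold EFI_SIGNATURE_LISTs tagged with these.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) followed by
# SignatureListSize, SignatureHeaderSize, SignatureSize (three LE UINT32).
LIST_HEADER_LEN = 28


def build_signature_list(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST whose entries all have the same size.

    Used here only to construct sample data; a real dbx comes from the
    firmware variable (on Linux under /sys/firmware/efi/efivars/).
    """
    sig_size = 16 + len(entries[0])           # SignatureOwner GUID + data
    if any(len(e) != sig_size - 16 for e in entries):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    header = sig_type.bytes_le + struct.pack(
        "<III", LIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def parse_signature_lists(blob):
    """Yield (sig_type, owner, data) for each EFI_SIGNATURE_DATA in a blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        # Reject sizes that would walk off the blob or split an entry.
        if list_size < LIST_HEADER_LEN + hdr_size or end > len(blob):
            raise ValueError("bad SignatureListSize/SignatureHeaderSize")
        if sig_size < 16 or (list_size - LIST_HEADER_LEN - hdr_size) % sig_size:
            raise ValueError("bad SignatureSize")
        pos = off + LIST_HEADER_LEN + hdr_size
        while pos < end:
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            yield sig_type, owner, bytes(blob[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def revoked_hashes(dbx_blob):
    """SHA-256 image digests listed in dbx (one specific binary revoked)."""
    return {d for t, _, d in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID}


def revoked_certs(dbx_blob):
    """DER certificates listed in dbx (a whole signing key revoked at once)."""
    return {d for t, _, d in parse_signature_lists(dbx_blob) if t == EFI_CERT_X509_GUID}


def is_revoked(dbx_blob, image, signer_cert=None):
    """True if the image hash, or the certificate that signed it, is in dbx.

    Simplification: real firmware hashes the PE Authenticode digest of the
    image, not its raw bytes as done here.
    """
    if hashlib.sha256(image).digest() in revoked_hashes(dbx_blob):
        return True
    return signer_cert is not None and signer_cert in revoked_certs(dbx_blob)


# --- constructed sample data (not a real dbx) -------------------------------
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")   # placeholder owner
BAD_IMAGE = b"constructed: a boot loader whose hash the vendor revoked"
GOOD_IMAGE = b"constructed: a boot loader nobody has complained about"
REVOKED_CERT = b"constructed: stand-in for a DER certificate, not real ASN.1"

SAMPLE_DBX = build_signature_list(
    EFI_CERT_SHA256_GUID, OWNER,
    [hashlib.sha256(BAD_IMAGE).digest(),
     hashlib.sha256(b"constructed: another revoked image").digest()],
) + build_signature_list(EFI_CERT_X509_GUID, OWNER, [REVOKED_CERT])

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DBX):
        kind = "sha256" if sig_type == EFI_CERT_SHA256_GUID else "x509"
        print(kind, owner, data[:8].hex())
    print("bad image revoked:         ", is_revoked(SAMPLE_DBX, BAD_IMAGE))
    print("good image revoked:        ", is_revoked(SAMPLE_DBX, GOOD_IMAGE))
    print("good image, revoked signer:",
          is_revoked(SAMPLE_DBX, GOOD_IMAGE, REVOKED_CERT))
```

The two list types answer the question raised in the message about a legitimate key being used to sign something unwanted: revoking by hash blocks one binary without touching the key, while an X.509 entry in dbx blocks everything that key ever signed. The size checks in the parser matter because firmware applies dbx updates with little room for error; a malformed list that walks past the end of the variable is exactly the kind of input a signature-database parser must refuse rather than guess at.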