| 1 |
On Sat, Jun 2, 2012 at 6:50 PM, pk <peterk2@××××××××.se> wrote: |
| 2 |
> On 2012-06-02 22:10, Michael Mol wrote: |
| 3 |
|
| 4 |
[snip] |
| 5 |
|
| 6 |
>> It's also probable that the OS kernel can tell the UEFI BIOS about new |
| 7 |
>> keys to blacklist. I expect that'll be a recurring thing in the |
| 8 |
>> Monthly batch of security updates Microsoft puts out. (Makes sense, |
| 9 |
>> really; if malware is using a key, blacklist that key.) |
| 10 |
> |
| 11 |
> Yes, would expect something like this. Secure boot supposedly prevents |
| 12 |
> "unauthorized firmware, operating systems or UEFI drivers" at boot time. |
| 13 |
> So if I interpret this correctly it would mean that if I have, say, an |
| 14 |
> old graphics card with an old firmware (vga bios) I can't use it with |
| 15 |
> "secure boot". |
| 16 |
|
| 17 |
It's probable that a system using an IOMMU and virtualization tech |
| 18 |
could emulate the real-mode requirements needed to execute that VGA |
| 19 |
BIOS safely. |
| 20 |
|
| 21 |
Gets more interesting...my understanding of things like Firewire is |
| 22 |
that it's almost trivially easy to crack a system on the bus, because |
| 23 |
of the way DMA is implemented. |
| 24 |
|
| 25 |
> More interestingly, how is an "operating system" defined? |
| 26 |
> Does it mean only the kernel itself or does it mean a full-blown OS with |
| 27 |
> init and other supporting software? |
| 28 |
|
| 29 |
The BIOS will only load a signed bootloader. The signed bootloader |
| 30 |
will only load a signed kernel. The signed kernel will...do whatever |
| 31 |
you tell it to do. |
| 32 |
|
| 33 |
> What does that mean to a source based "distro"? |
| 34 |
|
| 35 |
It's going to make building and installing grub and the kernel |
| 36 |
trickier; you'll have to get them signed. And that's going to be a |
| 37 |
PITA for anyone who does developers. |
| 38 |
|
| 39 |
What it *really* means is that someone who wants to run Linux as a |
| 40 |
hobbyist or developer is going to disable "SecureBoot", and then fall |
| 41 |
back to business as usual. |
| 42 |
|
| 43 |
> Also, I would assume a legitimate key would be able to |
| 44 |
> sign pretty much any binary so a key that Fedora uses could be used to |
| 45 |
> sign malware for Windows, which then would be blacklisted by |
| 46 |
> Microsoft... |
| 47 |
|
| 48 |
If Fedora allows their key to sign crap, then their key will get revoked. |
| 49 |
|
| 50 |
What I hope (I don't know) is whether or not the signing system |
| 51 |
involved allows chaining. i.e., with SSL, I can generate my own key, |
| 52 |
get it signed by a CA, and then bundle the CA's public key and my |
| 53 |
public key when I go on to sign _another_ key. |
| 54 |
|
| 55 |
So, could I generate a key, have Fedora sign it, and then use my key |
| 56 |
to sign my binaries? If my key is used to do malicious things, |
| 57 |
Fedora's off the hook, and it's only my key which gets revoked. |
| 58 |
|
| 59 |
> and how is malware defined? Anything that would be |
| 60 |
> detrimental to Microsoft? |
| 61 |
|
| 62 |
Dunno. I imagine it comes down to whatever the chief key's owner |
| 63 |
doesn't want running on the same hardware while SecureBoot is enabled. |
| 64 |
Rootkits come to mind. |
| 65 |
|
| 66 |
> |
| 67 |
>> Someone linked to some absolutely terrible stuff being built into |
| 68 |
>> Intel's Ivy Bridge...it's plausible it will be possible to deploy |
| 69 |
> |
| 70 |
> You mean: |
| 71 |
> https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control |
| 72 |
> |
| 73 |
> ? |
| 74 |
|
| 75 |
The vPro stuff relates, yeah. |
| 76 |
|
| 77 |
> |
| 78 |
>> blacklist key updates over the network within a couple years. |
| 79 |
> |
| 80 |
> Well, UEFI already implements remote management: |
| 81 |
> http://www.uefi.org/news/UEFI_Overview.pdf (page 13) |
| 82 |
> ... so implementing an automatic update over the network, preferably via |
| 83 |
> SMM/SMI so that the operating system cannot intervene would be possible |
| 84 |
> already today... and you've lost control of your computer. |
| 85 |
|
| 86 |
You still own your network, so you have at least some control over it. |
| 87 |
These features are intended to be managed by the system network |
| 88 |
administrator. |
| 89 |
|
| 90 |
This is going to be a matter of caveat emptor. Don't buy a Tivo or |
| 91 |
Kindle and expect to be able to repurpose it. (And don't buy hardware |
| 92 |
from Oracle, I expect. Though I suspect you may eventually not get a |
| 93 |
choice is you want to run their software.) |
| 94 |
|
| 95 |
If you don't know whether or not you can expect to reformat a device |
| 96 |
before you buy it, then you haven't been paying attention to mobile |
| 97 |
tech over the last five years, and you didn't do your homework. |
| 98 |
Apologies for the lack of sympathy. :( |
| 99 |
|
| 100 |
-- |
| 101 |
:wq |
Archives