1 |
On Sat, Jun 2, 2012 at 6:50 PM, pk <peterk2@××××××××.se> wrote: |
2 |
> On 2012-06-02 22:10, Michael Mol wrote: |
3 |
|
4 |
[snip] |
5 |
|
6 |
>> It's also probable that the OS kernel can tell the UEFI BIOS about new |
7 |
>> keys to blacklist. I expect that'll be a recurring thing in the |
8 |
>> Monthly batch of security updates Microsoft puts out. (Makes sense, |
9 |
>> really; if malware is using a key, blacklist that key.) |
10 |
> |
11 |
> Yes, would expect something like this. Secure boot supposedly prevents |
12 |
> "unauthorized firmware, operating systems or UEFI drivers" at boot time. |
13 |
> So if I interpret this correctly it would mean that if I have, say, an |
14 |
> old graphics card with an old firmware (vga bios) I can't use it with |
15 |
> "secure boot". |
16 |
|
17 |
It's probable that a system using an IOMMU and virtualization tech |
18 |
could emulate the real-mode requirements needed to execute that VGA |
19 |
BIOS safely. |
20 |
|
21 |
Gets more interesting...my understanding of things like Firewire is |
22 |
that it's almost trivially easy to crack a system on the bus, because |
23 |
of the way DMA is implemented. |
24 |
|
25 |
> More interestingly, how is an "operating system" defined? |
26 |
> Does it mean only the kernel itself or does it mean a full-blown OS with |
27 |
> init and other supporting software? |
28 |
|
29 |
The BIOS will only load a signed bootloader. The signed bootloader |
30 |
will only load a signed kernel. The signed kernel will...do whatever |
31 |
you tell it to do. |
32 |
|
33 |
> What does that mean to a source based "distro"? |
34 |
|
35 |
It's going to make building and installing grub and the kernel |
36 |
trickier; you'll have to get them signed. And that's going to be a |
37 |
PITA for anyone who does developers. |
38 |
|
39 |
What it *really* means is that someone who wants to run Linux as a |
40 |
hobbyist or developer is going to disable "SecureBoot", and then fall |
41 |
back to business as usual. |
42 |
|
43 |
> Also, I would assume a legitimate key would be able to |
44 |
> sign pretty much any binary so a key that Fedora uses could be used to |
45 |
> sign malware for Windows, which then would be blacklisted by |
46 |
> Microsoft... |
47 |
|
48 |
If Fedora allows their key to sign crap, then their key will get revoked. |
49 |
|
50 |
What I hope (I don't know) is whether or not the signing system |
51 |
involved allows chaining. i.e., with SSL, I can generate my own key, |
52 |
get it signed by a CA, and then bundle the CA's public key and my |
53 |
public key when I go on to sign _another_ key. |
54 |
|
55 |
So, could I generate a key, have Fedora sign it, and then use my key |
56 |
to sign my binaries? If my key is used to do malicious things, |
57 |
Fedora's off the hook, and it's only my key which gets revoked. |
58 |
|
59 |
> and how is malware defined? Anything that would be |
60 |
> detrimental to Microsoft? |
61 |
|
62 |
Dunno. I imagine it comes down to whatever the chief key's owner |
63 |
doesn't want running on the same hardware while SecureBoot is enabled. |
64 |
Rootkits come to mind. |
65 |
|
66 |
> |
67 |
>> Someone linked to some absolutely terrible stuff being built into |
68 |
>> Intel's Ivy Bridge...it's plausible it will be possible to deploy |
69 |
> |
70 |
> You mean: |
71 |
> https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control |
72 |
> |
73 |
> ? |
74 |
|
75 |
The vPro stuff relates, yeah. |
76 |
|
77 |
> |
78 |
>> blacklist key updates over the network within a couple years. |
79 |
> |
80 |
> Well, UEFI already implements remote management: |
81 |
> http://www.uefi.org/news/UEFI_Overview.pdf (page 13) |
82 |
> ... so implementing an automatic update over the network, preferably via |
83 |
> SMM/SMI so that the operating system cannot intervene would be possible |
84 |
> already today... and you've lost control of your computer. |
85 |
|
86 |
You still own your network, so you have at least some control over it. |
87 |
These features are intended to be managed by the system network |
88 |
administrator. |
89 |
|
90 |
This is going to be a matter of caveat emptor. Don't buy a Tivo or |
91 |
Kindle and expect to be able to repurpose it. (And don't buy hardware |
92 |
from Oracle, I expect. Though I suspect you may eventually not get a |
93 |
choice is you want to run their software.) |
94 |
|
95 |
If you don't know whether or not you can expect to reformat a device |
96 |
before you buy it, then you haven't been paying attention to mobile |
97 |
tech over the last five years, and you didn't do your homework. |
98 |
Apologies for the lack of sympathy. :( |
99 |
|
100 |
-- |
101 |
:wq |