| 1 |
On Sat, Jun 2, 2012 at 3:51 PM, pk <peterk2@××××××××.se> wrote: |
| 2 |
> On 2012-06-02 15:12, Florian Philipp wrote: |
| 3 |
> |
| 4 |
>> According to [1] it is SHA-256 and RSA-2048. If I understand it |
| 5 |
>> correctly, there are means to blacklist compromised keys. That's |
| 6 |
>> why |
| 7 |
> |
| 8 |
> Just curious, how is a "compromised" key supposed to be blacklisted? |
| 9 |
> Does the bios contact Microsoft, or is it through some other mean (via |
| 10 |
> OS which means it needs to have some sort of service to check for this |
| 11 |
> blacklist)? Smells like trouble to me... :-/ |
| 12 |
|
| 13 |
I expect the chief mechanism is at the manufacturer's end; blacklisted |
| 14 |
keys get included on shipment. |
| 15 |
|
| 16 |
It's also probable that the OS kernel can tell the UEFI BIOS about new |
| 17 |
keys to blacklist. I expect that'll be a recurring thing in the |
| 18 |
Monthly batch of security updates Microsoft puts out. (Makes sense, |
| 19 |
really; if malware is using a key, blacklist that key.) |
| 20 |
|
| 21 |
Someone linked to some absolutely terrible stuff being built into |
| 22 |
Intel's Ivy Bridge...it's plausible it will be possible to deploy |
| 23 |
blacklist key updates over the network within a couple years. |
| 24 |
|
| 25 |
|
| 26 |
-- |
| 27 |
:wq |
Archives