Select models of:
Acer
Dell
Gigabyte
Intel
Supermicro
aopen
formelife
You’re welcome.
Even Intel lmao
o7
Doing the lord’s work here!
Secure Boot is a broken concept by design.
To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.
You dare question a monopoly corporation and the spymasters of this country??
(/s)
Yes, surely randoms on Lemmy know better than Microsoft and the NSA in regards to security.
Oh anyone who doesn’t trust Microsoft with their life is a complete idiot. And the NSA only illegally spied on everyone until Bush the II made it legal! So of course we should unquestioningly follow their configuration guides. I mean - haha - we don’t wanna get disappeared! Haha ha. Not. Not that that’s ever happened. That we know of. For sure. Probably.
in regards to security
in regards to security
in regards to security
in regards to security
Just wanted to make sure you saw it this time because you went off on a tangent there.
It doesn’t matter if they know about security (which they do). A burglar could know about locks and home security systems, would you take his advice?
Their positions on security of others is dismissed on grounds of trust not of competence.
The NSA has two jobs.
The first is to break into any computer or communications stream that they feel the need to for “national security needs”. A lot of leeway for bad behavior there, and yes, they’ve done, and almost certainly continue to do, bad things. Note that in theory that is only allowed for foreign targets, but they always seem to find ways around that.
The second, and less well known, job is to ensure that nobody but them can do that to US computers and communications streams. So if they say something will make your computer more secure, it’s probably true, with the important addition of “except from them”.
I won’t pretend I like any of this, but most people are much more likely to be targeted by scammers, bitcoin miners, and ransomware than they are by the NSA itself, so in that sense, following the NSA’s recommendation here is probably better than not.
A burglar could know about locks and home security systems, would you take his advice?
Literally, yes. There was even a TV show about it.
Hey what is that, some kinda tangent
Can you explain more (don’t doubt you)
Ok, so I am not an expert, and I am not the OP. But my understanding is that Secure Boot is checking with a relatively small list of trustworthy signing certificates to make sure that the OS and hardware are what they claim to be on boot. One of those certificates belongs to a Microsoft application called Shim, which can be updated regularly as new stuff comes out. And technically you can whitelist other certificates, too, but I have no idea how you might do that.
The problem is, there’s no real way to get around the reality that you’re trusting Microsoft to not be compromised, to not go evil, to not misuse their ubiquity and position of trust as a way to depress competition, etc. It’s a single point of failure that’s presents a massive and very attractive target to attackers, since it could be used to intentionally do what CrowdStrike did accidentally last week.
And it’s not necessarily proven that it can do what it claims to do, either. In fact, it might be a quixotic and ultimately impossible task to try and prevent boot attacks from UEFI.
But OP might have other reasons in mind, I dunno.
To use secure boot correctly, you need disable or delete the keys that come preinstalled and add your own keys. Then you have to sign the kernel and any drivers yourself. It is possible to automate the signing the kernel and kernel modules though. Just make sure the private key is kept secure. If someone else gets a hold of it, they can create code that your computer will trust.
The kernel modules usually are signed with a different key. That key is created at build time and its private key is discarded after the build (and after the modules have been signed) and the kernel uses the public key to validate the modules IIRC. That is how Archlinux enables can somewhat support Secure Boot without the user needing to sign every kernel module or firmware file (it is also the reason why all the kernel packages aren’t reproducible).
And technically you can whitelist other certificates, too, but I have no idea how you might do that.
When you enter the UEFI somewhere there will be a Secure Boot section, there there is usually a way to either disable Secure Boot or to change it into “Setup Mode”. This “Setup Mode” allows enrolling new keys, I don’t know of any programs on Windows that can do it, but
sbctl
can do it and thesystemd-boot
bootloader both can enroll your own custom keys.
lol at the DO NOT TRUST keys.
I’ve learnt over the years that you have to make the example code fail to compile or print out huge user-visible warnings or something like that, otherwise people can and will use it as-is in production, hard-coded keys and all.
Even if you make it print out a huge message, some manufacturers will just comment that out while keeping all the other dummy example data.
I’ve seen several production OAuth/OpenID servers that accepted an app ID and secret from a “how to set up an OAuth server” tutorial, and in one case the company was using that app ID for all their production services.
That’s on the company for paying pennies for their dev and production roles.
The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text.
It’s like installing a top-of-the-line alarm system for your house with camera, motion detector, alarm, and immobilizing gas, then leaving the unlock password on a PostIt under the welcome mat.
immobilizing gas
BRB, setting up a new automation in Homeassistant…
Send yaml
This needs to be a thing
ESP32 running ESPHome connected to a MOSFET and relay, which operates a solenoid valve on the canister of gas. Don’t let dreams be dreams.
As long as there’s some left for the dr. A little delphic courage
It’s totally a thing, bro. Here take a hit off this immobilizing gas bubble pipe
CrystalLit
K-rapy garboge!:
There’s little that users of an affected device can do other than install a patch if one becomes available from the manufacturer.
Gentoo gives extensive instructions:
Arch:
NIST (US government guides cover POSIX/Windows with a layperson explanation and guide):
- https://csrc.nist.gov/projects/key-management
- https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt3r1.pdf
The technical documentation about Secure Boot says that SB is not a mechanisms to steal ownership of your device. It is a spurious claim because the design specification is only a reference and not a requirement. Gentoo has further documentation that can be found describing KeyTool, a package that enables booting directly into UEFI to change the keys manually if your implemented UEFI bootloader lacks the functional implementation required to sign your own keys. I’ve never tried it personally. I merely know of its existence.
200+ models from 5 big device makers
Nearly 500 device models use them anyway.
Bleeping Computer reports 813 products from 10 vendors.
Checked the BIOS update file of a Gigabyte motherboard I have here (Z170X - Gaming 7):
DETECTED PKfail untrusted certificate
Issuer: CN=DO NOT TRUST - AMI Test PK
What is Secure Boot actually good for? Serious question.
It’s supposed to prevent unsigned files from being loaded by the UEFI (AFAIK) which could possibly help with rootkits, if it doesn’t somehow sign itself. However, these are pretty rare if you don’t allow sketchy software to access your boot partition, and will often cause issues with non major Linux distros.
I had dell pc refuse to boot Linux mint because of secure boot
Then you haven’t set it up right
Nah man, it didn’t even allowed to boot iso from ventoy until i disabled secure boot
With Debian I think I was able to load the appropriate keys after installing the OS and then re-enable secureboot in the bios. Might be worth checking into.
i like how the manufacturers who responded to the author’s queries basically said ‘tough shit, that product is out of support’
“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”
I mean, I don’t really have much interest in requiring that my BIOS code be signed, but I have a hard time believing that this Martin Smolár guy is correct. Just entirely disable firmware updates in the BIOS, and re-enable just for the one boot where you update your BIOS while booting off a trusted USB key. You’d never put your OS in a position of being able to push an update to the BIOS.
EDIT: Actually, if current BIOSes can update without booting to an OS at all, just selecting a file on a filesystem that they can understand – IIRC my last Asus motherboard could do that – you never need to enable it for even that.
I think Secure boot is intended to check that the boot loader itself is signed.
This is a way to mitigate viruses and malware that infects the boot loader so it can reinstall itself if it’s removed by AV, or something else.
If you can create a boot loader that is signed in such a way that secure boot can’t tell it’s invalid then you can do some nasty stuff.
Closest analogy I can think of is verisigns private key being leaked and there’s no fast and easy way to revoke and replace it without wreaking havoc on currently installed OS’s machines.