Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for December 5, 2013
Deadline scheduling: coming soon?
LWN.net Weekly Edition for November 27, 2013
ACPI for ARM?
LWN.net Weekly Edition for November 21, 2013
An update on UEFI secure boot
Posted Oct 27, 2011 15:05 UTC (Thu) by simlo (guest, #10866)
We have a boot chain:
firmware -> bootloader -> OS -> applications -> server
Each have some build in certificates to verify from left to right: The firmware have a certificate for the bootloader, the bootloader have certificate(s) for the kernel etc. In secure boot, if the signature doesn't match, stop the boot process.
To have "trusted computing" you also need to be able to verify from right to left: The server shall be able to be able to see that the application is correctly signed.
So to interpret the difference between secure boot and trusted computing:
The firmware can tell the bootloader that it was correctly signed. The bootloaded can tell the OS etc. But the bootloaded can lie to you in "secure boot": Secure boot might actually have been turned off in the firmware, but the bootloader have also been changed to lie to the OS that it was correctly signed.
Or the user can tell the server that the stack is correctly signed, because there is no way the server can verify it.
If that is the case, where is the security? It should be "simple" to either manipulate the firmware to switch off secure boot on specific systems, or trick the user into doing so, while flipping the bits in the bootloader, OS etc. It is harder to install malware on such a system, but far from impossible if you know which bits to flip - and hackers do. The only real things which makes it harder is to figure out how to disable secure boot on many different versions of the firmware. I bet you can manipulate the setting from software, if you know how.
Posted Oct 27, 2011 15:15 UTC (Thu) by mjg59 (subscriber, #23239)
Posted Oct 27, 2011 23:50 UTC (Thu) by giraffedata (subscriber, #1954)
The bootloader can tell the OS [that it was correctly signed] etc.
But the bootloader can lie to you in "secure boot":
Not quite. The bootloader can't tell the OS that it was correctly signed and the OS can't ask. Implementing that function would be ridiculous, since the bootloader could lie. It would be like a prostitute asking a potential client if he is a cop.
That's the difference between secure boot and trusted computing. With trusted computing, the program can determine it is running on a platform the program trusts; with secure boot, the user can ensure everything running on his computer is something he trusts.
Posted Nov 20, 2011 20:51 UTC (Sun) by oak (guest, #2786)
Posted Nov 20, 2011 21:11 UTC (Sun) by mjg59 (subscriber, #23239)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds