firmware -> bootloader -> OS -> applications -> server
Each has some built-in certificates to verify from left to right: the firmware has a certificate for the bootloader, the bootloader has certificate(s) for the kernel etc. In secure boot, if the signature doesn't match, stop the boot process.
To have "trusted computing" you also need to be able to verify from right to left: the server shall be able to see that the application is correctly signed.
So to interpret the difference between secure boot and trusted computing:
The firmware can tell the bootloader that it was correctly signed. The bootloader can tell the OS etc. But the bootloader can lie to you in "secure boot": secure boot might actually have been turned off in the firmware, but the bootloader has also been changed to lie to the OS that it was correctly signed.
Or the user can tell the server that the stack is correctly signed, because there is no way the server can verify it.
If that is the case, where is the security? It should be "simple" to either manipulate the firmware to switch off secure boot on specific systems, or trick the user into doing so, while flipping the bits in the bootloader, OS etc. It is harder to install malware on such a system, but far from impossible if you know which bits to flip - and hackers do. The only real thing which makes it harder is to figure out how to disable secure boot on many different versions of the firmware. I bet you can manipulate the setting from software, if you know how.
Posted Oct 27, 2011 15:15 UTC (Thu) by mjg59 (subscriber, #23239)
The security comes from the requirement that the user enter the BIOS to disable the feature. If the firmware is implemented in such a way that you can modify this from the OS then it's obviously circumventable, but the design is intended to be such that this is impossible.
An update on UEFI secure boot
Posted Oct 27, 2011 23:50 UTC (Thu) by giraffedata (subscriber, #1954)
The bootloader can tell the OS [that it was correctly signed] etc.
But the bootloader can lie to you in "secure boot":
Not quite. The bootloader can't tell the OS that it was correctly signed and the OS can't ask. Implementing that function would be ridiculous, since the bootloader could lie. It would be like a prostitute asking a potential client if he is a cop.
That's the difference between secure boot and trusted computing. With trusted computing, the program can determine it is running on a platform the program trusts; with secure boot, the user can ensure everything running on his computer is something he trusts.
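The distinction drawn above (the program learning what platform it runs on, rather than a stage simply asserting it was signed) is what measured boot with remote attestation provides. The following is an added example, not code from this thread: a toy Python model of a TPM-style PCR extend chain and a nonce-bound quote, showing why a modified bootloader cannot claim to have been correctly signed, because the firmware measured it before it ran. HMAC stands in for a TPM signature, the verifier is assumed to hold the attestation key, and all component blobs and keys are constructed.

```python
import hashlib
import hmac

# Constructed known-good boot components (stand-ins for real binaries).
GOOD_CHAIN = [
    ("firmware", b"firmware v1"),
    ("bootloader", b"bootloader v1"),
    ("kernel", b"kernel v1"),
]

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || H(component)).
    One-way: a later stage cannot rewind the register to hide what ran before it."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(chain) -> bytes:
    """Each stage measures the next one into the PCR before handing control over,
    so a stage is already recorded by the time it gets to run (and to lie)."""
    pcr = bytes(32)  # PCRs start at all zeros on reset
    for _name, blob in chain:
        pcr = extend(pcr, blob)
    return pcr

def quote(pcr: bytes, attestation_key: bytes, nonce: bytes) -> bytes:
    """Simplified attestation quote: the platform key signs PCR || nonce.
    HMAC stands in for a TPM signature; the key is assumed to live only in the TPM,
    never in any bootable software, so no boot stage can forge a quote."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()

def verify_attestation(q: bytes, nonce: bytes, attestation_key: bytes, golden_pcr: bytes) -> bool:
    """Remote verifier (the 'server' in the thread): recomputes the quote over the
    golden PCR for the chain it trusts and checks it in constant time."""
    expected = hmac.new(attestation_key, golden_pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(q, expected)

def demo() -> tuple:
    """Returns (honest platform accepted, tampered bootloader accepted)."""
    key = b"tpm-attestation-key"      # constructed
    nonce = b"fresh-challenge-0001"   # constructed; binds the quote to this session
    golden = measured_boot(GOOD_CHAIN)
    honest_quote = quote(measured_boot(GOOD_CHAIN), key, nonce)
    # The modified bootloader still measures the good kernel honestly, yet its own
    # measurement was taken by the firmware before it ran, so the PCR already differs.
    tampered_chain = [GOOD_CHAIN[0], ("bootloader", b"bootloader v1 (modified)"), GOOD_CHAIN[2]]
    tampered_quote = quote(measured_boot(tampered_chain), key, nonce)
    return (verify_attestation(honest_quote, nonce, key, golden),
            verify_attestation(tampered_quote, nonce, key, golden))
```

Under plain secure boot there is no equivalent of verify_attestation for the server to call, which is the gap the comment above describes.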
An update on UEFI secure boot
Posted Nov 20, 2011 20:51 UTC (Sun) by oak (subscriber, #2786)
That's where DRM comes in. The content is encrypted so that only your firmware which has the correct keys can decrypt it. Firmware will do that only if boot was secured. "Content" can be anything; challenge from your internet bank, video stream, code loaded on game startup etc.
An update on UEFI secure boot
Posted Nov 20, 2011 21:11 UTC (Sun) by mjg59 (subscriber, #23239)
Given the way UEFI works, it'd be trivial for you to extract the decryption key in any such scenario.