every kernel hole will require that its certificate be revoked.
Fedora, secure boot, and an insecure future
Posted Jun 5, 2012 22:42 UTC (Tue) by slashdot (guest, #22014)
But if it is a dual-boot system, then either Windows Update can update Linux and apt-get/yum can update Windows, or the other system will be made unbootable once the CRL is applied.
I guess that in principle it should be possible to store the kernels as EFI applications along with an update URL and do exactly that (and then have the kernel alone be capable of updating the rest of the system before it loads it), but I wonder if anyone really thought about this.
In addition, it won't be possible to install operating systems from disk media without an Internet connection, since the kernel on the disk would be almost surely revoked, but that's probably not such a huge concern.
IMHO this whole mess will just get disabled by anyone tech-savvy.
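The dual-boot failure mode described in the post above can be made concrete with a small model of the UEFI db/dbx policy. This is an added example, not code from the original thread or from any firmware: the "certificates" are plain keys, the signature check is an HMAC standing in for X.509 signature verification, and the names MicrosoftUEFICA, bootmgfw.efi and shim.efi are constructed for the scenario. What it does reproduce is the real ordering of the check (a forbidden entry in dbx wins over any match in db) and the consequence that a dbx update delivered by one operating system revokes the other operating system's loader until that OS ships a freshly signed one.

```python
"""Toy model of the UEFI Secure Boot allow (db) / forbid (dbx) policy.

Added illustration only: HMAC replaces asymmetric signature verification,
and all key material, image names and image bodies are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def sign(key: bytes, body: bytes) -> bytes:
    """Stand-in for signing an EFI binary with the private key behind a cert."""
    return hmac.new(key, body, hashlib.sha256).digest()


@dataclass
class Image:
    name: str
    body: bytes
    signer: str      # name of the certificate that signed this image
    sig: bytes


@dataclass
class Firmware:
    # db: trusted signers (the key stands in for the certificate's public key)
    db: dict
    # dbx: forbidden entries; UEFI allows both certificate and image-hash entries
    dbx_certs: set = field(default_factory=set)
    dbx_hashes: set = field(default_factory=set)

    def verify(self, img: Image):
        """Return (bootable, reason). dbx is consulted before db, as in UEFI."""
        digest = hashlib.sha256(img.body).digest()
        if digest in self.dbx_hashes:
            return (False, "image hash in dbx")
        if img.signer in self.dbx_certs:
            return (False, f"signer {img.signer} revoked in dbx")
        key = self.db.get(img.signer)
        if key is None:
            return (False, f"signer {img.signer} not in db")
        if not hmac.compare_digest(sign(key, img.body), img.sig):
            return (False, "bad signature")
        return (True, "ok")

    def apply_dbx_update(self, certs=(), hashes=()):
        """Model of an OS update writing new forbidden entries into dbx."""
        self.dbx_certs.update(certs)
        self.dbx_hashes.update(hashes)


def dual_boot_scenario():
    """Both loaders chain to one CA; one loader is later revoked by hash."""
    ca_key = b"constructed-uefi-ca-key"          # constructed stand-in for the CA's key
    fw = Firmware(db={"MicrosoftUEFICA": ca_key})

    win_body = b"constructed windows boot manager"
    shim_v1_body = b"constructed shim v1, loads a kernel with a known hole"
    shim_v2_body = b"constructed shim v2, loads a fixed kernel"
    win = Image("bootmgfw.efi", win_body, "MicrosoftUEFICA", sign(ca_key, win_body))
    shim_v1 = Image("shim.efi", shim_v1_body, "MicrosoftUEFICA", sign(ca_key, shim_v1_body))
    shim_v2 = Image("shim.efi", shim_v2_body, "MicrosoftUEFICA", sign(ca_key, shim_v2_body))

    before = (fw.verify(win)[0], fw.verify(shim_v1)[0])

    # The other OS's updater pushes a dbx entry revoking the old shim by hash.
    # Nothing in this model updates the Linux side; its loader is now refused.
    fw.apply_dbx_update(hashes={hashlib.sha256(shim_v1_body).digest()})
    after = (fw.verify(win)[0], fw.verify(shim_v1)[0], fw.verify(shim_v2)[0])

    # Installation media still carrying shim v1 fails the same check.
    install_media = fw.verify(shim_v1)
    return {"before": before, "after": after, "install_media": install_media}


if __name__ == "__main__":
    for k, v in dual_boot_scenario().items():
        print(k, v)
```

Running the block prints `before (True, True)`, then `after (True, False, True)`: the Windows loader and the re-signed shim boot, the revoked shim does not, and the same revoked shim on installation media is refused with "image hash in dbx". Swapping the order of the dbx and db checks in `verify` would let a valid signature override a revocation, which is exactly the mistake the dbx-first ordering exists to prevent.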
Posted Jun 5, 2012 22:49 UTC (Tue) by rahvin (subscriber, #16953)
Digital signatures aren't all they're cracked up to be. IMO Secure boot will ultimately be as successful as all the other failed systems. As soon as someone reverses the Microsoft secret key and releases it in the wild 3 years after secure boot has been in the wild you'll see the futility in the system. Doesn't matter if they have revocation lists because unless you are receiving mandatory BIOS updates you aren't going to get them.
I hope everyone can see the futility in trying to put the security into the part of the system that almost no one actually updates (BIOS). This doesn't even touch on BIOS security or code quality. All secure boot is going to do is make BIOS the target and I doubt the BIOS producers can survive the scrutiny.
All secure boot is going to do is cause the creation of hundreds of pieces of malware that target and exploit the BIOS. Can you imagine a world where you have to apply security updates to your BIOS on a regular basis or Windows won't load?
Posted Jun 5, 2012 23:39 UTC (Tue) by neilbrown (subscriber, #359)
One of the freedoms that I want for my computing experience is the freedom not to run any malware. I have enjoyed that so far largely because Windows is a much bigger target than Linux. However that has not been a complete protection and will not necessarily continue to be any protection. Recent events show that with enough resources, almost anything is possible. Maybe my ethernet card already has a back-door that is allowing unfriendlies in.
One of the things that we do with software is to make unreliable systems more reliable. TCP does this for networks. RAID does this for storage. Multi-path does it for cabling. UPS does it for power (that isn't software though).
Is there some approach that can leverage redundancy or extra analysis or some extra strong segregation that is structurally immune to all non-physical-access attacks?
Or can we look forward to an unending arms race for control of our computers?
Posted Jun 6, 2012 9:21 UTC (Wed) by steveriley (subscriber, #83540)
Posted Jun 6, 2012 12:23 UTC (Wed) by alonz (subscriber, #815)
The security field is full of misconceptions, miscommunications, and improperly-understood ideas. This is one of the major examples: a hardware root-of-trust means that the principal who put his keys in the hardware module can trust (transitively) any software running on the device. But note that the extra security is only enjoyed by the owner of the keys—not by anyone else! So, unless you give the keys to the end-user (owner of the hardware), and trust them to determine what software is trustworthy and sign this software, you end up with a vendor-locked system. (And if you do trust the end-user, I have a bridge to sell you.)
(On the other hand, if you trust the vendor, I have another bridge…)
Secure boot is currently being sold as a magic security solution. It's not magic, and thus can't work as advertised; unfortunately, a good security solution will be more complex to engineer (and thus nobody has an incentive to develop it).
(Full disclosure: I am chief architect at a security solutions company.)
Posted Jun 6, 2012 12:29 UTC (Wed) by hummassa (subscriber, #307)
It's not security, and it's not a solution... :-) people still did not understand that there is no such thing as shrink-wrapped security?? It is a process, not a product...
Posted Jun 6, 2012 5:29 UTC (Wed) by AndreE (subscriber, #60148)
If implementing this drives the creation of better BIOS/UEFI firmware, then all the better.
It's like saying that implementing a password system invites attacks on passwords, or implementing SELinux makes SELinux exploits a target. Well that is a truism. Any security mechanism will obviously become a target for those wanting to break it. That's not any reason for opting against one though.
Maybe Fedora should stop signing its distribution packages. After all, someone will reverse their secret key, and unless I am receiving mandatory updates I'm not going to be aware of this anyway.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds