Fedora, secure boot, and an insecure future

Posted Jun 5, 2012 22:49 UTC (Tue) by rahvin (subscriber, #16953)
In reply to: Fedora, secure boot, and an insecure future by dashesy
Parent article: Fedora, secure boot, and an insecure future

Or better yet, the Windows Flame malware that's using a Microsoft-signed software update to hijack Windows Update and push malware onto new machines using a Microsoft-signed chunk of malware.

Digital signatures aren't all they're cracked up to be. IMO Secure boot will ultimately be as successful as all the other failed systems. As soon as someone reverses the Microsoft secret key and releases it in the wild 3 years after secure boot has been in the wild you'll see the futility in the system. Doesn't matter if they have revocation lists because unless you are receiving mandatory BIOS updates you aren't going to get them.

I hope everyone can see the futility in trying to put the security into the part of the system that almost no one actually updates (BIOS). This doesn't even touch on BIOS security or code quality. All secure boot is going to do is make BIOS the target and I doubt the BIOS producers can survive the scrutiny.

All secure boot is going to do is cause the creation of hundreds of pieces of malware that target and exploit the BIOS. Can you imagine a world where you have to apply security updates to your BIOS on a regular basis or Windows won't load?
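As an added illustration of the revocation point made above (this is not code from the comment, from LWN, or from any firmware vendor): a toy model, using only Go's standard library, of a secure-boot allow-list (db) of signer keys and a revocation list (dbx). The keys and the signed image are constructed for the example. It shows that revoking a leaked signer key only takes effect on a machine whose firmware actually received the dbx update; a machine with stale firmware keeps accepting images signed with the leaked key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Firmware models the part of UEFI secure boot the comment is about: an
// allow-list (db) of signer keys and a revocation list (dbx). Both live in
// firmware, so a machine only learns of a revocation when its firmware is updated.
type Firmware struct {
	db  []ed25519.PublicKey
	dbx map[[32]byte]bool // SHA-256 of revoked signer public keys
}

// NewFirmware builds a firmware instance trusting the given signer keys.
func NewFirmware(db ...ed25519.PublicKey) *Firmware {
	return &Firmware{db: db, dbx: map[[32]byte]bool{}}
}

// Revoke records a signer key in dbx (what a firmware/dbx update would deliver).
func (f *Firmware) Revoke(pub ed25519.PublicKey) { f.dbx[sha256.Sum256(pub)] = true }

// Verify reports whether image carries a valid signature from a db key
// that has not been revoked; a revoked signer is rejected even if the
// signature itself is mathematically valid.
func (f *Firmware) Verify(image, sig []byte) bool {
	for _, pub := range f.db {
		if f.dbx[sha256.Sum256(pub)] {
			continue
		}
		if ed25519.Verify(pub, image, sig) {
			return true
		}
	}
	return false
}

// Scenario: the signer key is assumed to have leaked. One machine receives the
// dbx update revoking it, the other never does. It returns whether each machine
// accepts an image signed with the leaked key (constructed sample data).
func Scenario() (staleAccepts, updatedAccepts bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	stale, updated := NewFirmware(pub), NewFirmware(pub)
	updated.Revoke(pub) // only the updated machine learns of the leak

	image := []byte("image-signed-with-leaked-key") // constructed sample image
	sig := ed25519.Sign(priv, image)
	return stale.Verify(image, sig), updated.Verify(image, sig)
}

func main() {
	s, u := Scenario()
	fmt.Printf("stale firmware accepts: %v; updated firmware accepts: %v\n", s, u)
}
```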



Fedora, secure boot, and an insecure future

Posted Jun 5, 2012 23:39 UTC (Tue) by neilbrown (subscriber, #359)

I think you are saying that secure boot isn't really a solution, and I think I agree. However it seems that there is still a problem and I wonder if anyone has any ideas that might actually work.

One of the freedoms that I want for my computing experience is the freedom not to run any malware. I have enjoyed that so far largely because Windows is a much bigger target than Linux. However that has not been a complete protection and will not necessarily continue to be any protection. Recent events show that with enough resources, almost anything is possible. Maybe my ethernet card already has a back-door that is allowing unfriendlies in.

One of the things that we do with software is to make unreliable systems more reliable. TCP does this for networks. RAID does this for storage. Multi-path does it for cabling. UPS does it for power (that isn't software though).

Is there some approach that can leverage redundancy or extra analysis or some extra strong segregation that is structurally immune to all non-physical-access attacks?

Or can we look forward to an unending arms race for control of our computers?

Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 9:21 UTC (Wed) by steveriley (subscriber, #83540)

This is rather the opposite of the prevailing view that software requires a hardware root of trust (https://startpage.com/do/search?query=hardware+root+of+trust). Although I actually think you're onto something here. Must ponder this one for a bit...

Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 12:23 UTC (Wed) by alonz (subscriber, #815)

Since when has “prevailing view” come to mean “right”…?

The security field is full of misconceptions, miscommunications, and improperly-understood ideas. This is one of the major examples: a hardware root-of-trust means that the principal who put his keys in the hardware module can trust (transitively) any software running on the device. But note that the extra security is only enjoyed by the owner of the keys—not by anyone else! So, unless you give the keys to the end-user (owner of the hardware), and trust them to determine what software is trustworthy and sign this software, you end up with a vendor-locked system. (And if you do trust the end-user, I have a bridge to sell you.)

(On the other hand, if you trust the vendor, I have another bridge…)

Secure boot is currently being sold as a magic security solution. It's not magic, and thus can't work as advertised; unfortunately, a good security solution will be more complex to engineer (and thus nobody has an incentive to develop it).

(Full disclosure: I am chief architect at a security solutions company.)

Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 12:29 UTC (Wed) by hummassa (subscriber, #307)

> Secure boot is currently being sold as a magic security solution. It's not magic,

It's not security, and it's not a solution... :-) people still did not understand that there is no such thing as shrink-wrapped security?? It is a process, not a product...

Fedora, secure boot, and an insecure future

Posted Jun 6, 2012 5:29 UTC (Wed) by AndreE (subscriber, #60148)

Actually such a world exists. MBR malware has existed for a while, and BIOS malware has already surfaced in the wild. That's the whole motivation for secure or trusted path booting in the first place.

If implementing this drives the creation of better BIOS/UEFI firmware, then all the better.

It's like saying that implementing a password system invites attacks on passwords, or implementing SELinux makes SELinux exploits a target. Well that is a truism. Any security mechanism will obviously become a target for those wanting to break it. That's not any reason for opting against one though.

Maybe Fedora should stop signing its distribution packages. After all, someone will reverse their secret key, and unless I am receiving mandatory updates I'm not going to be aware of this anyway.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds