| |||||||||||||
Present user testPresent user testPosted Oct 11, 2012 8:11 UTC (Thu) by epa (subscriber, #39769)Parent article: The Linux Foundation's UEFI secure boot system
It sounds like the 'present user test' consists of requiring a couple of keystrokes to select a menu item. If so, a one-dollar USB device could send the keypresses at startup, allowing you to boot the OS of your choice without manual intervention.
(Log in to post comments)
Present user test Posted Oct 11, 2012 9:33 UTC (Thu) by dgm (subscriber, #49227) [Link]
Am I the only one that thinks that this is absurd?
Present user test Posted Oct 11, 2012 13:21 UTC (Thu) by pjones (guest, #31722) [Link]
No. The entire point of requiring user input - and in both cases it should be non-trivial user input - is to prove that there's a live user present. If something is deployed that wildly circumvents that, the likely outcome is that a hash of the binary in question winds up on the blacklist.
Present user test Posted Oct 11, 2012 17:23 UTC (Thu) by Flukas88 (guest, #87138) [Link]
No, you're not.
Present user test Posted Oct 11, 2012 13:27 UTC (Thu) by gidoca (subscriber, #62438) [Link]
How is plugging a USB device not a manual intervention?
Present user test Posted Oct 11, 2012 14:33 UTC (Thu) by pjones (guest, #31722) [Link]
There's no distinction at system bootup between plugging a device in and already having a device plugged in.
Present user test Posted Oct 11, 2012 14:45 UTC (Thu) by pjones (guest, #31722) [Link]
To elaborate - current generation systems don't enumerate USB in the firmware unless there's a reason to - either you've got a boot entry that points to a usb device or your software calls ReadKeyStroke()/WaitForKey()/etc. So the point at which you want to say "I'm waiting for this device to be inserted" would wind up being right after you've asked it to enumerate the USB bus. At that point, if the device is already inserted, you're still going to get a new event when it shows up. There's no distinction.
Present user test Posted Oct 11, 2012 14:52 UTC (Thu) by epa (subscriber, #39769) [Link]
I meant there is no need for manual intervention at every startup. So you can install Linux on your server without worrying about it being stuck at a menu every time it reboots.
Clearly, if you can plug in a USB key then you have physical access to the machine. The criterion for defeating malware is surely that you can't change the bootloader without physical access. Somebody with that access could equally well install a keylogger or (in principle) just replace the motherboard with a trojaned one.
In fact, you could argue that physically plugging something in is how it should have worked from the beginning. Like an old Nintendo console, your PC or tablet device could come with a Windows cartridge installed, and if you want to boot something else you have to remove that and plug in a different cartridge (which may still allow booting Windows if you wish). Unfortunately that would make the devices a couple of dollars more expensive, so we have these shenanigans with signed bootloaders instead.
Present user test Posted Oct 11, 2012 15:09 UTC (Thu) by raven667 (subscriber, #5198) [Link]
Actually that sounds a lot like the smartcards used for satellite TV decryption. That would have been an interesting direction for the industry to go in.
Present user test Posted Oct 11, 2012 15:07 UTC (Thu) by raven667 (subscriber, #5198) [Link]
Well, that's physically present, isn't it? Malware didn't get the ability to manifest USB devices out of thin air like in the movies last time I checked 8-).
Present user test Posted Oct 11, 2012 15:37 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
Technically, some 'programmable' keyboards now have a CPU and a decent amount of RAM and can be subverted.
Present user test Posted Oct 11, 2012 19:14 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
this isn't new, I heard of malware doing this to apple keyboards years ago
|
|||||||||||||