LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

A pair of UEFI updates

A pair of UEFI updates

Posted Feb 3, 2013 0:32 UTC (Sun) by mjg59 (subscriber, #23239)
In reply to: A pair of UEFI updates by dlang
Parent article: A pair of UEFI updates

Nonsense. There's somewhere in the region of 6 secure boot implementations in existence, and most of those are probably based on Intel's. Decompress the firmware image (which is in a conveniently documented format), identify the code block containing the security policy, flip the value, regenerate the checksums, put it back together and then leave it up to the user to figure out how to actually flash it. I can promise you that this is easier than figuring out how a given board's embedded controller is supposed to interface with anything.

(Log in to post comments)

A pair of UEFI updates

Posted Feb 3, 2013 0:43 UTC (Sun) by dlang (✭ supporter ✭, #313) [Link]

now you have to do that not only for every motherboard, you have to do it for every BIOS revision released for that motherboard. And when new BIOS updates are released, you have to re-do the hack.

you are talking as if the secure boot is a nicely delineated chunk of the BIOS, when everything is just the optimized binary blob, the location of this chunk may vary from BIOS to BIOS.

the source code implementations may be few, but the resulting binary chunks will vary a lot more.

A pair of UEFI updates

Posted Feb 3, 2013 0:55 UTC (Sun) by mjg59 (subscriber, #23239) [Link]

"you are talking as if the secure boot is a nicely delineated chunk of the BIOS, when everything is just the optimized binary blob"

That hasn't been true for a long time. It's completely untrue when it comes to UEFI.

A pair of UEFI updates

Posted Feb 3, 2013 5:23 UTC (Sun) by theophrastus (guest, #80847) [Link]

Thank you both. (i think we always learn more watching a spirited discussion than if everyone just tediously agrees)

i lost track of LinuxBIOS and am glad to see that work on it continues. of course, i was thinking more of an unlikely... -patch- to remove, or jumper around, UEFI, instead of the full nuclear option; but that might be the only way in the final analysis. as long as hardware makers are willing manufacture to suit a narrow, (yet fat), market.

A pair of UEFI updates

Posted Feb 3, 2013 11:22 UTC (Sun) by khim (subscriber, #9252) [Link]

You can not "jump around" UEFI because it's the only thing there is.

BIOS is emulated on top of UEFI, not the other way around. Which means that all the hardware is initialized in the UEFI.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds