
Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 14:11 UTC (Sat) by DavidS (guest, #84675)
In reply to: Implementing UEFI Secure Boot in Fedora by micka
Parent article: Implementing UEFI Secure Boot in Fedora

Because a bootloader which will load _anything_ will be blacklisted faster than you can say "Secure Malware Boot".

As it should.



Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 16:25 UTC (Sat) by micka (subscriber, #38720)

> As it should.

I suppose we won't agree on this.

This equates "malware" with "unsigned software", while it's trivially false.

Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 17:25 UTC (Sat) by mjg59 (subscriber, #23239)

Malware is a subset of unsigned software. If you can mechanically distinguish between unsigned malware and unsigned white hat software, I suspect there's a very big bag of money waiting for you somewhere.

Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 17:33 UTC (Sat) by micka (subscriber, #38720)

Sure, but this criterion has an exceptionally bad (high) false positive rate.

Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 17:36 UTC (Sat) by mjg59 (subscriber, #23239)

That's true, but the obvious alternative has an unacceptable (>0) false negative rate.

Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 17:59 UTC (Sat) by micka (subscriber, #38720)

OK, let's say it like that: some people who install wireshark/nessus/whatever use it to crack into systems, so people should be forbidden to get those programs...

That's the same reasoning.

Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 18:02 UTC (Sat) by mjg59 (subscriber, #23239)

Nobody's forbidding anyone from running anything. It's a matter of default policy. The default policy being imposed here is that only signed code should be able to directly influence hardware behaviour. Signing a bootloader that then executes unsigned code is a pretty obvious circumvention of that policy.

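As an added illustration, not part of any comment in this thread and not Fedora's, shim's or any real firmware's code, here is a stdlib-only Python model of the policy mjg59 describes (firmware runs only signed code, and each verified stage must in turn verify what it loads) together with the blacklisting DavidS refers to. Everything in it is constructed: the image names and byte contents are stand-ins for EFI binaries, and the UEFI `db`/`dbx` databases are modelled as sets of SHA-256 digests (real `db`/`dbx` entries can also be certificates; hashes only here).

```python
"""Toy chain-of-trust model for UEFI Secure Boot (stdlib only, constructed data)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    name: str
    code: bytes          # constructed stand-in for an EFI binary's bytes
    verifies_next: bool  # True if this stage checks the signature of what it loads


def digest(image: Image) -> str:
    """SHA-256 of the image; the unit that db/dbx allow or revoke in this model."""
    return hashlib.sha256(image.code).hexdigest()


@dataclass
class Firmware:
    db: set   # allowed image digests (models the UEFI db)
    dbx: set  # revoked image digests (models the UEFI dbx, the "blacklist")

    def allows(self, image: Image) -> bool:
        d = digest(image)
        return d in self.db and d not in self.dbx

    def revoke(self, image: Image) -> None:
        """Blacklist an image: a dbx hit wins even if db still lists it."""
        self.dbx.add(digest(image))


def boot(fw: Firmware, chain: list) -> list:
    """Walk a boot chain stage by stage.

    The firmware verifies stage 0. A later stage is verified only if the
    stage that loads it verifies what it loads; once an unverified stage
    runs, nothing after it can be trusted. Returns (name, status) pairs
    with status in {'verified', 'unverified', 'refused'}.
    """
    result = []
    loader_verifies = True  # the firmware itself is the root of trust
    for stage in chain:
        if not loader_verifies:
            result.append((stage.name, "unverified"))
            continue
        if fw.allows(stage):
            result.append((stage.name, "verified"))
            loader_verifies = stage.verifies_next
        else:
            result.append((stage.name, "refused"))
            break
    return result


def policy_holds(result: list) -> bool:
    """The policy 'only signed code runs' holds if no stage ran unverified."""
    return all(status != "unverified" for _, status in result)


# Constructed images. PERMISSIVE is a hypothetical signed loader that runs
# anything handed to it; UNSIGNED is a hypothetical payload nobody signed.
SHIM = Image("shim", b"shim-v1", verifies_next=True)
GRUB = Image("grub", b"grub-verifying", verifies_next=True)
KERNEL = Image("kernel", b"vmlinuz-signed", verifies_next=True)
PERMISSIVE = Image("permissive-loader", b"loads-anything", verifies_next=False)
UNSIGNED = Image("unsigned-payload", b"not-signed-by-anyone", verifies_next=True)


def demo() -> dict:
    """Run the scenarios from the thread and return their outcomes."""
    # The permissive loader was (mistakenly) signed, so it starts out in db.
    fw = Firmware(db={digest(i) for i in (SHIM, GRUB, KERNEL, PERMISSIVE)}, dbx=set())
    before = boot(fw, [PERMISSIVE, UNSIGNED])  # policy circumvented
    fw.revoke(PERMISSIVE)                      # the blacklisting DavidS predicts
    after = boot(fw, [PERMISSIVE, UNSIGNED])   # now refused at stage 0
    return {
        "good": boot(fw, [SHIM, GRUB, KERNEL]),
        "before": before,
        "after": after,
        "tamper": boot(fw, [SHIM, GRUB, UNSIGNED]),  # verifying grub refuses it
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome, "policy holds:", policy_holds(outcome))
```

The "before" scenario is the case both commenters are arguing about: every stage the firmware checked was signed, yet the policy is still violated, because the signed loader forwarded control without checking. Revoking that loader's digest restores the invariant without touching any other entry in db.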
Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 23:42 UTC (Sat) by hummassa (subscriber, #307)

> Malware is a subset of unsigned software.

Wrong.

I can be an authorized developer and erroneously sign a piece of software that contains some malware. Typical cases being disgruntled employers pushing vulnerabilities obfuscated in source code, and another example being the development/deployment machine being infected and infecting all generated executables prior to signing -- this way the malware is always present and always signed.

> If you can mechanically distinguish between unsigned malware and unsigned white hat software, I suspect there's a very big bag of money waiting for you somewhere.

There is no way (signatures or not) to distinguish malware from white hat software. It's an undecidable problem even to be solved by humans. The referred bag of money will stay put for a loooooooooong time.

Implementing UEFI Secure Boot in Fedora

Posted Jun 3, 2012 0:19 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)

> I can be an authorized developer and erroneously sign a piece of software that contains some malware.

Then you won't be an authorized developer for long.

In reality, Windows malware is very rarely signed (literally only in single cases) because it provides a traceable link to the developer.

Implementing UEFI Secure Boot in Fedora

Posted Jun 3, 2012 2:56 UTC (Sun) by hummassa (subscriber, #307)

One word: bollocks.
Better, another word: Stuxnet.

> , Duqu and Flame are not normal, everyday malware, of course. All three of them were most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered. The fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and DuQu, they used digitally signed components to make their malware appear to be trustworthy applications. And instead of trying to protect their code with custom packers and obfuscation engines—which might have drawn suspicion to them—they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware.

Read it at http://arstechnica.com/security/2012/06/why-antivirus-com...

Implementing UEFI Secure Boot in Fedora

Posted Jun 3, 2012 13:30 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)

Yeah, Stuxnet is an exception. So?

Most of malware is still unsigned (and that's not likely to change).

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 0:13 UTC (Mon) by hummassa (subscriber, #307)

Your overtly wrong point is that it's not likely to change. There is no *need* for a lot of signed malware today. If, in the future, malware had to be signed to run, then it *will* be signed.

What is not likely to change is that malware will exist and will infect a lot of our computers just like it does today. And cryptographically signing code does absolutely nothing to stop that. Why? Because if every piece of software has to be signed to run, all malware will get signed. Even if the OS refuses to run a single non-signed bit of code, malware will still exist. The Stuxnet & friends example I gave was a cautionary tale. There is malware in a lot of signed-only software platforms.

The only thing signed-only platforms bring to the software world is that it becomes much easier to get a scapegoat. No fool will sign malware with his own signature, but it's always good to steal your bosses' and coworkers' private keys, you know, just in case...

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 4:20 UTC (Mon) by dilinger (subscriber, #2867)

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 5:13 UTC (Mon) by raven667 (subscriber, #5198)

Turns out secure boot is probably not secure against Uncle Sam. The real world is looking more like the world of Brazil every day.

http://en.wikipedia.org/wiki/Brazil_(film)

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 14:34 UTC (Mon) by hummassa (subscriber, #307)

> Turns out secure boot is probably not secure against Uncle Sam.

Let me enforce this once again:

So-called "secure" boot is not secure at all.

So-called "secure" boot means ATPM "booting only cryptographically signed binaries". But for any general-purpose computation device to be remotely useful, it has to have variable input and output, IOW: somewhere there will be a bug lurking and enabling some sort of exploit by clever manipulation of said IO. Booting only signed binaries does not enhance the security. You don't need Uncle Sam powers to jailbreak iPhones and iPads. At one moment (I assure it, this is still possible) I jailbroke my iPad just by accessing a cleverly designed website. I.e., no need for physical access; if the jailbreak developer was a malware developer, they could have sent a lot of "Carolina Dieckmann nude pics" links via e-mail, Twitter and Facebook and pwned a lot of iPads and iPhones all around.

So-called "secure" boot means if a key is appropriated by a malware developer, you have a patsy to say "hey, that is Jon's key! Fire him! Sue him!" and CYA.

There is no way -- and there will never be any way, without limiting deeply what computers can do -- to guarantee that all software you have in a computing device is what you think it is and does only what you think it does.

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 19:00 UTC (Mon) by raven667 (subscriber, #5198)

I'm not sure how security is implemented in iOS and whether or not it is directly comparable to this scheme. UEFI secure boot only validates the bootloader; everything beyond that is going to be OS specific and out of scope of UEFI. Other systems have implemented this kind of cryptographically protected security, such as the Sony PS3, and have been very resilient in the face of persistent attack. AFAIK the PS3 has only had one successful attack in 5+ years, and that wasn't able to persist on the system; the secure update mechanism remained intact and was able to clean off the exploit and prevent re-exploitation. I would hope that our rockstar Linux devs could build a system at least as resistant to attack as that, if not more so.

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 19:21 UTC (Mon) by hummassa (subscriber, #307)

> I'm not sure how security is implemented in iOS and whether or not it is directly comparable to this scheme. UEFI secure boot only validates the bootloader, everything beyond that is going to be OS specific and out of scope of UEFI.

That is *exactly* how iOS boot security works. It only loads cryptographically-signed OS images. I.e., except when it's exploited, and then it does not.

> Other systems have implemented this kind of cryptographically protected security, such as the Sony PS3, and have been very resilient in the face of persistent attack. AFAIK the PS3 has only had one successful attack in 5+ years, and that wasn't able to persist on the system, the secure update mechanism remained intact and was able to clean off the exploit and prevent re-exploitation. I would hope that our rockstar Linux devs could build a system at least as resistant to attack as that, if not more so.

Nobody told that to my (still using Linux) PS3.

I have repeated it over and over: I really don't think that writing a general-purpose OS and computer that resists attacks and that would not run *any* unsigned code for a time-frame of two years or more is a possible goal.

The timeframe for iDevice jailbreaks is usually at most two months after a new version of the bootloader is out (the developers usually keep some of the vulnerabilities in the bootloader secret, so when Apple plugs a hole they have another to exploit). This is exactly what will happen in the case of OS-locked general-purpose computers, if they are as popular as iDevices...

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 19:49 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

Until you run out of bugs.

Boot protection on iDevices is half-hearted at best. Apple doesn't really care about you jailbreaking their hardware.

Now, try to jailbreak the Xbox 360 hypervisor - it's impossible or very close to it.

Implementing UEFI Secure Boot in Fedora

Posted Jun 4, 2012 20:13 UTC (Mon) by raven667 (subscriber, #5198)

> That is *exactly* how iOS boot security works. It only loads cryptographically-signed OS images. I.e., except when it's exploited, and then it does not.

I don't think either of us has enough details to speak intelligently on the subject of iOS boot security; the details matter.

> Nobody told that to my (still using Linux) PS3.

So you are both running Linux and recent games, PSN, etc. or did you just stop updating your machine?


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds