
No signed kernel, just a signed boot loader

Posted Jun 24, 2012 17:33 UTC (Sun) by mjg59 (subscriber, #23239)
In reply to: No signed kernel, just a signed boot loader by droundy
Parent article: Details on Ubuntu's UEFI secure boot plan

No. If they directly alter the Windows bootloader or kernel then booting Windows will fail. If they alter Windows userspace then the malware checking code that's started before any other userspace will notice.


No signed kernel, just a signed boot loader

Posted Jun 25, 2012 21:00 UTC (Mon) by dashesy (guest, #74652)

> If they alter Windows userspace then the malware checking code that's started before any other userspace will notice.

Sure, it should not be hard to fool the malware checking code into believing that nothing has been tinkered with; otherwise we would already have perfect anti-malware, but we do not.

If a Windows user-space program can be changed, the Windows registry hives would be the target. The registry, among other things, controls many aspects of the NT kernel and some drivers, and maybe secure boot itself.

BTW, I am not sure Microsoft can afford to deny its superusers the ability to change the registry, because in the practical world one will most likely need it.

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 21:12 UTC (Mon) by raven667 (subscriber, #5198)

Sure, anti-malware isn't perfect, but if the system is thoroughly owned before the anti-malware starts and lies to it, then you don't even have a chance. At least you have a small base system that's likely to be intact, which you can defend from before malware has a chance to subvert the system.

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 22:47 UTC (Mon) by dashesy (guest, #74652)

True, but if secure boot relies on some sort of access controls or file protection (applied by the NT kernel), any root access to the file system can be used to circumvent the integrity of the entire system. The OS kernel alone is not interesting. Malware can, for example, add its own root certificate and set up a startup service to install a driver on the next boot; there are probably some more creative ways to achieve the same thing.

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 23:01 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

No it can't. Device drivers (and other critical system code) have to be signed.

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 23:22 UTC (Mon) by dashesy (guest, #74652)

I am assuming the malware is running under a legitimate Linux kernel (with no bugs), messing with the Windows partition with full access rights. So something like DISABLE_INTEGRITY_CHECKS in boot.ini no longer works on Windows 8? Also, root can no longer use CertMgr to add a custom certificate for custom-signed drivers?

My point is that, with the complexity of NT, by having root access to those bits and bytes the attack surface is so tremendous that there is probably no need for an unsigned Linux kernel.

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 23:27 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

> I am assuming the malware is running under a legitimate Linux kernel (with no bugs), messing with the Windows partition with full access rights. So something like DISABLE_INTEGRITY_CHECKS in boot.ini no longer works on Windows 8? Also, root can no longer use CertMgr to add a custom certificate for custom-signed drivers?

Nope. Neither DISABLE_INTEGRITY_CHECKS nor installing your own certificates will work if secure boot is enabled.

Drivers have to be signed by MS's certificate to be installable.

> My point is that, with the complexity of NT, by having root access to those bits and bytes the attack surface is so tremendous that there is probably no need for an unsigned Linux kernel.
There will be vulnerabilities, of course. But MS took care to close all the obvious loopholes.

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 23:27 UTC (Mon) by mjg59 (subscriber, #23239)

DISABLE_INTEGRITY_CHECKS no longer works unless you disable secure boot. Ditto any custom certificates.

No signed kernel, just a signed boot loader

Posted Jun 26, 2012 6:45 UTC (Tue) by slashdot (guest, #22014)

How about just installing a Windows service or putting something in the Startup folder or CurrentVersion\Run or /etc/init or .config/autostart in Linux, etc.?

Will anything prevent that software from starting and then going full screen and imitating the normal Windows GUI while behaving arbitrarily at the discretion of the malware writer?

If they block any autostart of non-Microsoft-signed programs, they'll break a ton of existing setups; otherwise, secure boot will provide no security whatsoever.
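The two checks the thread keeps coming back to (whether secure boot is on and the BCD integrity switches are really off, per mjg59's reply about DISABLE_INTEGRITY_CHECKS, and whether anything stops an unsigned Run-key autostart, per the post above) can be run from an elevated PowerShell on a Windows 8 or later UEFI host. This is an added example, not code from the LWN thread or from Microsoft; it assumes `Confirm-SecureBootUEFI`, `bcdedit` and `Get-AuthenticodeSignature` are available, and it parses the `bcdedit` output as plain English text, which is locale-dependent. The function and variable names are this example's own.

```powershell
# Added example (not from the LWN thread). Reports: Secure Boot state, the
# nointegritychecks/testsigning BCD switches, and the Authenticode status of
# every per-machine and per-user Run/RunOnce autostart. Assumes elevated
# PowerShell on UEFI firmware and English-language bcdedit output.

function Get-SecureBootState {
    try {
        # Throws on legacy BIOS or firmware without the Secure Boot variables.
        return [bool](Confirm-SecureBootUEFI)
    } catch {
        return $null   # not UEFI / not supported on this machine
    }
}

function Get-BcdIntegrityFlags {
    # With Secure Boot on, neither switch is honoured even if it appears here.
    $text = (& bcdedit /enum '{current}') -join "`n"
    [pscustomobject]@{
        NoIntegrityChecks = [bool]($text -match '(?im)^\s*nointegritychecks\s+Yes')
        TestSigning       = [bool]($text -match '(?im)^\s*testsigning\s+Yes')
    }
}

function Resolve-AutostartExecutable([string]$cmd) {
    # Extract the executable from a Run-value command line: a quoted path,
    # a path ending in a known extension, or the first whitespace token.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $m = [regex]::Match($cmd, '^(.*?\.(exe|cmd|bat|vbs|ps1|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-RunKeyAutostarts {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc.
            $cmd = [string]$p.Value
            $exe = Resolve-AutostartExecutable $cmd
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                Get-AuthenticodeSignature -FilePath $exe
            } else { $null }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Path      = $exe
                SigStatus = if ($sig) { $sig.Status.ToString() } else { 'NotFound' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

"Secure Boot enabled: $(Get-SecureBootState)"
Get-BcdIntegrityFlags | Format-List
Get-RunKeyAutostarts | Format-Table -AutoSize Key, Name, SigStatus, Signer
```

Entries with `SigStatus` of `NotSigned` still launch at logon whatever the Secure Boot state says: the firmware signature chain stops at the boot loader and kernel, which is why the thread's answer for user space is the malware checking code started before any other user space, not secure boot itself.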

No signed kernel, just a signed boot loader

Posted Jun 26, 2012 13:29 UTC (Tue) by mjg59 (subscriber, #23239)

Windows starts the malware checking code before it launches any other userspace.

No signed kernel, just a signed boot loader

Posted Jun 25, 2012 23:12 UTC (Mon) by mjg59 (subscriber, #23239)

Yes, so it's a good thing that secure boot doesn't rely on that. Really, commenting on this without at least skimming the spec does not further the discussion.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds