|
|
Subscribe / Log in / New account

updates

updates

Posted Sep 13, 2012 9:41 UTC (Thu) by micka (subscriber, #38720)
Parent article: LSS: Secure Boot

I'm wondering how the key database (those called db and dbx in the article) are updated.
Is the OS able to trigger that update ? Otherwise, I can't see how a key can even be blacklisted.

Another question : if you install your own kek, don't you need to also sign your windows kernel (for example in case of a dual-boot system) ?

And in case of a dual-boot, what happens for example if an update triggered by an OS (in case the first answer is affirmative) blacklists the second one ? How do i upgrade the second one ?

Oww, questions keep piling : What happens if a kek is broken or leaked ? Or a pk ?

Are firmware writer "trusted" to write bug-free firmwares ?

to post comments

updates

Posted Sep 13, 2012 13:36 UTC (Thu) by pjones (subscriber, #31722) [Link] (3 responses)

> I'm wondering how the key database (those called db and dbx in the article) are updated. Is the OS able to trigger that update ? Otherwise, I can't see how a key can even be blacklisted.

It's stored in a variable, and there's an "append only" update to it. The arguments to the /call/ to update it must be signed by a key that's in KEK, which will typically include the platform vendor and MS. So basically we get updates from the CA and apply them.

Of course as a user you can completely disable that if you want, and this is still more of "the plan" than "the implementation" at this point.

> Oww, questions keep piling : What happens if a kek is broken or leaked ? Or a pk ?

Then your vendor ships a firmware update (which is signed by a different PK pair) that removes that key from PK/KEK and adds a new one in. If you're very lucky they don't trash everything else that's there.

> Are firmware writer "trusted" to write bug-free firmwares ?

We certainly expect a time period after the Windows 8 launch in which some exploits are found, but if vendors act responsibly it should taper off as bugs are fixed in individual firmwares and the reference implementation from which they are derived. That's already begun happening, actually.

updates

Posted Oct 5, 2012 10:29 UTC (Fri) by oak (guest, #2786) [Link] (2 responses)

What happens when the blacklist key database gets full?

updates

Posted Oct 5, 2012 13:59 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

It's possible to push out an update that wipes the existing blacklist and instead revokes the key at the root of that trust. That would be inconvenient (everyone with valid signed material would need to get it resigned) but possible.

updates

Posted Oct 5, 2012 15:28 UTC (Fri) by raven667 (subscriber, #5198) [Link]

The only code for which key material is in EFI is code that is run from EFI, firmware and bootloaders, which doesn't get updated very often as a practical matter. Revocations are likely to be rare. Drivers and other OS code which is more likely to have vulnerabilities and patches is handled by whatever OS specific mechanisms each OS decides on.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds