
A pair of UEFI updates


Posted Feb 3, 2013 0:24 UTC (Sun) by dlang (subscriber, #313)
In reply to: A pair of UEFI updates by mjg59
Parent article: A pair of UEFI updates

hacking every version of every motherboard's BIOS to disable secure boot would be considerably more effort than porting coreboot to each motherboard.

looking at just one version of BIOS for one motherboard, hacking the BIOS is less work, but once you get coreboot running, future changes are much simpler.

I'm not saying that either is a practical option (in addition to what you listed, the manpower required is unreasonable).

but the post I was replying to was asking why some linux person didn't just create a new BIOS version to solve this problem. They have, but their solution does not run on many systems.



A pair of UEFI updates

Posted Feb 3, 2013 0:32 UTC (Sun) by mjg59 (subscriber, #23239)

Nonsense. There's somewhere in the region of 6 secure boot implementations in existence, and most of those are probably based on Intel's. Decompress the firmware image (which is in a conveniently documented format), identify the code block containing the security policy, flip the value, regenerate the checksums, put it back together and then leave it up to the user to figure out how to actually flash it. I can promise you that this is easier than figuring out how a given board's embedded controller is supposed to interface with anything.

A pair of UEFI updates

Posted Feb 3, 2013 0:43 UTC (Sun) by dlang (subscriber, #313)

now you have to do that not only for every motherboard, you have to do it for every BIOS revision released for that motherboard. And when new BIOS updates are released, you have to re-do the hack.

you are talking as if the secure boot is a nicely delineated chunk of the BIOS, when everything is just the optimized binary blob, the location of this chunk may vary from BIOS to BIOS.

the source code implementations may be few, but the resulting binary chunks will vary a lot more.

A pair of UEFI updates

Posted Feb 3, 2013 0:55 UTC (Sun) by mjg59 (subscriber, #23239)

"you are talking as if the secure boot is a nicely delineated chunk of the BIOS, when everything is just the optimized binary blob"

That hasn't been true for a long time. It's completely untrue when it comes to UEFI.

A pair of UEFI updates

Posted Feb 3, 2013 5:23 UTC (Sun) by theophrastus (guest, #80847)

Thank you both. (i think we always learn more watching a spirited discussion than if everyone just tediously agrees)

i lost track of LinuxBIOS and am glad to see that work on it continues. of course, i was thinking more of an unlikely... -patch- to remove, or jumper around, UEFI, instead of the full nuclear option; but that might be the only way in the final analysis. as long as hardware makers are willing to manufacture to suit a narrow, (yet fat), market.

A pair of UEFI updates

Posted Feb 3, 2013 11:22 UTC (Sun) by khim (subscriber, #9252)

You can not "jump around" UEFI because it's the only thing there is.

BIOS is emulated on top of UEFI, not the other way around. Which means that all the hardware is initialized in the UEFI.

