
Bottomley: Owning your Windows 8 UEFI Platform

Posted Feb 18, 2013 19:53 UTC (Mon) by hummassa (guest, #307)
In reply to: Bottomley: Owning your Windows 8 UEFI Platform by dsommers
Parent article: Bottomley: Owning your Windows 8 UEFI Platform

> True too. But you then ignore that secure boot removes an attack vector.

No, it doesn't, and the proof of that is the jailbreaks of Apple's products. One of them used a simple crafted PDF that subverted the "secure boot" infrastructure.

> That attack vector has not been used as much as it was during the DOS times,

This has a reason: while it may be practical in an embedded and usually homogeneous environment, in a standard-PC env, the attacker must have code to read every one of the one hundred different filesystems if he wants to compromise the system via boot. IOW, the attacker must be an entire OS.

> where BIOS vendors after a while added features to block writes to the boot sector.

This had not deterred, nor even slowed down, malware at that time (yes, I am that old), and it was considered just a nuisance because it made NECESSARY system updates difficult; you know, to patch vulnerabilities &c... Many, many people turned this off in BIOS. Ah, and once you entered another OS, this was not effective because the other OS bypassed BIOS and talked directly to the hardware. THAT is the reason this is not in effect in today's PCs...

> Secure boot ensures that the core OS loaded is unmodified.

Yes. But from a security standpoint, this would ONLY be a good thing if the core OS loaded was PROVEN secure. If you load a Swiss cheese of vulnerabilities, unmodified, this is a BAD thing.

> Which can even be seen as an extension of this old "don't write to boot sector" feature.

Yes. Equally ineffective, equally a nuisance, equally time-consuming for no good reason.



Bottomley: Owning your Windows 8 UEFI Platform

Posted Feb 18, 2013 20:21 UTC (Mon) by raven667 (subscriber, #5198)

>> True too. But you then ignore that secure boot removes an attack vector.
>No, it doesn't, and the proof of that is the jailbreaks of Apple's products. One of them used a simple crafted PDF that subverted the "secure boot" infrastructure.

Are you sure? Are you saying that there were jailbreaks that were permanent and that can't be removed or detected and that persist across reboots and upgrades of the OS? Are you sure it was the boot infrastructure that was being bypassed, rather than the OS kernel?

>> Secure boot ensures that the core OS loaded is unmodified.
>Yes. But from a security standpoint, this would ONLY be a good thing if the core OS loaded was PROVEN secure. If you load a Swiss cheese of vulnerabilities, unmodified, this is a BAD thing.

That is an absurd position to take, because you and I both know that the OS kernel is not and never will be "proven" secure. Also, this is not a claim which is being made by secure boot proponents or by the spec, so defending against claims which weren't made is the creation of a straw man on your part.

Secure Boot can only help prevent permanent, undetectable modification of the firmware and stage 1 bootloader by those not authorized by the system owner (such as malware). What the OS kernel and later code does with this known good system state is up to the implementor; usually they are going to want to push the known good state as far as they can (until arbitrary code which can be under the control of an attacker is run and re-compromises the system), by doing their own signature checking and whatnot.
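The chain-of-trust model described in this comment, as an added illustration that is not part of the thread or of any firmware's code: each accepted stage vets the next one against its own allow/deny lists (here by SHA-256 hash, as UEFI db/dbx entries can be), so the "known good" state extends exactly as far as the last stage that bothers to check, and revocation (dbx) or a tampered image halts the hand-off. The stage names, images and hash lists are constructed stand-ins; the `Stage` class and `boot` function are hypothetical.

```python
import hashlib

def digest(image: bytes) -> str:
    """SHA-256 of a stage image; UEFI db/dbx entries may hold exactly such hashes."""
    return hashlib.sha256(image).hexdigest()

class Stage:
    """One link in the chain (hypothetical model). allow/deny are the lists this stage
    applies to the NEXT image; allow=None means it hands off without any check."""
    def __init__(self, name, image, allow=None, deny=()):
        self.name, self.image = name, image
        self.allow = None if allow is None else set(allow)
        self.deny = set(deny)

def boot(fw_db, fw_dbx, stages):
    """Simulate the hand-offs: the firmware (db/dbx) vets the first stage, and each
    accepted stage vets the one after it. Returns (verified, unverified, rejected):
    stages checked before running, stages run unchecked, and the first rejected one."""
    allow, deny = set(fw_db), set(fw_dbx)
    verified, unverified = [], []
    for st in stages:
        if allow is None:                 # previous link does no checking: assurance stops
            unverified.append(st.name)
        else:
            h = digest(st.image)
            if h in deny or h not in allow:
                return verified, unverified, st.name
            verified.append(st.name)
        allow, deny = st.allow, st.deny   # the accepted stage becomes the next verifier
    return verified, unverified, None

# Constructed stand-in images for a bootloader, a kernel and user-space init.
BOOTLOADER, KERNEL, INIT = b"bootloader v1", b"kernel v1", b"init v1"
TAMPERED_KERNEL = b"kernel v1 + implant"
DB, DBX = {digest(BOOTLOADER)}, set()

def chain(kernel_image=KERNEL, kernel_allow=None, fw_dbx=DBX):
    stages = [Stage("bootloader", BOOTLOADER, allow={digest(KERNEL)}),
              Stage("kernel", kernel_image, allow=kernel_allow),
              Stage("init", INIT)]
    return boot(DB, fw_dbx, stages)

def good_boot():          # every hand-off verified
    return chain(kernel_allow={digest(INIT)})
def tampered_kernel():    # bootloader refuses the modified kernel
    return chain(kernel_image=TAMPERED_KERNEL, kernel_allow={digest(INIT)})
def kernel_no_checks():   # kernel runs init unchecked: known-good state ends at the kernel
    return chain()
def revoked_bootloader(): # firmware dbx revokes the bootloader hash
    return chain(kernel_allow={digest(INIT)}, fw_dbx={digest(BOOTLOADER)})
```

The `kernel_no_checks` case is the point made above: nothing after the last verifying stage is covered, no matter how good the firmware's own checks are.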


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds