Garrett: Secure Boot and Restricted Boot

Posted Apr 10, 2013 6:43 UTC (Wed) by paulj (subscriber, #341)
In reply to: Garrett: Secure Boot and Restricted Boot by mathstuf
Parent article: Garrett: Secure Boot and Restricted Boot

That's one legitimate use-case, agreed. With that in mind, I wrote "user-owner" in some previous comments. :)

Personally, I'm happy to forgo this use-case. I don't think the non-owner-user should necessarily be limited from using the device either. Further, generally it'd be better to restrict sensitive software to stay on owner-controlled servers as much as possible, rather than rely on "Restricted Boot", from a security perspective. When the device is returned, the owner can wipe and re-install.


Garrett: Secure Boot and Restricted Boot

Posted Apr 10, 2013 14:08 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (3 responses)

> When the device is returned, the owner can wipe and re-install.

How do you know that you didn't just install to some malicious hypervisor? That's what Secure Boot helps with. With a blue pill virus, you have to wipe BIOS to be sure you are running what you installed. And if the user had full access, that's certainly a possibility.

Garrett: Secure Boot and Restricted Boot

Posted Apr 10, 2013 20:30 UTC (Wed) by paulj (subscriber, #341) [Link]

Yes, "Secure Boot" would make "blue pill" harder, and provide a window during which to be able to detect OS subversion. However, you don't need "Secure Boot" to wipe & re-install - firmware usually provides a way to do this independent of any existing media.

If you say the firmware could be exploited then "Secure Boot" might not help either, if there is any unsigned, modifiable data that is parsed by the firmware. The firmware then may be as open to re-exploitation as the base OS.

Garrett: Secure Boot and Restricted Boot

Posted Apr 10, 2013 20:33 UTC (Wed) by paulj (subscriber, #341) [Link]

Oh, the Linux Foundation shim loader should make blue pill attacks viable, even with "Secure Boot". So we'll see how long it stays signed and usable...

Garrett: Secure Boot and Restricted Boot

Posted Apr 10, 2013 21:36 UTC (Wed) by PaXTeam (guest, #24616) [Link]

> How do you know that you didn't just install to some malicious hypervisor?

hypervisors are trivial to detect, no need for SB.
