Reworking kexec for signatures [LWN.net]

Reworking kexec for signatures

Posted Jun 26, 2014 16:11 UTC (Thu) by raven667 (subscriber, #5198)
In reply to: Reworking kexec for signatures by paulj
Parent article: Reworking kexec for signatures

Not quite. The locally present end user can modify their machine however they wish, the question is can attackers modify the machine remotely without raising any alarm to the end user.

to post comments

Reworking kexec for signatures

Posted Jun 27, 2014 17:01 UTC (Fri) by paulj (subscriber, #341) [Link] (5 responses)

True, at present users can still add their own keys to *some* UEFI key databases or disable SecureBoot on *some* UEFI systems (some UEFI systems do not allow one or both, either by design (e.g. ARM) or by bug/accident).

How long local users will still be allowed to subvert Windows SecureBoot on UEFI PCs, we shall see. I hope I'm proven to be an unnecessarily alarmist skeptic, however the number of systems afflicted by DRM/locked-down-computing seems to keep steadily increasing over the decades, rather than decreasing.

Reworking kexec for signatures

Posted Jun 27, 2014 17:43 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

Which x86 UEFI systems have you seen that shipped with secure boot enabled and have no way to disable secure boot and modify the key database?

Reworking kexec for signatures

Posted Jun 28, 2014 2:14 UTC (Sat) by zlynx (guest, #2285) [Link] (2 responses)

You aren't doing any "subverting" if you turn it off or change the keys. Windows 8 will not boot until reinstalled and then it won't be in secure mode. So it isn't subverted. It just won't work.

I don't deny that there are some motherboard makers that really truly SUCK at software quality control and won't listen to bug reports about non-Windows operating systems. I just don't like the word "subvert" here.

Reworking kexec for signatures

Posted Oct 7, 2014 1:48 UTC (Tue) by linuxrocks123 (subscriber, #34648) [Link] (1 responses)

What? Windows won't boot if you disable SecureBoot? That doesn't sound right ... why wouldn't it just warn you you're not in "secure" mode, disable some DRM shite, and be done with it? I never heard before that it required a REINSTALL!

...and I have a fairly recent system which booted Windows once or twice before I bulldozed it and installed Linux. And it booted with not just Secure Boot disabled but with the legacy BIOS support enabled. What systems have you seen that didn't allow this?

Reworking kexec for signatures

Posted Oct 7, 2014 3:36 UTC (Tue) by mjg59 (subscriber, #23239) [Link]

> That doesn't sound right

It's not right.

Reworking kexec for signatures

Posted Jul 1, 2014 22:47 UTC (Tue) by jwarnica (subscriber, #27492) [Link]

I don't buy systems that have 2 or less DIMM slots; I wouldn't buy a motherboard that doesn't allow UEFI manipulation. Yet my computer today has only 2 of its slots populated, and I might trash the motherboard before I upgrade the memory. I have no plans to ever use the... I have no idea, 38 SW/HW/JOBD SATA ports the beast has. But some people would, apparently, and there is a huge market for hackable systems.

That set-top boxes aren't today easily SW hackable is largely irrelevant; not being able to add memory or an additional drive largely makes them not legitimate targets for playing with. Except outside of some circle-jerk geekathon type scenario.