Garrett: Producing a trustworthy x86-based Linux appliance
Posted Jun 2, 2021 19:39 UTC (Wed) by nim-nim (subscriber, #34454)
In reply to: Garrett: Producing a trustworthy x86-based Linux appliance by st
Parent article: Garrett: Producing a trustworthy x86-based Linux appliance
Well, read the article then. It is *not* a simple or cheap endeavor, it requires quite a lot of infrastructure, there’s no way the casual paranoid user will ever leverage this.
Far cheaper to buy single-use burner hardware, you need scale (and lots of identical systems to protect) to make the thing semi worthwhile.
Posted Jun 2, 2021 22:03 UTC (Wed)
by st (guest, #96477)
Posted Jun 3, 2021 5:12 UTC (Thu)
by gdt (subscriber, #6284)
(6 responses)
It's not all addition of complexity either. Tying disk encryption keys to the mainboard's TPM makes administration of disk encryption simpler since there's no need to find an out-of-band way to enter the keys upon boot. Using your own secure boot keys and deleting the default keys means that stolen laptops can't be re-imaged and resold and provides a positive marker of removal of the laptop from the fleet (firm's keys removed, firm's BIOS password cleared, default keys added, standard OS installed).
On the embedded systems side, it's notable that Cisco and Juniper have vastly improved the integrity checking of their operating systems due to instances of supply-chain attacks (the best-documented of these was in US NSA slides leaked by Snowden).
Posted Jun 3, 2021 6:53 UTC (Thu)
by patrakov (subscriber, #97174)
(5 responses)
I was going to do that on my own machines, but this statement in the Arch wiki has stopped me:
> Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the UEFI/BIOS settings to rectify the situation. This is due to the fact that some device (e.g GPU) firmware is signed using Microsoft's key.
https://wiki.archlinux.org/index.php?title=Unified_Extens...
Is it accurate? How can one check in advance whether it is safe to replace the default keys on a particular desktop or laptop?
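One thing that can be checked in advance is what the firmware's signature database actually contains, so you know which certificates (and which vendor) you are about to drop from db before enrolling your own keys. The following script is an added example for this thread, not code from the article or from any of the commenters: it parses the EFI_SIGNATURE_LIST structures that make up db, dbx and KEK and reports each entry's type, SignatureOwner GUID and SHA-256 fingerprint. It assumes the EFI_SIGNATURE_LIST layout and EFI_CERT_* GUIDs from the UEFI specification, that Linux efivarfs prefixes each variable with four attribute bytes, and that 77fa9abd-0359-4d32-bd60-28f4e78f784b is the SignatureOwner GUID Microsoft's db entries carry; the sample database at the bottom is constructed and its "certificates" are placeholder bytes.

```python
"""Inspect a UEFI Secure Boot signature database (db/dbx/KEK) and report
which certificates and hashes it carries, so you know what you are about to
remove before replacing the default keys.

Added example, not code from the LWN thread or from the article it discusses.
Assumptions: EFI_SIGNATURE_LIST layout and EFI_CERT_* GUIDs as in the UEFI
specification; Linux efivarfs prefixes each variable with 4 attribute bytes;
77fa9abd-0359-4d32-bd60-28f4e78f784b is the SignatureOwner GUID used by
Microsoft's db entries. The sample database below is constructed.
"""
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # assumption

# EFI_SIGNATURE_LIST header: SignatureType (16) + SignatureListSize (4)
# + SignatureHeaderSize (4) + SignatureSize (4)
SIGLIST_HDR = 28


def parse_signature_lists(data: bytes):
    """Return [(type_guid, owner_guid, payload)] for every signature in data."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < SIGLIST_HDR or end > len(data) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sig_off = off + SIGLIST_HDR + hdr_size
        # Every EFI_SIGNATURE_DATA in one list is SignatureSize bytes:
        # a 16-byte SignatureOwner GUID followed by the payload.
        while sig_off + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[sig_off:sig_off + 16])
            entries.append((type_guid, owner, data[sig_off + 16:sig_off + sig_size]))
            sig_off += sig_size
        off = end
    return entries


def summarize(data: bytes):
    """One dict per entry: kind, owner, whether Microsoft-owned, SHA-256 of payload.
    For X.509 entries the SHA-256 of the DER payload is the usual certificate
    fingerprint, so it can be compared against a CA's published fingerprint."""
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    return [{
        "kind": names.get(t, str(t)),
        "owner": str(o),
        "microsoft": o == MICROSOFT_OWNER_GUID,
        "sha256": hashlib.sha256(p).hexdigest(),
    } for t, o, p in parse_signature_lists(data)]


def has_microsoft_entries(data: bytes) -> bool:
    """True if any entry still carries the Microsoft SignatureOwner GUID."""
    return any(r["microsoft"] for r in summarize(data))


def read_efivar(path: str) -> bytes:
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(type_guid, owner, payloads):
    """Pack one EFI_SIGNATURE_LIST; all payloads in a list share one size."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return type_guid.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, sig_size) + body


# Constructed sample db: one Microsoft-owned X.509 entry, one X.509 entry with
# an owner GUID of our own, and a SHA-256 list holding two hashes. The
# "certificates" are placeholder bytes, not real DER.
OWN_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, [b"placeholder-vendor-ca-der"])
    + build_signature_list(EFI_CERT_X509_GUID, OWN_GUID, [b"placeholder-own-ca-der"])
    + build_signature_list(EFI_CERT_SHA256_GUID, OWN_GUID,
                           [hashlib.sha256(b"binary-a").digest(), hashlib.sha256(b"binary-b").digest()])
)

if __name__ == "__main__":
    import sys
    data = read_efivar(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DB
    for row in summarize(data):
        print(f'{row["kind"]:6} owner={row["owner"]} microsoft={row["microsoft"]} '
              f'sha256={row["sha256"][:16]}...')
    print("Microsoft entries present:", has_microsoft_entries(data))
```

Without an argument it walks the constructed sample; on a real machine point it at the efivarfs file for db (`/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, normally readable only as root), or at dbx and KEK. `efi-readvar -v db` from efitools and `mokutil --db` show the same lists with the certificates decoded. What the script cannot tell you is whether a particular add-in card's option ROM is signed under one of those certificates; that remains a property of the device and firmware, which is exactly why a backup of the firmware image before changing keys is prudent on unfamiliar hardware.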
Posted Jun 3, 2021 11:03 UTC (Thu)
by leromarinvit (subscriber, #56850)
(1 response)
1. Buy computer
2. Replace keys
3a. It works? Good!
3b. It doesn't? Return it as broken, because it is. Tell people not to buy $BRAND (or at least $MODEL) and why.
Posted Jun 24, 2021 12:15 UTC (Thu)
by immibis (subscriber, #105511)
3b.iii: sue the store.
3b.iv: lose.
Posted Jun 4, 2021 18:50 UTC (Fri)
by JanC_ (guest, #34940)
Posted Jun 4, 2021 20:54 UTC (Fri)
by thwalker3 (subscriber, #89491)
(1 response)
I've actually had much better luck with this with laptops (Lenovo X1s in particular), presumably because everything is integrated. Tried it on a desktop once and found it wouldn't POST until I removed the 3rd party graphics card because of the MS-signed option ROM. Unfortunately, the MS cert that is used for these ROMs is the same as that used for shim, so leaving it in db means anyone can boot their favorite distro via USB if they can get it into the boot order.
If you're trying this for the first time on hardware that you don't know how it will behave, it is wise to dump the UEFI ROM with an external programmer before you change the keys so that you can restore it to working order if you find that removing the MS cert leaves you with an unbootable system.
Posted Jun 9, 2021 14:16 UTC (Wed)
by JanC_ (guest, #34940)
(If they are separate keys, it would be possible to blacklist it.)
