This is only a risk for Linux users that have not patched their boot packages in the last 2 years
This is only a risk for Linux users that have not patched their boot packages in the last 2 years
Posted Aug 21, 2024 20:58 UTC (Wed) by dskoll (subscriber, #1630)In reply to: This is only a risk for Linux users that have not patched their boot packages in the last 2 years by mussell
Parent article: "Something has gone seriously wrong," dual-boot systems warn after Microsoft update (Ars Technica)
One scenario that you might worry about is PCs that have physical access by not entirely trustworthy people. Think library catalog workstations or Internet access machines, for example.
This is very difficult to defend against for sure, but secure boot is a part of the defense.
Posted Aug 21, 2024 21:13 UTC (Wed)
by yeltsin (guest, #171611)
[Link] (5 responses)
Posted Aug 21, 2024 21:16 UTC (Wed)
by mb (subscriber, #50428)
[Link] (4 responses)
The UEFI boot source settings.
Posted Aug 21, 2024 21:26 UTC (Wed)
by yeltsin (guest, #171611)
[Link] (3 responses)
And "secure" boot helps here… how? Either you allow booting from USB devices (and other sources), and the bad guy can boot into any signed image, even if it's the Windows installer (where you can get a shell and do whatever to the system), or you don't snd secure boot is simply unnecessary.
I'm not claiming the world doesn't need it, but I haven't found a use case for it during the 10 or 12 years it's been around, and remembering how much concern it raised when it was introduced I have a feeling we somehow talked ourselves into believing it's a good thing since it was forced down upon us.
Posted Aug 21, 2024 21:30 UTC (Wed)
by mb (subscriber, #50428)
[Link]
It's not supposed to.
Posted Aug 22, 2024 15:32 UTC (Thu)
by pflugstad (subscriber, #224)
[Link] (1 responses)
If I disable secure boot, I no longer have access to the TPM keys, so I cannot access the C: drive.
I'm sure there are holes in this, but I think that's the main reason.
So this makes your basic evil maid attack more difficult.
Posted Aug 23, 2024 21:40 UTC (Fri)
by NYKevin (subscriber, #129325)
[Link]
The upshot is that you only have to type your password once (at login time) instead of twice (once at boot to decrypt, and then once at login), while still getting nearly all of the protection of full disk encryption, plus rate-limiting and some ability to deploy additional countermeasures in software (e.g. you can remotely log all login attempts, remotely wipe lost or stolen devices, etc.). While businesses generally tend to be more interested in those use cases than consumers, end users do benefit from smartphones becoming harder to steal.
The only attack I can think of that fails against traditional full disk encryption but might succeed against TPM-based encryption is a cold boot attack. Apparently at least one group has demonstrated[1] that this is possible. But that paper was presented over 15 years ago,[2] so modern systems might use TPMs differently. On top of that, modern smartphones are accidentally highly tamper evident (because manufacturers value thinness over repairability and use glue instead of more reasonable construction techniques).
[1]: https://www.usenix.org/legacy/event/sec08/tech/full_paper...
Posted Aug 22, 2024 0:53 UTC (Thu)
by raven667 (subscriber, #5198)
[Link]
This is only a risk for Linux users that have not patched their boot packages in the last 2 years
This is only a risk for Linux users that have not patched their boot packages in the last 2 years
This is only a risk for Linux users that have not patched their boot packages in the last 2 years
This is only a risk for Linux users that have not patched their boot packages in the last 2 years
BitLocker encryption
BitLocker encryption
[2]: https://www.usenix.org/legacy/events/sec08/sec08_sponsor.pdf
This is only a risk for Linux users that have not patched their boot packages in the last 2 years