Results 1 to 10 of 18

Thread: Secure Boot Breaks Kexec, Hibernate Support On Linux

Hybrid View

  1. #1
    Join Date
    Jan 2007
    Posts
    15,080

    Default Secure Boot Breaks Kexec, Hibernate Support On Linux

    Phoronix: Secure Boot Breaks Kexec, Hibernate Support On Linux

    A set of "controversial" patches were published by Matthew Garrett this morning for the Linux kernel. One of the patch series will disable the kernel's support for kexec and hibernate support when running in a UEFI Secure Boot environment...

    http://www.phoronix.com/vr.php?view=MTI4NjE

  2. #2
    Join Date
    Aug 2007
    Posts
    6,641

    Default

    Basically Secure Boot with physical access to the system is a joke anyway for several reasons:

    a) You can boot Ubuntu (but not Kubuntu), Fedora and whatever other distro that ships binaries with MS key - then feel free do modifiy whatever you like.

    b) If you use mjg59's shim to add a key/hash it was impossible for me to reset this without reflashing the firmware to a state before. When added it is in for all times (tested with ami uefi - one of the boards tested was an asrock b75 board). So it will always accept your efi binaries.

    c) Some boards like Asrock keep the CSM enabled by default even with Secure Boot on (btw. would you search it under ACPI options???) - just boot via a normal loader.

    d) Even if you don't have a SB enabled iso you can just switch it off in 99% of all cases because there is no firmware password set anyway.

    Even if you only allow signed kernels to be booted from hd you would need to encrypt it. And what protects you from a modified initrd? Maybe it would be more useful to sign that with a personal key, set a uefi password (if it helps - i know boards with password skip jumper...). A tiny bit hard could be a password set on the hd, but when suspend is used that password if often stored as well. Better forget security on local pcs

  3. #3
    Join Date
    Apr 2011
    Posts
    114

    Default

    Yes, Secure Boot does nothing to protect against physical attack. Nobody's ever claimed otherwise.

  4. #4
    Join Date
    Aug 2007
    Posts
    6,641

    Default

    And how to you exploit hibernate remotely? Usually you are already root there to do so...

  5. #5
    Join Date
    Apr 2011
    Posts
    114

    Default

    You can gain root remotely.

  6. #6
    Join Date
    Aug 2012
    Location
    Pennsylvania, United States
    Posts
    1,909

    Default

    Secure Boot is all about protecting against longterm remote exploits (Someone hacks you and replaces a kernel module that you use with one that has a backdoor, or something along those lines) If they've got physical access...you got screwed long before they sat down at your desk.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •