
Thread: Secure Boot Breaks Kexec, Hibernate Support On Linux

  1. #11

    Misleading headline

    Phoronix, "Secure Boot Breaks Kexec, Hibernate Support On Linux" is a very misleading headline.

    Implementing SB does not 'break' those things. The problem is that those features make it trivial to circumvent SB protections. It's not that these things have to be disabled for SB to 'work'; it's that if you want to have the actual protection of SB, it logically requires that those features be disabled until they are improved from a security perspective. As long as those things are enabled, an attack could circumvent the protections SB is intended to provide.

  2. #12
    Join Date
    Aug 2007
    Posts
    6,675

    Don't you think that when you are root you cant do enough things already?

  3. #13
    Join Date
    Apr 2011
    Posts
    114

    Quote Originally Posted by Kano
    Don't you think that when you are root you cant do enough things already?
    Secure Boot is intended to prevent you booting untrusted bootloaders. A kernel that will execute arbitrary code is effectively an untrusted bootloader. Userspace code, even if run by root, isn't.
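
The gap described in posts #11 and #13 can be checked on a running system. The following is an added example, not code from any poster in this thread; it assumes a current Linux kernel that exposes the lockdown, kexec and power-state interfaces named in the constants, and the function names are illustrative.

```python
import re
from pathlib import Path

# Standard Linux interfaces; the values read from them vary per machine.
SB_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
LOCKDOWN = "/sys/kernel/security/lockdown"
KEXEC_OFF = "/proc/sys/kernel/kexec_load_disabled"
POWER_STATE = "/sys/power/state"

def secure_boot_enabled(raw: bytes) -> bool:
    # efivarfs prefixes the value with a 4-byte attribute word; byte 5 is 1 when SB is on.
    return len(raw) >= 5 and raw[4] == 1

def active_lockdown(text: str) -> str:
    # The kernel brackets the active mode: "none [integrity] confidentiality".
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else "none"

def findings(sb: bool, lockdown: str, kexec_disabled: bool, power_states: str) -> list:
    """Return the paths by which root could still run unverified kernel-mode code."""
    if not sb or lockdown in ("integrity", "confidentiality"):
        return []
    out = []
    if not kexec_disabled:
        out.append("kexec_load is enabled and the kernel is not locked down")
    if "disk" in power_states.split():
        out.append("hibernation is available and the kernel is not locked down")
    return out

def read(path: str, default, binary: bool = False):
    try:
        return Path(path).read_bytes() if binary else Path(path).read_text()
    except OSError:
        return default  # interface missing (feature not built in) or unreadable

if __name__ == "__main__":
    sb = secure_boot_enabled(read(SB_VAR, b"", binary=True))
    mode = active_lockdown(read(LOCKDOWN, "[none]"))
    kexec_off = read(KEXEC_OFF, "1").strip() != "0"
    issues = findings(sb, mode, kexec_off, read(POWER_STATE, ""))
    print(f"secure_boot={sb} lockdown={mode}")
    for line in issues or ["no kexec/hibernate gap found"]:
        print(" -", line)
```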

  4. #14
    Join Date
    Aug 2007
    Posts
    6,675

    Well, you know that you usually can't use precompiled kernel modules for binary drivers? If you sign 'em on your own you usually store the key on the hd - easy to find in the bash history. Basically you can skip this test then when an attacker can find it. One other thing nobody mentioned, several boards can be flashed using flashrom, not all but the number is growing. You have direct access to the firmware then...

  5. #15
    Join Date
    Apr 2011
    Posts
    114

    Quote Originally Posted by Kano
    Well, you know that you usually can't use precompiled kernel modules for binary drivers? If you sign 'em on your own you usually store the key on the hd - easy to find in the bash history. Basically you can skip this test then when an attacker can find it. One other thing nobody mentioned, several boards can be flashed using flashrom, not all but the number is growing. You have direct access to the firmware then...
    Modern boards can't be flashed with flashrom, because the SPI controller will only allow write access when you're in system management mode. You produce a distro, so I guess you get to figure out how you're going to handle key management for third party modules.

  6. #16
    Join Date
    Aug 2007
    Posts
    6,675

    My testboard with EFI Secure Boot can be flashed (the only way I can reset the keys I added), also my ASUS P8Z68-V - I guess all ASUS boards with 64 Mbit flash work with flashrom.

  7. #17
    Join Date
    Apr 2011
    Posts
    114

    Quote Originally Posted by Kano
    My testboard with EFI Secure Boot can be flashed (the only way I can reset the keys I added), also my ASUS P8Z68-V - I guess all ASUS boards with 64 Mbit flash work with flashrom.
    That's nice, but such boards aren't Windows 8 logo compliant.

  8. #18
    Join Date
    May 2008
    Posts
    215

    Having helped with Flashrom, there are two big issues with flashing modern machines:
    1. Laptops
    2. Intel's Management Engine

    The Management Engine is the easier of the two (which is only because there's no generic way to handle the laptop issue). Virtually every manufacturer follows Intel's recommendations on how to lock down the permissions on the various areas of the flash chip, which involve making the ME (Management Engine region) read-only, which is quite a problem because you can't be sure of a successful flash unless you can get the ME to stop itself (and you don't know if there's an ME update inside the update which needs to be applied), and you can't just overwrite the region in software.

    Again, with physical access you can bypass all of these issues, but unless you're prepared to break out a soldering iron, programmer, and ready & able to make backups of your chips, you're stuck.

    Laptops are hard because the BIOS usually shares space with the EC (embedded controller), which controls lots of important things like your keyboard, lighting, battery, and fans. If that goes, you'll probably have a nice brick. You need to know how to stop the EC, which requires datasheets that usually aren't available, and may be missing important info.
    Combine the two, and you've got a nearly impossible situation.
