EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

04.07.13

UEFI Restricted Boot No Longer Valid for Security, Keys Leaked

Posted in Antitrust, GNU/Linux, Microsoft, Security at 2:30 pm by Dr. Roy Schestowitz

As much about security as multimedia DRM

Drip

Summary: Antitrust offences with UEFI restricted boot can no longer be defended as an act of enhancing security because keys are leaking

A Fedora developer was the first to embrace Microsoft’s restricted boot, so Fedora was usually ahead of the curve when it comes to it and it shows.

Torvalds criticised Red Hat for complicity with Microsoft [1, 2] after he had slammed restricted boot as something that would not improve security. He was right. Keys were inevitably leaked, leaving UEFI restricted boot (which former Novell/SUSE developers too helped promote) in a position where it is only an antitrust issue and nothing to do with computer security, just protectionism. As one new article puts it, the “Linux Lawsuit Shines Uncomfortable Light on UEFI Standard” and a Restricted Boot proponent leads with this news about UEFI signing keys getting leaked:

A hardware vendor apparently had a copy of an AMI private key on a public FTP site. This is concerning, but it’s not immediately obvious how dangerous this is for a few reasons. The first is that this is apparently the firmware signing key, not any of the Secure Boot keys. That means it can’t be used to sign a UEFI executable or bootloader, so can’t be used to sidestep Secure Boot directly. The second is that it’s AMI’s key, not a board vendor – we don’t (yet) know if this key is used to sign any actual shipping firmware images, or whether it’s effectively a reference key. And, thirdly, the code apparently dates from early 2012 – even if it was an actual signing key, it may have been replaced before any firmware based on this code shipped.

But there’s still the worst case scenario that this key is used to sign most (or all) AMI-based vendor firmware. Can this be used to subvert Secure Boot? Plausibly. The attack would involve producing a new, signed firmware image with Secure Boot either disabled or with an additional key installed, and then to reflash that firmware. Firmware images are very board-specific, so unless you’re engaging in a very targeted attack you either need a large repository of firmware for every board you want to attack, or you need to perform in-place modification.

Now we know that UEFI restrictions had nothing to do with security and eventually became just a competition barrier. Rather than cracking we are seeing leaking as the end of UEFI restricted boot’s (or ‘secure’ boot’s) reputation.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New

  1. Ahead of Supreme Court Decision, the Patent Microcosm is Trying to Scandalise PTAB

    The Patent Trial and Appeal Board (PTAB), which defends many businesses from bogus patents and patent trolls, comes under fire from protectors of the trolls (or those who profit from patent Armageddon/legal chaos)

  2. Benoît Battistelli's Misbehaviour Condemned the UPC to Death

    Press coverage regarding the cause for Germany's decision to halt UPC ratification, with suspension pending in part owing to the serious abuses in Munich and Berlin

  3. The Patent Microcosm is Pushing Hard to Weaken Alice and Revoke PTAB's Authority Using an Upcoming Supreme Court Case

    Patent profiteers (not inventors) continue their shameful campaign against Alice and PTAB now that software patents are in shambles and many get invalidated without them being used litigiously

  4. News About Patents Dominated by Patent Trolls/Aggressors, Their Press Releases, and Sympathisers

    A collection of news items from yesterday, demonstrating just to what degree the narrative of patent trolls (or aggressors) is being spread by paying for distribution

  5. Amazon's 1-Click Patent Continues to Tarnish the Image of the USPTO and of Patents in General

    Public ridicule and scorn over the shallowness of patents granted in the US is inevitable (Amazon has a patent even on white background in photographs), demonstrating that patent maximalism does nobody a favour, only a great disservice to both patenters and the public at large

  6. Bristows LLP Tries Hard to Maintain the Illusion That UPC is Alive, Using Media Placements and Paid Plugs

    Ever-so-desperate efforts to keep the Unitary Patent (UPC) in headlines, even though nothing is happening and nothing is likely to happen any time soon

  7. Links 22/8/2017: Linux 4.13 RC6, Mesa 17.1.7, Wine 2.15, Android O

    Links for the day

  8. IRC Proceedings: July 2nd – July 29th 2017

    Many IRC logs

  9. IRC Proceedings: June 4th – July 1st, 2017

    Many IRC logs

  10. IRC Proceedings: May 7th – June 3rd, 2017

    Many IRC logs

  11. IRC Proceedings: April 9th, 2017 – May 6th, 2017

    Many IRC logs

  12. Patent Scope Recognised as Essential For Patent Quality, But Software Patents Continue to be Granted

    Patents that are toothless, clawless lions are being accumulated by companies that should know various courts would scrutinise these enough to rule them invalid

  13. Litigation and Patenting Versus Research and Development

    reminder of who's 'stealing' jobs from engineers and who it is done for (who benefits from mass taxation rather than actual production)

  14. The Federal Circuit Has Become the Go-To Place For Patent Appeals Arising From USPTO Errors

    Patent appeals that come to CAFC as a result of bad Patent Office decisions now outnumber the appeals coming from district courts (an extraordinary situation)

  15. The Truly Odd Concept of Design Patents, Which the US Supreme Court Might Crush Very Soon

    The epidemic of shallow patents, which has already resulted in patents on mere designs, be soon end; but not before an unprecedented gold rush for such patents

  16. Quality of European Patents Has Sunk, Value Diminished

    The trouble associated with declining patent quality at the European Patent Office and early warnings about it from the staff union

  17. The Notorious 1-Click Buying Patent Expired Rather Than Invalidated

    As proof of the fact that many bogus patents (typically on software) are worthless but not invalidated, we now have Amazon's patents reaching their end of life

  18. PTAB Crushes Software Patents and Patent Extremists Are Not Happy About It

    The Patent Trial and Appeal Board (PTAB), a legal facility which invalidates many software patents, still faces opposition from those who profit from software patents (not software developers)

  19. Software Patents and Patent Trolls Are Almost the Same Problem (Still)

    Apple just got sued again, Microsoft-connected patent trolls continue serial litigation against Microsoft's competitors, and a bike shop gets sued using software patents

  20. Links 20/8/2017: KStars 2.8.1, Fedora Design Interns

    Links for the day

  21. Lack of Independent Judiciary Under the Unitary Patent (Like Boards of Appeal Under Battistelli, in Defiance of the EPC) Will Possibly Kill the Unified Patent Court

    Germany, a key player in UPC negotiations (most patents at stake), cannot proceed to ratification and Britain's expected exit from the European Union further restricts any progress

  22. The Staff Union of the EPO Has Long Warned About Declining Patent Quality

    The quality of granted European Patents (EPs) has been declining sharply and the EPO's staff representatives have warned about it for a long time, only to find themselves severely reprimanded for telling the truth

  23. The EPO's Management Needs a Perception of Security Crisis

    The EPO follows that familiar pattern of writing about every Islamic terror attack in Europe (and in the US too) while media in Munich tells a story where facts are yet uncertain

  24. Links 18/8/2017: Wallpaper of Plasma 5.11, Oracle Liberates Java EE a Bit

    Links for the day

  25. Links 17/8/2017: Krita 3.2.0, New Raspbian GNU/Linux OS

    Links for the day

  26. Corruption at the European Patent Office and Systematic Bullying That Leads People to Suicide/Bankruptcy

    A look back at 3 years of intensive EPO coverage and what's coming up next (suppression of truth behind closed doors in the courtrooms)

  27. Supreme Court Decision on TC Heartland v Kraft Food Brands Group Already Vacates the Eastern District of Texas

    Patent trolls are losing their mojo as patent lawsuits drop 21% in the Eastern District of Texas and this collapse is expected to accelerate

  28. Media Dominated by the Patent Microcosm Spreads Myths and Defends Patent Trolls, Collectors

    Popular culture myths, such as Edison being a prolific inventor, and what we all ought to know about an actual patent epidemic (vast increase in the number of patents granted, bringing the total to over 10 million in the US)

  29. The Patent Trial and Appeal Board Squashes Many Software Patents (Abstract) and §101 Seems Safe From Lobbying by the Patent Microcosm

    The Patent Trial and Appeal Board (PTAB), together with the Alice-inspired §101, is an efficient eliminator of bogus patents on software and there is no end to that in sight

  30. Ericsson Hired From the World's Largest Patent Troll and Became a Massive Troll in Europe

    Ericsson's patent aggression campaign (even in Europe) carries on; it turns out the person behind this strategy came from Intellectual Ventures

CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts