EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

04.07.13

UEFI Restricted Boot No Longer Valid for Security, Keys Leaked

Posted in Antitrust, GNU/Linux, Microsoft, Security at 2:30 pm by Dr. Roy Schestowitz

As much about security as multimedia DRM

Drip

Summary: Antitrust offences with UEFI restricted boot can no longer be defended as an act of enhancing security because keys are leaking

A Fedora developer was the first to embrace Microsoft’s restricted boot, so Fedora was usually ahead of the curve when it comes to it and it shows.

Torvalds criticised Red Hat for complicity with Microsoft [1, 2] after he had slammed restricted boot as something that would not improve security. He was right. Keys were inevitably leaked, leaving UEFI restricted boot (which former Novell/SUSE developers too helped promote) in a position where it is only an antitrust issue and nothing to do with computer security, just protectionism. As one new article puts it, the “Linux Lawsuit Shines Uncomfortable Light on UEFI Standard” and a Restricted Boot proponent leads with this news about UEFI signing keys getting leaked:

A hardware vendor apparently had a copy of an AMI private key on a public FTP site. This is concerning, but it’s not immediately obvious how dangerous this is for a few reasons. The first is that this is apparently the firmware signing key, not any of the Secure Boot keys. That means it can’t be used to sign a UEFI executable or bootloader, so can’t be used to sidestep Secure Boot directly. The second is that it’s AMI’s key, not a board vendor – we don’t (yet) know if this key is used to sign any actual shipping firmware images, or whether it’s effectively a reference key. And, thirdly, the code apparently dates from early 2012 – even if it was an actual signing key, it may have been replaced before any firmware based on this code shipped.

But there’s still the worst case scenario that this key is used to sign most (or all) AMI-based vendor firmware. Can this be used to subvert Secure Boot? Plausibly. The attack would involve producing a new, signed firmware image with Secure Boot either disabled or with an additional key installed, and then to reflash that firmware. Firmware images are very board-specific, so unless you’re engaging in a very targeted attack you either need a large repository of firmware for every board you want to attack, or you need to perform in-place modification.

Now we know that UEFI restrictions had nothing to do with security and eventually became just a competition barrier. Rather than cracking we are seeing leaking as the end of UEFI restricted boot’s (or ‘secure’ boot’s) reputation.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Links 19/4/2014: Slow Easter News Day

    Links for the day



  2. Links 18/4/2014: New KDE, Kubuntu, and More

    Links for the day



  3. Some Perspective on Heartbleed®

    Our views on the whole Heartbleed® bonanza, which seems like partly a PR stunt (for multiple stakeholders)



  4. Microsoft is Leaving Windows -- Including Vista 8.1 -- Vulnerable to Non-Government Crackers, Not Only to NSA

    Microsoft makes it ever more evident that securing users of Windows is not at all a priority, and perhaps not even a desire



  5. Links 17/4/2014: Android RDP, New Ubuntu, RHEL 7 Milestone

    Links for the day



  6. Racing to 1984: Mass Surveillance, Cracking, 'Targeted' Assassinations, and Illegal Torture

    Links for the day



  7. More Microsoft Subsidies to Patent Troll Intellectual Ventures

    Microsoft hands money to Bill Gates' close friend who is the world's largest patent troll



  8. Aiding Microsoft Under the Disguise of 'Pro-FOSS'

    Not everything which is FOSS necessary becomes, by virtue of existence, a positive contribution, as we are constantly reminded by projects that help proprietary software and/or restrictions get a strong grip on FOSS



  9. Links 16/4/2014: Red Hat PR, Ubuntu LTS Imminent

    Links for the day



  10. Links 15/4/2014: Lots of PCLinuxOS Releases, Ukraine Updates

    Links for the day



  11. Apple and Microsoft Actively Lobbying Against Patent Reform in the US

    Apple and Microsoft are reportedly intervening/interfering with US law in order to ensure that the law is Free/libre software-hostile



  12. Lawsuit by Microsoft Shareholder Targets Fine for Crimes Rather Than the Crimes Themselves

    A new lawsuit by a Microsoft shareholder shows everything that's wrong with today's model of accountability, where those who are responsible for crimes are accused of not avoiding fines rather than committing the crimes



  13. Public Institutions Must Dump PRISM-Associated Software

    Another reminder that taxpayers-subsidised services should refuse, as a matter of principle, to pay anything for -- let alone deploy -- proprietary software with back doors



  14. GNU/Linux News: The Opportunities Amid XP EOL

    Links for the day



  15. Microsoft Gets Its Money's Worth From Xamarin: PlayStation 4 Now Polluted by Microsoft

    The Trojan horse of Microsoft, Xamarin, is pushing .NET into Microsoft's console competitor



  16. After Brendan Eich Comes Chris Beard

    Having removed Brendan Eich using bullying and blackmail tactics, his foes inside Mozilla achieved too little as we have yet another man (coming from inside Mozilla) acting as CEO



  17. Healthcare News: Free Software in Health, Humanitarian Causes

    Links for the day



  18. Links 14/4/2014: MakuluLinux, Many Games, More Privacy News and Pulitzer Prize for NSA Revelations

    Links for the day



  19. TechBytes Episode 87: Catching up With Surveillance (NSA, GCHQ et al.)

    The first audio episode in a very long time covers some of the latest happenings when it comes to privacy and, contrariwise, mass surveillance



  20. Server News: KVM, ElasticHosts, Other GNU/Linux Items, and Open Network Linux

    Links for the day



  21. Hardware News: Freedom, Modding, Hackability on the Rise

    Links for the day



  22. Distributions News: GNU/Linux Distros

    Links for the day



  23. GNOME News: Financial Issues, Mutter-Wayland, West Coast Summit, Community Participation

    Links for the day



  24. KDE News: Kubuntu at the Centre Again KDE Applications Updated

    Links for the day



  25. Techrights Rising

    Effective immediately, Techrights will do what it takes to bring back old volume and pace of publishing



  26. Links: Surveillance, Intervention, Torture and Drones

    Links for the day



  27. Mobile Linux Not Just Android: Jolla, WebOS, and Firefox OS News

    Links for the day



  28. Google's Linux Revolution: New Gains for Android, Chrome OS (GNU/Linux)

    Links for the day



  29. Free/Libre Databases News: MongoDB, NoSQL, and MySQL Branches/Forks

    Links for the day



  30. Open Access on the Rise: Textbooks, Journals, Etc.

    Links for the day


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts