Bonum Certa Men Certa

UEFI Restricted Boot No Longer Valid for Security, Keys Leaked

As much about security as multimedia DRM

Drip



Summary: Antitrust offences with UEFI restricted boot can no longer be defended as an act of enhancing security because keys are leaking

A Fedora developer was the first to embrace Microsoft's restricted boot, so Fedora was usually ahead of the curve when it comes to it and it shows.



Torvalds criticised Red Hat for complicity with Microsoft [1, 2] after he had slammed restricted boot as something that would not improve security. He was right. Keys were inevitably leaked, leaving UEFI restricted boot (which former Novell/SUSE developers too helped promote) in a position where it is only an antitrust issue and nothing to do with computer security, just protectionism. As one new article puts it, the "Linux Lawsuit Shines Uncomfortable Light on UEFI Standard" and a Restricted Boot proponent leads with this news about UEFI signing keys getting leaked:

A hardware vendor apparently had a copy of an AMI private key on a public FTP site. This is concerning, but it's not immediately obvious how dangerous this is for a few reasons. The first is that this is apparently the firmware signing key, not any of the Secure Boot keys. That means it can't be used to sign a UEFI executable or bootloader, so can't be used to sidestep Secure Boot directly. The second is that it's AMI's key, not a board vendor - we don't (yet) know if this key is used to sign any actual shipping firmware images, or whether it's effectively a reference key. And, thirdly, the code apparently dates from early 2012 - even if it was an actual signing key, it may have been replaced before any firmware based on this code shipped.

But there's still the worst case scenario that this key is used to sign most (or all) AMI-based vendor firmware. Can this be used to subvert Secure Boot? Plausibly. The attack would involve producing a new, signed firmware image with Secure Boot either disabled or with an additional key installed, and then to reflash that firmware. Firmware images are very board-specific, so unless you're engaging in a very targeted attack you either need a large repository of firmware for every board you want to attack, or you need to perform in-place modification.


Now we know that UEFI restrictions had nothing to do with security and eventually became just a competition barrier. Rather than cracking we are seeing leaking as the end of UEFI restricted boot's (or 'secure' boot's) reputation.

Recent Techrights' Posts

Microsoft's Chatbot Strategy Resulted in Massive Losses, So Now It's Trying to Reinvent Itself as 'Hardware Company' (Once Again, Years After XBox, KIN, Windows Phone and Surface Failed Miserably)
revenues associated with Windows has fallen sharply
This Week's Letter to António Campinos About Mean-Spirited Line Managers at the European Patent Office (EPO)
Seems like a way to get rid of staff. Some will resign in anger.
 
Links 23/02/2024: 227 Microsoft Layoffs Noted in Santa Clara and Disaster in Rivian
Links for the day
IRC Proceedings: Thursday, February 22, 2024
IRC logs for Thursday, February 22, 2024
Over at Tux Machines...
GNU/Linux news for the past day
[Meme] It's NOT Your PC
losing control of hardware
Gemini Links 22/02/2024: Removing Radio Ads and Being Seen on the Internet
Links for the day
Mark Shuttleworth and the Question of Liability (Debian Volunteers He Pressured Before the Suicides)
Humanity for me
Mark Shuttleworth's (MS) Canonical Running Microsoft (MS) Ads, Mischaracterising Mass Surveillance as 'Confidential' (the Usual Lie)
The money talks, so the facts are absent
Ads as 'Articles'
Money buys perception manipulation (or reputation laundering) campaigns
Abraham Raji & Debian, DebConf kayak death: search abandoned, evading liability
Reprinted with permission from Daniel Pocock
Links 22/02/2024: Chatbots Failing 'Big Time' and More Condemnations Appear of Bill Gates
Links for the day
There May be Close to 100,000,000 Laptops and Desktops Running GNU/Linux Around the World in 2024
hard to track the number
Search Engine Market Share Worldwide Shows How Badly Microsoft's Chatbot Strategy (Hopes) and Vapourware Have Failed
Bing, which was marketed as the forefront "product" for chatbots (Microsoft paid the media a lot of money for hype campaigns), gained nothing at Google's expense
[Meme] Demoralising and Putting Down Your Staff
unproductive and dangerous approach
Software in the Public Interest (SPI) & Debian obfuscated structure fooled suicide victim's family: the ultimate example of bad faith
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, February 21, 2024
IRC logs for Wednesday, February 21, 2024
Gemini Links 22/02/2024: What We Pass On and HTTP Header Viewer
Links for the day
Manuel Estrada Sainz (ranty), Andres Garcia (ErConde) & Debian Deaths overworking
Reprinted with permission from Daniel Pocock
GNU/Linux Rising to 8% of Desktops/Laptops in Jordan?
what statCounter shows
[Meme] If Iraq Launches an Investigation Into How Microsoft Bought OpenAI Without Paying for It
fake "money" from Microsoft
Windows Has Fallen to 13% Market Share in Iraq (It was 100% Just 15 Years Ago), GNU/Linux Rose Sharply in Recent Years
In recent years Iraq was developing its own GNU/Linux distro
Springtime is Next, Here's What We Plan for March and April
This month and next month we expect to publish something unique about EPO abuses every day
Studying the Freedom of firefox-123.0.tar.bz2
The "F" in Firefox
Abraham Raji, Jens Schmalzing & debian-private cover-ups after deaths, accidents, suicides
Reprinted with permission from Daniel Pocock
Microsoft Bribes, Keeping Regulators at Bay
crime and corruption
[Meme] The Quotas Came From Above
EPO targets
EPO Talent Planning & Architecture is Another Attack on EPO Staff and the Central Staff Committee (CSC) Explains Why
ignore the flowery words
[Meme] Just Following Orders From "The Fu**ing President" António Campinos
Salary? OBEY!
Links 21/02/2024: China Working on West-less Tech Future, More Bounties on Patent Troll Leigh M. Rothschild (Which IBM et al Failed to Dismantle at the Root)
Links for the day
Links 21/02/2024: Encryption Backdoors Deemed Not Legal, Decentralised Web Under Attack
Links for the day
Games:Steam Audio as Free Software, Hazard Pay, ChipWits, and More
7 stories for today
Julian Assange, Wikileaks & Debian-private
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, February 20, 2024
IRC logs for Tuesday, February 20, 2024
Links 21/02/2024: Microsoft Sued for Monopolistic Policies, More Layoffs Planned for Next Month
Links for the day