UEFI Restricted Boot No Longer Valid for Security, Keys Leaked

Dr. Roy Schestowitz

2013-04-07 19:30:26 UTC
Modified: 2013-04-07 20:01:45 UTC

As much about security as multimedia DRM

Drip

Summary: Antitrust offences with UEFI restricted boot can no longer be defended as an act of enhancing security because keys are leaking

A Fedora developer was the first to embrace Microsoft's restricted boot, so Fedora was usually ahead of the curve when it comes to it and it shows.

Torvalds criticised Red Hat for complicity with Microsoft [1, 2] after he had slammed restricted boot as something that would not improve security. He was right. Keys were inevitably leaked, leaving UEFI restricted boot (which former Novell/SUSE developers too helped promote) in a position where it is only an antitrust issue and nothing to do with computer security, just protectionism. As one new article puts it, the "Linux Lawsuit Shines Uncomfortable Light on UEFI Standard" and a Restricted Boot proponent leads with this news about UEFI signing keys getting leaked:

A hardware vendor apparently had a copy of an AMI private key on a public FTP site. This is concerning, but it's not immediately obvious how dangerous this is for a few reasons. The first is that this is apparently the firmware signing key, not any of the Secure Boot keys. That means it can't be used to sign a UEFI executable or bootloader, so can't be used to sidestep Secure Boot directly. The second is that it's AMI's key, not a board vendor - we don't (yet) know if this key is used to sign any actual shipping firmware images, or whether it's effectively a reference key. And, thirdly, the code apparently dates from early 2012 - even if it was an actual signing key, it may have been replaced before any firmware based on this code shipped.

But there's still the worst case scenario that this key is used to sign most (or all) AMI-based vendor firmware. Can this be used to subvert Secure Boot? Plausibly. The attack would involve producing a new, signed firmware image with Secure Boot either disabled or with an additional key installed, and then to reflash that firmware. Firmware images are very board-specific, so unless you're engaging in a very targeted attack you either need a large repository of firmware for every board you want to attack, or you need to perform in-place modification.

Now we know that UEFI restrictions had nothing to do with security and eventually became just a competition barrier. Rather than cracking we are seeing leaking as the end of UEFI restricted boot's (or 'secure' boot's) reputation. ⬆

Maintenance Reminder: We'll carry on publishing
EPO "Cocaine Communication Manager" - Part VIII - Mobbing and Silencing of Dissenting Staff: that's the very cornerstone of functional democracies with real opposition parties
Reader Shares Recent Memes on Slop and 'Coding' by LLMs: "just some funny memes I thought were relevant to current coverage."
Invitation to General Assembly After 1,200 EPO Workers Participated in the Demonstration 3 Days Ago: "the strike of 19 March was also very well followed."
Gemini Links 22/03/2026: LLM Slop Attacks USENET, Announcing Pig (New Game in Gemini Protocol): Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, March 21, 2026: IRC logs for Saturday, March 21, 2026
SLAPP Censorship - Part 18 Out of 200: Third Parties Funding Attacks on the Messengers, Lawsuits Against GAFAM-Critical Voices That Uphold Real National Security: Women are like kryptonite to them
Never Trust People Who Write Their Own Wikipedia Pages (Vanity Pages About Themselves) or Ask Friends to Do So. Also: Jono Bacon is Married to Microsoft.: We'd hardly be the first to point out Wikipedia isn't what it seems
No Tolerance for Attacks on Family Members: Being a Free software activist ought not lead to "collateral damage" like attacks on family members, including doxing
Sirius Open Source is Just a Zombie Firm With Shell Entities: Many companies fake their health and their size
Communities Can Only Survive When Trust Prevails: PCLinuxOS is still a vibrant and authentic community
Techrights Was Always a Community Site: The harder we're attacked, the more people participate in the site
Behind the PR Smokescreen and Microsoft-Sponsored Chaff, Microsoft Layoffs in "AI" Alleged This Month: In an age when ~1,000 simultaneous layoffs aren't enough to receive any media coverage, what can we expect remaining publishers to tell us about Microsoft layoffs in 2026?
Bluewashing at Confluent: Some Workers to Leave Within 3 Months (IBM Mass Layoffs): Is the "era of AI" an era when none of the media will mention over 800 layoffs? [...] There's a lesson here about the state of the contemporary media, not just IBM and bluewashing
Microsoft OpenAI, Drowning in Debt and Forced to Make Significant Cuts (as Reports Reveal This Month), Does Hiring Disguised as "Takeovers" to Fake Value or Alleged Potential: Remember what happened to Skype last year
Slop Does Not Replace Art, It Contaminates Everything With Reckless Nonsense: many Computer Scientists do not want programs to get contaminated by slop
Coders Don't Just Reject 'Vibe Coding' Because They're "Luddites", They Just Know the True Cost of Slop: if some programmer says slop sucks, don't rush to assume selfishness or defence of one's occupation
When Nobody Else Covers the News: There's an obvious "media blackout" regarding the mass layoffs
Links 21/03/2026: David Botstein Dies, Slop as Censorship Apparatus: Links for the day
Links 21/03/2026: Metastablecoin Fragmentation and Crescent Moon: Links for the day
Gemini Links 21/03/2026: Historic Ada Docs; The Lurking LLM on the SmolNet: Links for the day
HSBC the Latest Failed Bank Using Slop as Excuse for Its Financial Failure: "HSBC is planning on cutting as many as 20,000 jobs in the near future as the company allies with AI revolution."
A/Prof Susan G Kleinmann, Enkelena Haxhija & Debian-private risk to MIT: Reprinted with permission from Daniel Pocock
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, March 20, 2026: IRC logs for Friday, March 20, 2026
SLAPP Censorship - Part 17 Out of 200: A Long Track Record of Online Abuse, Then Choosing a Low-Cost Law Firm to Muzzle People Who Have Illuminated This Abuse for Over a Decade: Censorship by targeting ISPs and webhosts isn't unprecedented
Plagiarism in "Linux" Clothing (LLM Slop in linuxiac.com, LinuxTeck.com, and linuxsecurity.com): The net effect of those slopfarms is very negative
Links 20/03/2026: Facebook Weaponised Politically, Openwashing by LF and NVIDIA, Encyclopedia Britannica Sues Microsoft Proxy for Plagiarism: Links for the day
The EPO's Local Staff Committee Munich (LSCMN) Explains to the Administrative Council (AC) How Bad Things Have Become at Europe's Second-Largest Institution, Biggest Patent Office, and Corruption/Cocaine Hub (Jobs Sold to Friends): We'll say a bit more tomorrow
IBM's Red Hat Diversity: Only 3 Women (Out of 11 Leaders): For comparison's sake, the FSF is about 50% female
Symptom of Publishers Dying: They Move to Adopt Slop. Symptom of Software Companies Dying: They Move to Adopt Slop ('Vibe').: It'll always fail. It's hype. It's a bubble.
Under IBM, Red Hat Replaces Code With LLM Slop, Fedora is Slopware: Not even hiding it, those things are in plain sight
Gemini Links 20/03/2026: Depictions of Culture and The Social Smolnet: Links for the day
SimilarWeb Was Never a Reliable Yardstick for Traffic: 5RB may need some "house-cleaning"
Strangulation, suffocation, Jonathan Carter & Debian toxic culture confirmed: Reprinted with permission from Daniel Pocock
Reports or Hearsay Suggest Ogilvy Broke Up With IBM and Insiders Report Mass Layoffs in "Infrastructure" (Might Impact Red Hat Entrants): hearsay in Social Control Media
Scheduled Server Maintenance Tomorrow Night: Starting 9PM
None of the Above (NotA) & Debian snubbing Sruthi Chandran: Reprinted with permission from Daniel Pocock
Links 20/03/2026: Cryptography Pioneers Win Turing Award and BMG Sues Anthropic for Copyright Infringement: Links for the day
Even Uganda Understands That Journalists Never Belong in Prison: "Ugandan authorities must respect the spirit of this ruling and abandon any measures that seek to jail Ugandans for the free flow of ideas."
Inaction Helps Your Enemies: Without freedom, there's nothing else left
Windows Down From 99% to ~50% in Republic of Seychelles (République des Seychelles): Windows fell by a lot
"systemd is essentially a corporate IBM/Redhat project and corporations of course will comply": Microsoft and IBM care about users' freedom like Cheeto Lump cares about the US Constitution
Confluent Insiders: IBM Laid Over Over 800 at Confluent, Not Just 800: For the record, the layoffs at Confluent won't be over. After the bluewashing there will be "IBM RAs" impacting Confluent folks, aside from PIPs
The Layoffs at IBM Carry on (Shades of Enron): Is IBM another Enron?
"IBM boss Arvind Krishna... financial package valued at $38 million in calendar 2025 - equivalent to the average collective pay of 765 Big Blue workers.": continues to ruin the company to enrich himself while pretending he has a strategy
Gemini Links 20/03/2026: Digital Identity Bifurcation and a "Return to Gemini": Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Thursday, March 19, 2026: IRC logs for Thursday, March 19, 2026

UEFI Restricted Boot No Longer Valid for Security, Keys Leaked

Recent Techrights' Posts