@evochkauwu Via trivial fuzzing it has been determined that every single proprietary UEFI implementation uses custom JPEG and/or PNG rendering libraries that are full of vulnerabilities.
I guess I came across this myself years ago without realizing it when I flashed a UEFI image with a custom PNG that the library couldn't handle and therefore crashed the UEFI on boot (the DualBIOS recovery was automatic).
As it turns out, it seems you can craft an image file containing UEFI-specific exploit instructions that the UEFI jumps to and therefore has ring -1(?) access, which is complete computer compromise, and of course all the signing keys (which the manufacturer holds) are completely bypassed, as you can't exactly allow for a custom boot logo without the logo being unsigned (such could have potentially been avoided if the user could use their own keys to sign the whole UEFI including their custom logo, but it's about restricting the user with digital handcuffs and not security, it seems).
UEFI also has a slightly-standardized filesystem interface and it seems that for many UEFI implementations, if a logo image is copied to the correct folder, that'll get copied to the SPI flash automatically.
This means that writing a UEFI rootkit that reliably works on most computers is mildly difficult, as pretty much all UEFIs seem to use the same shoddy UEFI codebase, and crafting a few different images (with the same payload) for the few different buggy image rendering libraries in use isn't very difficult.
This means less security than proprietary BIOSes, as reliable, broadly generic BIOS rootkits are very difficult to write, as every single motherboard has a different way to flash the SPI flash (with some containing EC software in one section that you want to avoid writing anything but an EC rootkit to if you don't want to brick the computer) and BIOSes don't really offer a somewhat generic API interface like UEFI does (a lot of proprietary BIOSes seem to be based off a version from "American Megatrends", but each manufacturer seems to have made heavy modifications).
A few proprietary UEFIs don't seem to be affected by not allowing for custom logos, but I doubt many of them bothered to sign all the sections, including the "non-executable" image and text data, so slightly more complicated exploits for those computers are likely to be possible too.
Free BIOSes like GNUboot seem to be a better idea really, as you can flash a known good image to the SPI flash chip and lift the WP pin and put tape under and you're looking pretty good.
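Editor's added example, not code from the thread or from any firmware vendor: the bug class the post describes is an image parser that trusts lengths and dimensions read from the file. The minimal PNG chunk walker below shows the checks a boot-logo parser must make before using a chunk length or allocating a pixel buffer, next to the naive size computation that wraps. The function names (`png_validate`, `naive_alloc_size`, `build_png`), the `MAX_PIXELS` cap and the sample images are all assumptions constructed for the demo; CRCs are not verified.

```c
/* Added illustrative example: length and dimension checks for a PNG chunk walker.
   Not firmware code; sample images below are constructed, CRCs are not checked. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PNG_SIG_LEN 8
static const uint8_t PNG_SIG[PNG_SIG_LEN] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};

/* Assumed cap on what a logo renderer would allocate (demo value). */
#define MAX_PIXELS (4096u * 4096u)

enum png_status { PNG_OK = 0, PNG_BAD_SIG, PNG_TRUNCATED, PNG_CHUNK_TOO_LONG,
                  PNG_BAD_IHDR, PNG_DIM_OVERFLOW, PNG_NO_IHDR };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* The classic naive computation: width*height*4 in 32 bits wraps for large
   dimensions, so the renderer allocates a tiny buffer for a huge image. */
uint32_t naive_alloc_size(uint32_t w, uint32_t h) {
    return w * h * 4u;
}

/* Walks the chunk list and reports the IHDR dimensions. Every length taken
   from the file is checked against the bytes actually present before use. */
enum png_status png_validate(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h) {
    if (len < PNG_SIG_LEN || memcmp(buf, PNG_SIG, PNG_SIG_LEN) != 0) return PNG_BAD_SIG;
    size_t off = PNG_SIG_LEN;
    int seen_ihdr = 0;
    while (off < len) {
        if (len - off < 12) return PNG_TRUNCATED;          /* length + type + crc */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        const uint8_t *data = buf + off + 8;
        if (clen > 0x7fffffffu) return PNG_CHUNK_TOO_LONG;  /* spec limit on chunk length */
        /* A naive parser memcpy()s clen bytes into a fixed buffer; this check is
           what stops an attacker-chosen length from reading past the file. */
        if ((size_t)clen > len - off - 12) return PNG_TRUNCATED;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return PNG_BAD_IHDR;
            uint32_t cw = be32(data), ch = be32(data + 4);
            if (cw == 0 || ch == 0 || cw > 0x7fffffffu || ch > 0x7fffffffu) return PNG_BAD_IHDR;
            uint64_t px = (uint64_t)cw * ch;                  /* widen before multiplying */
            if (px > MAX_PIXELS) return PNG_DIM_OVERFLOW;
            *w = cw; *h = ch; seen_ihdr = 1;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return seen_ihdr ? PNG_OK : PNG_NO_IHDR;
        }
        off += 12 + (size_t)clen;
    }
    return seen_ihdr ? PNG_TRUNCATED : PNG_NO_IHDR;        /* ran out of bytes before IEND */
}

/* Builds a constructed PNG: signature, an IHDR with the given dimensions and
   length field, then IEND. 45 bytes total; CRC fields are zero. */
size_t build_png(uint8_t *out, uint32_t w, uint32_t h, uint32_t ihdr_len_field) {
    size_t off = 0;
    memcpy(out, PNG_SIG, PNG_SIG_LEN); off += PNG_SIG_LEN;
    put32(out + off, ihdr_len_field); off += 4;
    memcpy(out + off, "IHDR", 4); off += 4;
    put32(out + off, w); off += 4;
    put32(out + off, h); off += 4;
    out[off++] = 8; out[off++] = 2; out[off++] = 0; out[off++] = 0; out[off++] = 0; /* depth, colour, comp, filter, interlace */
    put32(out + off, 0); off += 4;                          /* IHDR crc (unchecked) */
    put32(out + off, 0); off += 4;                          /* IEND length */
    memcpy(out + off, "IEND", 4); off += 4;
    put32(out + off, 0); off += 4;                          /* IEND crc */
    return off;
}

/* Well-formed 640x480 logo: accepted, dimensions reported. */
int demo_valid(void) {
    uint8_t buf[64]; uint32_t w = 0, h = 0;
    size_t n = build_png(buf, 640, 480, 13);
    enum png_status s = png_validate(buf, n, &w, &h);
    return (s == PNG_OK && w == 640 && h == 480) ? PNG_OK : -1;
}
/* IHDR length field claims 256 MiB of data in a 45-byte file. */
int demo_lying_length(void) {
    uint8_t buf[64]; uint32_t w, h;
    size_t n = build_png(buf, 640, 480, 0x10000000u);
    return png_validate(buf, n, &w, &h);
}
/* 65536x65536: naive 32-bit size wraps to 0, the widened check rejects it. */
int demo_dim_overflow(void) {
    uint8_t buf[64]; uint32_t w, h;
    size_t n = build_png(buf, 0x10000u, 0x10000u, 13);
    return png_validate(buf, n, &w, &h);
}

int main(void) {
    printf("valid=%d lying_length=%d dim_overflow=%d naive_size=%u\n",
           demo_valid(), demo_lying_length(), demo_dim_overflow(),
           naive_alloc_size(0x10000u, 0x10000u));
    return 0;
}
```

The two rejections are the two bugs the post alludes to: a chunk length copied without comparing it to the remaining file (stack or heap overflow in the firmware's renderer) and a dimension product computed in 32 bits (undersized allocation, then an overflow on decode). The validator is a parse-only check and does not make a custom logo trustworthy; it only shows what a correct parser has to do.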
@evochkauwu Of course, but you can always find some used hardware and GNUboot it, or find a local GNUbooter (one Canadian quad core mods thinkpads).
The best freedom-respecting computer you can get for a reasonable price is the KGPE-D16 paired with dual 6282 SEs (or better) and lots of ECC RAM, but setting it up takes skill, different kinds of Chinese motherboards have different quality and ACPI S3 doesn't yet work, but those aren't much of an issue.
Also, I made a mistake. It seems that the logo images are stored in the ESP partition, which is a FAT32 R/W partition that can sometimes be written to without root access.
@Suiseiseki@freesoftwareextremist.com
>Free BIOSes like GNUboot seem to be a better idea really, as you can flash a known good image to the SPI flash chip and lift the WP pin and put tape under and you're looking pretty good.
It certainly sounds great, but unfortunately not all hardware supports GNUboot, Libreboot or Coreboot, like my laptop.
>it will be cheaper to take old Xeons from Aliexpress and a Chinese board or build a PC on old AMD Ryzen
Yes, the reason being that such hardware won't init without proprietary malware, with digital handcuffs to cryptographically prevent its replacement.
Even if you're ultra-stingy, why would you go out of your way to get hardware that doesn't respect your freedom?
@Suiseiseki@freesoftwareextremist.com
>The best freedom-respecting computer you can get for a reasonable price is the KGPE-D16 paired with dual 6282 SEs (or better) and lots of ECC RAM, but setting it up takes skill, different kinds of Chinese motherboards have different quality and ACPI S3 doesn't yet work, but those aren't much of an issue.
This is not very profitable, it will be cheaper to take old Xeons from Aliexpress and a Chinese board or build a PC on old AMD Ryzen.