i wonder how many people actually try to run their own certificate authority and stuff for their secureboot-enabled hardware
lexi tried that with her thinkpad and the feature is so broken it bricked the laptop to the point your only chance at fixing it is a special $300 programmer for the embedded controller, plus a dump that’s basically a closely-guarded secret among sketchy repair shop owners
on my (much cheaper!) asus laptop it actually works, and will also allow you to reset things if you screw up in a way that would brick it because critical firmware components are signed with the wrong keys (this option disappears after a successful boot)
Conversation
Notices
-
Embed this notice
miauz genyau (mia@movsw.0x0.st)'s status on Sunday, 25-Aug-2024 10:47:02 JST 
miauz genyau
- Haelwenn /элвэн/ :triskell: and Doughnut Lollipop 【記録係】:blobfoxgooglymlem: like this.
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 25-Aug-2024 10:48:38 JST 
Haelwenn /элвэн/ :triskell:
@mia heh maybe there's more people with custom coreboot than people with custom secureboot. -
Embed this notice
miauz genyau (mia@movsw.0x0.st)'s status on Sunday, 25-Aug-2024 10:56:44 JST
miauz genyau
@lanodan yeah i bet. anything related to x.509 is too much of a pain to be worth it even when you’re not dealing with broken implementations (which is probably the majority)
Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 25-Aug-2024 10:59:51 JST
Haelwenn /элвэн/ :triskell:
@mia And I guess no vendor would fix bugs related to custom keys, except maybe related to a business contracts as AFAIK secureboot custom keys exists mostly to lock down employees machines. -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 25-Aug-2024 11:19:37 JST
Haelwenn /элвэн/ :triskell:
@mia @anemone Been quite a lot of years but last time I heard about a journalist security setup it was using devboards to read/browse anything that's not your own data.
Which makes sense, they're about the only computer you can get with awful persistance :D -
Embed this notice
miauz genyau (mia@movsw.0x0.st)'s status on Sunday, 25-Aug-2024 11:19:38 JST
miauz genyau
@anemone yeah it’s more of a thing you do when you’re LARPing corporate IT stuff
if i were in that position i would not trust the majority of laptops in the first place. if i had to own and use a personal computer regularly, i’d try to go full paranoia, carefully source risc-v and possibly work with close contacts to design a custom motherboard (might even pull it off). very limited options for radio as well.
speaking of potential off-the-shelf backdoors and sidechannels: thinkpads also have very poor electrical design. they leak a lot over power supply (including noises due to physical vibration, possibly LED PWM clock stability, speaker noise, all the ports, LCD isn’t shielded well enough to suppress RF leakage etc.)… again, worse than the cheap old asus laptop. -
Embed this notice
anemone@ebiverse.social's status on Sunday, 25-Aug-2024 11:19:39 JST 
anemone
@mia@movsw.0x0.st it never seemed worth the hassle to me. if i was a journalist or a whistleblower i would probably try but that aside it just seems pointless
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 25-Aug-2024 11:22:58 JST
Haelwenn /элвэн/ :triskell:
@mia @anemone In fact I'd jokingly say that it might be the only kind of computer where you can fry the main storage (SD/eMMC) and actually have it pass as an accident. -
Embed this notice
miauz genyau (mia@movsw.0x0.st)'s status on Sunday, 25-Aug-2024 11:29:31 JST
miauz genyau
@lanodan asus (or whatever company they’re outsourcing their firmware to) actually fixed quite a few bugs in my laptop’s firmware. most of them not mentioned in the changelog of course
they actually update all the components every time they change anything at all, even just microcode blobs (as they did for intel CPU vulnerabilities). there was an ACPI bug that caused fan control issues after a suspend/resume cycle with non-windows operating systems that got fixed after 10 years. that really surprised meHaelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 25-Aug-2024 11:56:43 JST
Haelwenn /элвэн/ :triskell:
@ignaloidas @mia @anemone boot flash is awfully rare in devboards, kind of thing that I hate on my side of things as it means non-generic boot, that said I'd always expect it to be accessible from flashrom and so wipeable/auditable.
But the point of devboards is more that you can have cheap portable computers that can either be used to browse the web and dangerous files, or be trivially kept airgapped (low power consumption being also nice there).
Kind of like a burner phone but computer side of things. -
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Sunday, 25-Aug-2024 11:56:45 JST 
Ignas Kiela
@lanodan@queer.hacktivis.me @mia@movsw.0x0.st @anemone@ebiverse.social newer ones still have places where you could hide exploits though, internal boot flash is kinda common
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 25-Aug-2024 12:12:17 JST
Haelwenn /элвэн/ :triskell:
@ignaloidas @mia @anemone Huh and RaspberryPi doesn't even seem to put a hint about it in the product page + PDFs.
Guess that's yet another good reason to stick to ones where they provide schematics. -
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Sunday, 25-Aug-2024 12:12:19 JST
Ignas Kiela
@lanodan@queer.hacktivis.me @mia@movsw.0x0.st @anemone@ebiverse.social Pi's past 3 have one
Most other boards released over the last couple years have one too
You can maybe still find new-ish ones without, but it's getting rarer
All GNU social JP content and data are available under the