@niggy >these security features do work friend, they make our lives very difficult.
Yes, the whole idea is to make it so that computers serve them and not you.
For now it's possible to disable secure boot and upload your own keys, but such features will eventually be removed, for "security".
>it's hard to get a malicious UEFI binary signed, it's a significant barrier to the vast majority of attackers.
The thing is, plenty of malicious and non-malicious shim binaries are signed.
It seems like a significant barrier as it's not easy to get x binary signed yourself, but if you think harder, all you really need to do is grab one of the many shim binaries available, upload that and then have the shim load your software.
There is a version of GNU Grub signed for UEFI with a "vulnerability" where it can be used to load whatever software (a feature really) and you really just need to load that up to boot whatever kernel you want (such a binary has been added to the UEFI blacklist, but I'm not sure of any UEFI implementations that actually use a regularly updated blacklist).
GNU/Linux previously couldn't be installed on windows ARM tablets, as m$ requires that "secure boot" can't be disabled on ARM tablets (for "security"), but eventually someone happened to get a shim binary signed and finally GNU/Linux could be booted on such tablets.
Eventually m$ will ensure that "secure boot" implementations only boot windows and have a constant internet connection so blacklisted binaries can be added immediately (i.e. when someone finds a bug in the windows boot process that allows jumping to booting GNU/Linux instead, m$ can release a new version that doesn't have that feature and blacklist booting of the old version).
If you went online and tried now with the right technique, you could indeed do it.
"Secure boot" is only intended to restrict the user, although some parts of the plan are to be implemented later - therefore no real security benefit can be realized from such proprietary signing schemes - only a false sense of security, which is far worse than not having security, but knowing that you don't have it.