
#1 2023-07-30 22:57:37

xiaohai
Member
Registered: 2023-07-30
Posts: 2

Do the signed EFI binaries run in a non-Secure Boot environment?

I read through the article https://wiki.archlinux.org/title/Unifie … ecure_Boot and have some concerns about it:

1. Are the signed EFI binaries (e.g. applications, drivers, unified kernel images) launched in a non-Secure Boot environment?
2. Are the signed EFI binaries tamper-proof?
3. Can the enrolled keys be deleted from /etc/secureboot/keys afterward?

Currently the Secure Boot standard proposed by MS (https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) does not mention the behavior of the signed EFI binaries in a non-Secure Boot environment. If someone copies everything (including the EFI system partition of your PC) to a similar hardware device, then the original Secure Boot mechanism can easily be worked around. Is that so?

Regards!

Xiaohai


#2 2023-08-06 18:01:46

ua4000
Member
Registered: 2015-10-14
Posts: 557

Re: Do the signed EFI binaries run in a non-Secure Boot environment?

1. If you disable Secure Boot in the BIOS, your Arch or Windows will still boot.
2. No. Nothing is tamper-proof.
3. As root, or as a user with access to your drive, everything can be modified, added or deleted.

4. Secure Boot does not protect against copying your data from A to B. Maybe you are searching for data encryption, https://wiki.archlinux.org/title/Data-a … encryption ?


#3 2023-08-07 22:29:54

xiaohai
Member
Registered: 2023-07-30
Posts: 2

Re: Do the signed EFI binaries run in a non-Secure Boot environment?

Thanks for your suggestion. I am thinking of sealing the encryption key into Secure Boot's NVRAM and retrieving it in the signed kernel or initrd during Secure Boot. But since the signed binaries are not tamper-proof, this unseal process can easily be worked around. Do you have any idea how to generate a signed kernel or initrd which is tamper-proof?


#4 2023-08-08 02:43:28

headkase
Member
Registered: 2011-12-06
Posts: 1,986

Re: Do the signed EFI binaries run in a non-Secure Boot environment?

xiaohai wrote:

Thanks for your suggestion. I am thinking of sealing the encryption key into Secure Boot's NVRAM and retrieving it in the signed kernel or initrd during Secure Boot. But since the signed binaries are not tamper-proof, this unseal process can easily be worked around. Do you have any idea how to generate a signed kernel or initrd which is tamper-proof?

https://wiki.archlinux.org/title/Truste … orm_Module

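To illustrate the direction headkase's TPM link points in, here is an added Python simulation (not from the thread or the Arch wiki) of a disk key sealed to measured boot state: the key is released only when the Secure Boot state and every measured image match what was sealed, and a sealed blob copied along with the ESP is useless on another chip. The PCR extend rule is the real one; SimTpm, its XOR wrapping and all sample images and the key are constructed stand-ins.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old || SHA-256(measured))."""
    return hashlib.sha256(pcr + hashlib.sha256(measured).digest()).digest()

def boot_pcr(secure_boot_on: bool, images: list) -> bytes:
    """Simulated measured boot: record the Secure Boot state, then every loaded
    EFI image, into one PCR. A change anywhere in the chain alters the value."""
    pcr = extend(bytes(32), b"SecureBoot=1" if secure_boot_on else b"SecureBoot=0")
    for image in images:
        pcr = extend(pcr, image)
    return pcr

class SimTpm:
    """Toy stand-in for a TPM: a per-chip seed that never leaves the object."""
    def __init__(self):
        self._seed = os.urandom(32)

    def _key(self, label: bytes) -> bytes:
        return hmac.new(self._seed, label, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes) -> dict:
        """Bind a secret (<= 32 bytes) to the PCR value it may be released under."""
        ct = bytes(a ^ b for a, b in zip(secret, self._key(expected_pcr)))  # toy wrap
        tag = self._key(b"tag" + expected_pcr + ct)
        return {"policy": expected_pcr, "ct": ct, "tag": tag}  # this blob lives on disk

    def unseal(self, sealed: dict, live_pcr: bytes):
        """Return the secret only if live PCR == policy and the blob is this chip's."""
        if not hmac.compare_digest(sealed["policy"], live_pcr):
            return None
        if not hmac.compare_digest(self._key(b"tag" + live_pcr + sealed["ct"]), sealed["tag"]):
            return None
        return bytes(a ^ b for a, b in zip(sealed["ct"], self._key(live_pcr)))

SHIM, KERNEL, INITRD = b"shim.efi v1", b"vmlinuz-linux", b"initramfs-linux.img"  # constructed
LUKS_KEY = b"constructed-32-byte-luks-key!!!!"  # constructed 32-byte sample key
def scenarios() -> dict:
    tpm = SimTpm()
    good = boot_pcr(True, [SHIM, KERNEL, INITRD])
    sealed = tpm.seal(LUKS_KEY, good)
    return {
        "same_machine_same_chain": tpm.unseal(sealed, good) == LUKS_KEY,
        "secure_boot_disabled": tpm.unseal(sealed, boot_pcr(False, [SHIM, KERNEL, INITRD])) is None,
        "modified_initrd": tpm.unseal(sealed, boot_pcr(True, [SHIM, KERNEL, INITRD + b"!"])) is None,
        "esp_cloned_to_other_tpm": SimTpm().unseal(sealed, good) is None,
    }
```

Only the first scenario yields the key; a real setup binds the LUKS key to PCRs the same way (systemd-cryptenroll's TPM2 enrollment is one such tool), so the sealed blob is the tamper check the signed images themselves cannot provide.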
