#1 2014-10-09 08:14:17

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

UEFI secure boot

To my great surprise, I have just noticed that Ubuntu uses a Microsoft-signed version of grub that accepts booting an unsigned kernel: https://wiki.ubuntu.com/SecurityTeam/SecureBoot. An attacker can easily use the Ubuntu-signed version of grub together with an unsigned kernel to do all the evil things he wants. I don't understand how this has been accepted.

Moreover, it seems that secure boot has already been hacked: http://securityaffairs.co/wordpress/254 … -uefi.html .

Was security the real purpose of secure boot? I can't think so.

Last edited by olive (2014-10-09 08:15:28)

#2 2014-10-09 12:11:58

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138
Re: UEFI secure boot

olive wrote:

An attacker can easily use the Ubuntu-signed version of grub together with an unsigned kernel to do all the evil things he wants.

I always thought that this can be avoided by locking the boot entries and boot order in the UEFI/BIOS settings, and configuring an administrator password in the UEFI/BIOS that protects these settings.
Even on a computer that does not use SecureBoot, setting an administrator password for the UEFI/BIOS is a good idea to keep others from changing the settings.

The fact that a lot of SecureBoot systems are vulnerable is no surprise to me given the large number of bugs showing up in the UEFI firmwares. The UEFI bugs can be found in numerous threads on the forums.

#3 2014-10-09 16:34:01

TheSaint
Member
From: my computer
Registered: 2007-08-19
Posts: 1,523

Re: UEFI secure boot

olive wrote:

Was security the real purpose of secure boot? I can't think so.

It's my thought that the developers became too lazy to write the BIOS in assembly, which caused them to ask for more space and to want to program in C.
The space was found on a hard disk, which is prone to all kinds of hacks and attacks. Then the fear of malicious software, which can easily be written onto a hard disk, brought the idea of signing the software used to boot.
I regret that Amiga has lost the market, but an OS in ROM (or flash) is the best.

Best bibliography that I found for this topic.


do it good first, it will be faster than do it twice. the saint ;)
