AMIBIOS Source Code and AMI's UEFI Signing Key Leaked

teckk · 04-17-2013, 12:55 PM

http://adamcaudill.com/2013/04/04/se...ky-ftp-server/

http://www.techpowerup.com/182484/AM...ey-Leaked.html

http://ami.com/News/PressRelease/?PrID=392

http://www.pclinuxos.com/forum/index.php?topic=115013.0

Sigg3.net · 04-27-2013, 09:01 AM

Another good reason why open source and the GPL should be advocated

Business secrets are not infallible, 1 weak link like an open FTP at a sub dev team is enough, so at best it's security through obscurity.

jens · 04-27-2013, 10:10 AM

Old news...

While things like this should never happen, do keep in mind that those keys were never meant for end users (they're meant to be replaced by vendors).

Quote:

Another good reason why open source and the GPL should be advocated
Business secrets are not infallible, 1 weak link like an open FTP at a sub dev team is enough, so at best it's security through obscurity.

Those keys have nothing to do with either "security through obscurity" or OSS/GPL (ignoring the almost funny silverlight upload tool).

Sigg3.net · 04-27-2013, 10:16 AM

When 1 hardware key is hard-coded into the firmware, my opinion is that it is security through obscurity. You just need 1 key to defeat the whole house of cards. Remember when the first bluray code was found. If the process was F/OSS it would not be possible to use this approach to security because the source would be available to anyone. That was my point with the GPL reference

Also, proprietary source code is available for purchase on the darker sites of the intarwebz.

Habitual · 04-27-2013, 03:06 PM

http://www.linuxquestions.org/questi...ed-4175456994/

H_TeXMeX_H · 04-28-2013, 02:25 AM

Yes, I do remember posting it as well.

jens · 04-28-2013, 09:53 AM

Quote:

Originally Posted by Sigg3.net

When 1 hardware key is hard-coded into the firmware,

It's revocable.
OEMs can add/change as many keys as they like ...

Quote:

Originally Posted by Sigg3.net

my opinion is that it is security through obscurity.

Even if it would rely on just one key (it doesn't), where's the obscurity?

Quote:

Originally Posted by Sigg3.net

You just need 1 key to defeat the whole house of cards.

That's not true.
They're both revocable and expandable.
You can add a different key for every driver and change/blacklist them later.

Quote:

Originally Posted by Sigg3.net

Remember when the first bluray code was found. If the process was F/OSS it would not be possible to use this approach to security because the source would be available to anyone. That was my point with the GPL reference

I still don't see the similarity.
Do you consider keeping your ssh and gpg keys private as anti-FOSS/GPL as well ... ?

PS: I think you're confusing Secure Boot with the bigger Restricted Boot problem.

Sigg3.net · 04-28-2013, 10:14 AM

Sorry, I thought the hard-coded keys could not be changed. My bad

jens · 04-28-2013, 10:49 AM

Quote:

Originally Posted by Sigg3.net

Sorry, I thought the hard-coded keys could not be changed. My bad

Main reason why all default keys have a Microsoft tag is rather obvious:
They're the only ones providing/selling them (it would be nice and less confusing if this changed, everyone is allowed to do so).

That said, I dislike its current implementation as much as anyone else

sundialsvcs · 04-29-2013, 08:07 PM

I pleasantly and smugly observe that the folks who dreamed up (version 1.0 of ...) this feature definitely were not cryptographers.

Habitual · 04-30-2013, 10:15 AM

Quote:

Originally Posted by sundialsvcs

I pleasantly and smugly observe that the folks who dreamed up (version 1.0 of ...) this feature definitely were not cryptographers.

My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords.