LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   General (http://www.linuxquestions.org/questions/general-10/)
-   -   AMIBIOS Source Code and AMI's UEFI Signing Key Leaked (http://www.linuxquestions.org/questions/general-10/amibios-source-code-and-amis-uefi-signing-key-leaked-4175458511/)

teckk 04-17-2013 12:55 PM

AMIBIOS Source Code and AMI's UEFI Signing Key Leaked
 
http://adamcaudill.com/2013/04/04/se...ky-ftp-server/

http://www.techpowerup.com/182484/AM...ey-Leaked.html

http://ami.com/News/PressRelease/?PrID=392

http://www.pclinuxos.com/forum/index.php?topic=115013.0

Sigg3.net 04-27-2013 09:01 AM

Another good reason why open source and the GPL should be advocated:)
Business secrets are not infallible, 1 weak link like an open FTP at a sub dev team is enough, so at best it's security through obscurity.

jens 04-27-2013 10:10 AM

Old news...

While things like this should never happen, do keep in mind that those keys were never meant for end users (they're meant to be replaced by vendors).

Quote:

Another good reason why open source and the GPL should be advocated
Business secrets are not infallible, 1 weak link like an open FTP at a sub dev team is enough, so at best it's security through obscurity.
Those keys have nothing to do with either "security through obscurity" or OSS/GPL (ignoring the almost funny silverlight upload tool).

Sigg3.net 04-27-2013 10:16 AM

When 1 hardware key is hard-coded into the firmware, my opinion is that it is security through obscurity. You just need 1 key to defeat the whole house of cards. Remember when the first bluray code was found. If the process was F/OSS it would not be possible to use this approach to security because the source would be available to anyone. That was my point with the GPL reference:)

Also, proprietary source code is available for purchase on the darker sites of the intarwebz.

Habitual 04-27-2013 03:06 PM

http://www.linuxquestions.org/questi...ed-4175456994/

H_TeXMeX_H 04-28-2013 02:25 AM

Yes, I do remember posting it as well.

jens 04-28-2013 09:53 AM

Quote:

Originally Posted by Sigg3.net (Post 4940055)
When 1 hardware key is hard-coded into the firmware,

It's revocable.
OEMs can add/change as many keys as they like ...

Quote:

Originally Posted by Sigg3.net (Post 4940055)
my opinion is that it is security through obscurity.

Even if it would rely on just one key (it doesn't), where's the obscurity?

Quote:

Originally Posted by Sigg3.net (Post 4940055)
You just need 1 key to defeat the whole house of cards.

That's not true.
They're both revocable and expandable.
You can add a different key for every driver and change/blacklist them later.

Quote:

Originally Posted by Sigg3.net (Post 4940055)
Remember when the first bluray code was found. If the process was F/OSS it would not be possible to use this approach to security because the source would be available to anyone. That was my point with the GPL reference:)

I still don't see the similarity.
Do you consider keeping your ssh and gpg keys private as anti-FOSS/GPL as well ... ?

PS: I think you're confusing Secure Boot with the bigger Restricted Boot problem.

Sigg3.net 04-28-2013 10:14 AM

Sorry, I thought the hard-coded keys could not be changed. My bad:)

jens 04-28-2013 10:49 AM

Quote:

Originally Posted by Sigg3.net (Post 4940533)
Sorry, I thought the hard-coded keys could not be changed. My bad:)

Main reason why all default keys have a Microsoft tag is rather obvious:
They're the only ones providing/selling them (it would be nice and less confusing if this changed, everyone is allowed to do so).

That said, I dislike its current implementation as much as anyone else ;)

sundialsvcs 04-29-2013 08:07 PM

I pleasantly and smugly observe that the folks who dreamed up (version 1.0 of ...) this feature definitely were not cryptographers.

Habitual 04-30-2013 10:15 AM

Quote:

Originally Posted by sundialsvcs (Post 4941507)
I pleasantly and smugly observe that the folks who dreamed up (version 1.0 of ...) this feature definitely were not cryptographers.

My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords.


All times are GMT -5. The time now is 11:46 AM.