LinuxQuestions.org
Old 11-26-2012, 09:06 PM   #1
Agon
EZIM Maintainer
 
Registered: Jul 2007
Distribution: Slackware64 14.0
Posts: 10

Do We Need Secure Boot?


There are ongoing debates on how one needs to protect his/her computer from malicious code which modifies pre-boot process(es). There are also articles and blogs talking about what we (alternative OS users) can do to tackle the troubles secure boot will bring us. However, as far as I understand it, the whole mess is forced down our throat only to cover a single company's a**, who is not doing a good job protecting its crappy flagship product. We don't really have that kind of malware in the *nix land so far which is feasible in a technical perspective, do we?

Also, I'm thinking of replacing my old machine (desktop) and I'm going to build from parts. Are there any new motherboards available out there without the mentioned trouble (i.e. secure boot)?
 
Old 11-26-2012, 09:24 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,013

"Secure Boot" prevents the boot loader on a motherboard from loading non-signed boot code. No more, no less. If the only malicious software in existence were programs modifying the boot loader then yes, that would protect users from malware.

However, if malicious software can exploit security flaws in the OS or device drivers, then "Secure Boot" offers absolutely no protection. And of course, that's exactly how most malware works.

The idea behind "Secure Boot" is to establish a trust chain from pre-boot to a user session. Users can be prevented from loading software and drivers by OS enforced signing mechanisms, and the OS itself cannot be modified without compromising the boot signature. Result: The user has very little control over the environment in which his/her software runs, and that is the entire point. No way to circumvent DRM.
 
Old 11-26-2012, 09:26 PM   #3
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,614
Blog Entries: 2

Quote:
Originally Posted by Ser Olmy View Post
Result: The user has very little control over the environment in which his/her software runs, and that is the entire point. No way to circumvent DRM.
And no way to circumvent corporate policies. In corporate environments Secure Boot actually makes sense. Most home users forget that not every machine is standing in a private environment.
 
Old 11-26-2012, 09:45 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,013

Quote:
Originally Posted by TobiSGD View Post
And no way to circumvent corporate policies. In corporate environments Secure Boot actually makes sense. Most home users forget that not every machine is standing in a private environment.
Corporate policies are enforced by the OS. I don't see how Secure Boot improves security in that scenario.

A user who intentionally tries to circumvent corporate policy will probably be able to do so, Secure Boot notwithstanding, provided he/she has access to the right tools or the knowledge to create them. After all, if malware can exploit security vulnerabilities in the OS (or in drivers or applications) so can a user, especially one with physical access to the hardware.
 
Old 11-26-2012, 10:01 PM   #5
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 8,085

Quote:
In corporate environments Secure Boot actually makes sense. Most home users forget that not every machine is standing in a private environment.
That does not justify requiring all machines, even those purchased for home use, to have Secure Boot implemented.

The only justification for that is to conclude that the forces behind Secure Boot are attempting to implement their own walled orchard, a la Apple. Whatever the theoretical dangers of root kits may be, the impulse behind requiring Secure Boot as a condition of sale ("Windows Certified") is clearly anticompetitive.
 
Old 11-26-2012, 10:18 PM   #6
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,614
Blog Entries: 2

Quote:
Originally Posted by Ser Olmy View Post
Corporate policies are enforced by the OS. I don't see how Secure Boot improves security in that scenario.

A user who intentionally tries to circumvent corporate policy will probably be able to do so, Secure Boot notwithstanding, provided he/she has access to the right tools or the knowledge to create them. After all, if malware can exploit security vulnerabilities in the OS (or in drivers or applications) so can a user, especially one with physical access to the hardware.
Corporate policies enforced in the OS are worth nothing if a part-time admin is able to boot the machine with a Knoppix CD. This approach does not work, not even after resetting the BIOS with the usual tricks, when Secure Boot is enabled without leaving traces.

Quote:
That does not justify requiring all machines, even those purchased for home use, to have Secure Boot implemented.

The only justification for that is to conclude that the forces behind Secure Boot are attempting to implement their own walled orchard, a la Apple. Whatever the theoretical dangers of root kits may be, the impulse behind requiring Secure Boot as a condition of sale ("Windows Certified") is clearly anticompetitive.
Whether Secure Boot must be implemented is more or less meaningless when the same standard that enforces the implementation enforces that there must be a possibility to disable it and a possibility to add custom keys.
 
Old 11-26-2012, 10:27 PM   #7
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 8,085

Quote:
Whether Secure Boot must be implemented is more or less meaningless when the same standard that enforces the implementation enforces that there must be a possibility to disable it and a possibility to add custom keys.
The key word there is "must."

The "must" is a marketing requirement of a software company whose marketing practices have long been less than sterling, not the recommendations of a neutral security taskforce or certification organization.

Keywords: marketing requirement.

Whatever the pros of Secure Boot may be, the motives for it are--er--unlikely to result from the disinterested concern of Microsoft in the sterling computer habits of its users.
 
Old 11-26-2012, 10:43 PM   #8
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,614
Blog Entries: 2

There are two simple reasons why there must be an option to disable Secure Boot that have nothing to do with marketing:
1. Many of their customers will do the same as always, they will buy Windows 8 licenses with options to downgrade to Windows 7 or Vista (whichever they deploy in their corporate environment). This will not be possible if Secure Boot can't be disabled.
2. The EU would sue the hell out of them for abusing their monopoly, maybe even with a prohibition to sell boards that don't have the option. But they have made the option to disable Secure Boot mandatory for their certification program to prevent that.

There are also simple reasons why they have made it mandatory to provide options to implement custom keys: So that larger customers can use their own keys if wanted, maybe deploying a Linux or BSD system, maybe ordering Windows versions with a different key than the standard key, so that the users aren't able to boot a standard Windows install DVD.
 
Old 11-26-2012, 10:49 PM   #9
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,013

Quote:
Originally Posted by TobiSGD View Post
Corporate policies enforced in the OS are worth nothing if a part-time admin is able to boot the machine with a Knoppix CD. This approach does not work, not even after resetting the BIOS with the usual tricks, when Secure Boot is enabled without leaving traces.
With Secure Boot, you can still boot the system with a Knoppix CD using the Linux Foundation bootloader. And that same, signed bootloader can most likely be installed on the hard drive and used to inject a rootkit into the boot process.

The rule "physical access equals full access" is still valid, and the best solution is still terminal (or possibly web-based) environments and/or physically locked-down clients.
Quote:
Originally Posted by TobiSGD View Post
Whether Secure Boot must be implemented is more or less meaningless when the same standard that enforces the implementation enforces that there must be a possibility to disable it and a possibility to add custom keys.
Exactly. I believe Secure Boot is really all about DRM, and that all talk about "malware protection", "security" and "hacker proofing" are just attempts to obfuscate the issue. Because, as you point out, there's just no way it can possibly work as advertised.
 
Old 11-26-2012, 11:56 PM   #10
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,614
Blog Entries: 2

Quote:
Originally Posted by Ser Olmy View Post
With Secure Boot, you can still boot the system with a Knoppix CD using the Linux Foundation bootloader. And that same, signed bootloader can most likely be installed on the hard drive and used to inject a rootkit into the boot process.

The rule "physical access equals full access" is still valid, and the best solution is still terminal (or possibly web-based) environments and/or physically locked-down clients.
The signed bootloader from the Linux Foundation is not meant to make it easier for corporate environments. Corporate admins should be able to learn easily how to handle Secure Boot keys and can easily remove the Linux Foundation key (and any other unwanted keys). In that case, "physical access equals full access" is no longer valid.

Quote:
Exactly. I believe Secure Boot is really all about DRM, and that all talk about "malware protection", "security" and "hacker proofing" are just attempts to obfuscate the issue. Because, as you point out, there's just no way it can possibly work as advertised.
The Windows 8 logo certification requires that it must not be possible to change any Secure Boot key or even disable Secure Boot from software. So malware or hackers that attack the boot process don't have a chance to get their rootkits into that process.
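The advice in posts #6, #8 and #10 (disable unwanted keys, enrol your own) only helps if an admin can audit what the firmware actually holds. The following is an added example, not code from the thread: it parses the EFI_SIGNATURE_LIST layout of a Secure Boot database variable as exposed by efivarfs and flags owner GUIDs that are not on the admin's allow-list. The sample bytes, the OEM and admin owner GUIDs and the certificate body are constructed placeholders.

```python
"""Inventory the entries of a UEFI Secure Boot key database (db, KEK or PK).
Added example, not from the thread; efivarfs form: 4-byte attributes + EFI_SIGNATURE_LISTs.
Sample bytes are constructed; owner GUIDs and cert body are placeholders."""
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509: "x509", EFI_CERT_SHA256: "sha256"}
LIST_HDR = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)

def parse_signature_lists(data: bytes):
    """Return [(type_name, owner_guid, signature_bytes)] for every entry in the blob."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < LIST_HDR + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        body = data[off + LIST_HDR + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:  # each entry = SignatureOwner GUID + data
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            owner = uuid.UUID(bytes_le=entry[:16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, entry[16:]))
        off += list_size
    return entries

def build_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST; used here only to construct the sample input."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", LIST_HDR + len(body), 0, 16 + len(payloads[0])) + body

def read_efivar(raw: bytes) -> bytes:
    """Drop the 4-byte attribute word that efivarfs prepends to the variable data."""
    return raw[4:]

# Constructed sample db: one x509 cert owned by the OEM, two sha256 hashes enrolled by the admin.
OEM = uuid.UUID("11111111-2222-3333-4444-555555555555")    # placeholder owner GUID
ADMIN = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")  # placeholder owner GUID
SAMPLE_DB = (b"\x27\x00\x00\x00"  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
             + build_list(EFI_CERT_X509, OEM, [b"placeholder-cert-DER"])
             + build_list(EFI_CERT_SHA256, ADMIN, [bytes(32), bytes([1]) * 32]))

def unexpected_owners(raw: bytes, allowed: set) -> set:
    """Owner GUIDs present in the database that are not on the admin's allow-list."""
    return {str(o) for _, o, _ in parse_signature_lists(read_efivar(raw))} - allowed

if __name__ == "__main__":
    for kind, owner, sig in parse_signature_lists(read_efivar(SAMPLE_DB)):
        print(f"{kind:6} owner={owner} {len(sig)} bytes")
```

On a real system the same parser runs over the bytes of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f (and the KEK and PK variables); any owner not on the allow-list is a key the admin did not enrol.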
 
Old 11-27-2012, 12:37 AM   #11
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,013

Quote:
Originally Posted by TobiSGD View Post
The Windows 8 logo certification requires that it must not be possible to change any Secure Boot key or even disable Secure Boot from Software. So malware or hackers that attack the boot process don't have a chance to get their rootkits into that process.
This leaves OS and driver security vulnerabilities, which are by far the most common attack vectors for serious malware (corporate espionage and major fraud rather than annoying "your system is infected by viruses and you must purchase the full version of this bogus tool" trojans). For that reason, I believe Secure Boot is only marginally useful in a corporate security setting.

However, if one's primary concern is not to improve system security or stability, but rather to create a walled garden, restricting users' ability to install non-signed low-level drivers (including DRM circumvention tools), Secure Boot may be the answer. (If one chooses to ignore empirical evidence regarding the effectiveness of such measures, that is; the jailbreak community has been quite successful in circumventing similar mechanisms on various smartphones.)
 
Old 11-27-2012, 12:50 AM   #12
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,614
Blog Entries: 2

And the jailbreak community are home users, not corporate users. As I said, at corporate level Secure Boot makes sense. Whether you want to use it at home is a different thing, but thanks to the Linux Foundation (if you want dual boot with Windows 8) and thanks to Microsoft (if you want to run Linux only or dual boot using your own keys) it shouldn't be such a problem as most people cry it out.
 
Old 11-27-2012, 01:19 AM   #13
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,013

Quote:
Originally Posted by TobiSGD View Post
And the jailbreak community are home-users, not corporate users.
These are actually the same people in different contexts.

My comment about jailbreaking was just meant to illustrate that signed binaries are only as effective as the OS they load, and history teaches us that security vulnerabilities are quite common. One of the first (if not THE first) driver signing circumventions on the Vista x64 platform was related to a buggy (and signed) video driver from AMD.

Quote:
Originally Posted by TobiSGD View Post
As I said, at corporate level Secure Boot makes sense.
If circumvention/jailbreaking tools become readily available, which is quite likely, and Secure Boot offers no significant malware protection anyway due to the inevitable discovery of security vulnerabilities in the OS and in applications, how does Secure Boot improve security in a corporate environment?
 
Old 11-27-2012, 01:38 AM   #14
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,614
Blog Entries: 2

How do you jailbreak a machine without leaving traces? And if there are traces it will be very likely that you will get fired and maybe sued.
 
Old 11-27-2012, 03:39 AM   #15
Agon
EZIM Maintainer
 
Registered: Jul 2007
Distribution: Slackware64 14.0
Posts: 10

Original Poster
I'm sorry people, but I think my questions still remain:

1) Is there any exploit code that works on Linux which can modify the boot sector without the knowledge of the end user? And how feasible is it?

2) Are there any newly manufactured motherboards without Secure Boot (not being able to disable the feature) available on the market today?
 
  

