have you guys heard from m$ recently?
First, a reference: microsoft-will-take-nearly-a-year-to-finish-patching-new-0-day-secure-boot-bug
or two:
You want just another "Microsoft sucks!" thread? Let's leave the issues with UEFI boot security to those concerned about it. Anyway, Slackware has (and always had) exactly ZERO boot security in UEFI mode booting because it demands the disabling of Secure Boot. And I do not see any sign that this will be changed someday.
This is a follow-on from the original disclosure of BlackLotus that was discussed here in this forum.
The deal is elucidated here. The fix is revocation of certificates for previously trusted binaries. The problem is the damage to users when that is enforced. It highlights a fundamental problem with UEFI and Secure Boot: how to manage revocation of widely dispersed, previously trusted certificates.
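The revocation the post above talks about happens through the UEFI dbx ("forbidden signatures") variable, which holds one or more EFI_SIGNATURE_LIST structures. The following is an added example, not code from the thread or from any vendor: it parses that on-disk format, shows how a revoked loader hash is matched, and builds a constructed dbx blob with placeholder owner GUID and made-up loader contents so it runs offline. The signature-type GUIDs are the ones defined in the UEFI specification; everything else in the sample data is constructed.

```python
"""Parse UEFI EFI_SIGNATURE_LIST blobs (the format of db/dbx) and check
whether a boot binary's hash has been revoked.  Added example for this
thread; the sample dbx below is constructed, not a real revocation list."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


@dataclass
class SignatureEntry:
    sig_type: uuid.UUID   # which kind of signature this list holds
    owner: uuid.UUID      # SignatureOwner: who enrolled the entry
    data: bytes           # SHA-256 digest or DER certificate, by sig_type


def parse_signature_lists(blob: bytes) -> list[SignatureEntry]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures.
    Layout per list: type GUID (16) | SignatureListSize (u32) |
    SignatureHeaderSize (u32) | SignatureSize (u32) | header |
    N x (SignatureOwner GUID (16) + SignatureData)."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject sizes that would walk past the blob or overlap the header.
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body_start = off + 28 + hdr_size
        body_end = off + list_size
        if (body_end - body_start) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append(SignatureEntry(sig_type, owner, blob[pos + 16:pos + sig_size]))
        off = body_end
    return entries


def build_sha256_list(owner: uuid.UUID, digests: list[bytes]) -> bytes:
    """Inverse of the parser; used here only to construct sample data."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


def is_revoked(dbx_blob: bytes, image: bytes) -> bool:
    """True if the image's SHA-256 is listed in dbx.  Simplification: real
    dbx entries hold Authenticode (PE/COFF) image hashes, not a flat hash of
    the file bytes, so a flat hash is used here only to show the matching."""
    digest = hashlib.sha256(image).digest()
    return any(e.sig_type == EFI_CERT_SHA256_GUID and e.data == digest
               for e in parse_signature_lists(dbx_blob))


# Constructed sample: a vendor (placeholder owner GUID) revokes two builds.
VENDOR_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder
OLD_LOADER = b"constructed: old boot loader build"
OTHER_LOADER = b"constructed: another revoked build"
CURRENT_LOADER = b"constructed: patched boot loader build"
SAMPLE_DBX = build_sha256_list(
    VENDOR_OWNER,
    [hashlib.sha256(OLD_LOADER).digest(), hashlib.sha256(OTHER_LOADER).digest()],
)

if __name__ == "__main__":
    for name, img in [("old", OLD_LOADER), ("current", CURRENT_LOADER)]:
        print(name, "revoked" if is_revoked(SAMPLE_DBX, img) else "allowed")
```

To run the parser against a real machine's list on Linux, read `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and drop the first four bytes (efivarfs prepends the variable attributes); the X.509 entries it returns are DER certificates rather than hashes. The point the post makes is visible in the structure itself: there is no expiry and no "undo" in this format, so a revocation only reaches a machine when the firmware's dbx is actually rewritten, and every binary whose hash or signing certificate is listed stops booting at that moment.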
Now, what is the correct definition of "secure" again? :study:
It's not the first time this so-called secure thing has been exploited and it won't be the last. At least there's a patch solution with only a few drawbacks...
I'm reminded a few years back, grub & redhat had their signed boot code, which was found to have an easily accessible command line (horror!) that allowed bypassing the secure boot restrictions by running, well, anything. I guess it wasn't enough that there could be other layers of protection for the system, but that the grub way of doing things could not be considered secure. So in the church of secure boot, this means MS essentially threatened to revoke what was "linux's boot loader" signed keys because of a feature that is against the religion of secure boot. I'd point to an article about this, but search engines have gone to crap and you can't find anything when something has remotely similar terms anymore (security... booting... etc) without being pushed a lot of nonsense about security or booting a computer. I'm not going to spend any time on finding it; seeing what popped up means it's effectively memory-holed.
So just reading this thing about microsoft, it seems like a summary would be: someone figured out how to inject code into microsoft's boot loader, which is why so many methods of booting, and every vendor, are affected. This means a massive rollout, which is why it will take probably years. They have to scrub all copies of Windows' broken boot loader, because you can't bypass the church of secure boot and let someone run different code.
Reading a little more about this one, it's very similar to the grub issue. Someone figured out how to boot in secure mode and inject whatever they wanted when they had physical access to the machine, with microsoft's boot loader. So they have to update the keys and boot loader, and then come in and revoke the old boot loader's keys. That's an IT admin nightmare. All because someone might have physical access to the machine and do this. Whose machine is it anyway?
We shouldn't care, until all OEMs start enforcing secure boot. I just stick with the old "no root, no money" policy.
Just ask yourself whether your motherboard firmware enforces this secure boot snake-oil type of thing, and whether or not you consider it a defect. Then you'll know exactly what to do, as with all defective hardware > into the recycling bin.
So, I find it ridiculous to see people raging about Secure Boot flaws WHEN they advocate ZERO UEFI boot security on Slackware.
If someone has physical access, they can pull the drive, and if it's not encrypted, they've got everything, no boot loader hacking involved. A person with a screwdriver is always going to be faster and more efficient than any kind of boot loader hacking.
99 out of 100 machines with Secure Boot enabled don't have a UEFI password set. Anyone with physical access can enroll arbitrary keys to get any binaries they want certified as secure.
Yes, yes, and I certainly enjoyed reading the rants :).
For someone like me who intended to keep a copy of Windows 11 around for the use of my friends, compatibility appears to diverge here. That's why I posted. Now I only boot Windows for Patch Tuesday's updates, and promptly put it back to sleep. I didn't boot it this month. Now if Slackware had a compatibility plan involving changes, I would have taken note. But as all I'm getting around here is middle finger gestures, I'll take note of that. Because if someone gets the next year's Windows updates all together, all hell might break loose. FTR, I too think secure boot was one of the worst inventions ever. And local root access here is just me.
Because I, for one, sincerely doubt that you expected something meaningful.
So, why do you waste your precious time in this forum, when you can make those greedy capitalists pay you royally? Because they will pay royally if you show them a much better solution than Secure Boot. They will beg you to accept their trucks of money. :D Man, make the historians talk about you along with Edison and Tesla in the future! Go ahead!
And it isn't just that they suck, but that because of their aggressive, intrusive, overreaching corporate policies they are dangerous not only to their own users, but also to those who choose not to have any dealings with them at all, ever... let's be honest about that. They have this potential for control only because they have positioned themselves to have it - not because of industry standards or technical constraints. They wanted it for their own ends, and they have it, and the rest of us are affected by the consequences of their decisions, and their negligence, as a result. So it is always nice to see reminders of that, even when the bullet has been dodged as it was in this case by those lucky and wise Slackware users. :)
We either care or we don't. If we care then there is no sense of "sooner" or "later"; we must continuously evaluate our exposure, and information such as that posted here provides valuable input.
I hope that my own comments are meaningful to someone else, but if only to myself they still retain their meaning... as do your own to yourself, I suppose!