SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Scope of Impact
All Windows devices with Secure Boot protections enabled are affected by this issue, both on-premises physical devices and some virtual machines (VMs) or cloud-based devices. Protections are available for supported versions of Windows. For the full list, please see CVE-2023-24932.
Linux is also affected by this issue. Microsoft has been coordinating with representatives from major Linux distributions to make the fix available for their operating systems. You must contact support for your Linux distribution for guidance on mitigating this issue for your Linux devices.
Considering that Slackware is not capable to even boot with Secure Boot enabled, I do not see the sense of this thread?
You want just another "Microsoft sucks!" thread?
Let's leave the issues with UEFI boot security to those concerned about, anyway Slackware has (and always had) exactly ZERO boot security on UEFI mode booting because it demands the disabling of Secure Boot. And I do not see any sign that this will be changed someday.
Last edited by LuckyCyborg; 05-15-2023 at 08:34 AM.
This is a follow on from the original disclosure of BlackLotus that was discussed here in this forum.
The deal is elucidated here.
The fix is revocation of certificates for previously trusted binaries. The problem is the damage to users when that is enforced. It highlights a fundamental problem with UEFI and SecureBoot; how to manage revocation of widely dispersed previously trusted certificates
Now, what is the correct definition of "secure" again?
It's not the first time this so-called secure thing has been exploited and it won't be the last.
At least there's a patch solution with only a few drawbacks...
Quote:
once the fixes have been enabled, your PC will no longer be able to boot from older bootable media ...: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.
I'm reminded a few years back, grub & redhat had their signed boot code, which was found to have an easily accessible command line (horror!) that allowed bypassing the secure boot restrictions by running, well, anything. I guess it wasn't enough there could be other layers of protection for the system, but that the grub way of doing things could not be considered secure. So in the church of secure boot, this means MS essentially threatened to revoke what was "linux's boot loader" signed keys because of a feature that is against the religion of secure boot. I'd point to an article about this, but search engines have gone to crap and you can't find anything when something has remotely similar terms anymore (security... booting... etc) without being pushed alot of nonsense about security or booting a computer. I'm not going to spend any time on finding it seeing what popped up means it's effectively memory holed.
So just reading this thing about microsoft, it seems like a summary would be is someone figured out how to inject code into microsoft's boot loader, which is why so many methods of booting, and every vendor is affected. This means a massive rollout, which is why it will take probably years. They have to scrub all copies of window's broken boot loader, because you can't bypass the church of secure boot and let someone run different code.
Reading a little more about this one, it's very similar to the grub issue. Someone figured out how to boot in secure mode and injecting whatever they wanted when they had physical access to the machine, with microsoft's boot loader. So they have to update the keys and boot loader, and then come in and revoke the old boot loader's keys. That's an IT admin nightmare. All because some one might have physical access to the machine and do this. Who's machine is it anyway?
We shouldn't care, until all OEM start enforcing secure boot. I just stick with the old "no root no money" policy.
Just ask yourself does your motherboard firmware enforce this secure boot snakeoil type of thing, and whether or not you consider it a defect.
Then you'll know exactly what to do, as with all defective hardware > into the recycling bin.
That's an IT admin nightmare. All because some one might have physical access to the machine and do this. Who's machine is it anyway?
Are you aware what someone who have physical access to a machine can do if that machine boots with ELILO and keeps the kernel and initrd in the ESP partition?
So, I find to be ridiculous to see people raging about Secure Boot flaws WHEN they advocate ZERO UEFI boot security on Slackware.
Last edited by LuckyCyborg; 05-15-2023 at 01:13 PM.
If someone has physical access, they can pull the drive, and if it's not encrypted, they've got everything, no boot loader hacking involved. A person with a screwdriver is always going to be faster and more efficient than any kind of boot loader hacking.
99 out of 100 machines with Secure Boot enabled don't have a UEFI password set. Anyone with physical access can enroll arbitrary keys to get any binaries they want certified as secure.
Yes, yes, and I certainly enjoyed reading the rants.
For someone like me who intended to keep a copy of windows 11 around for the use of my friends, compatibility appears to diverge here. That's why I posted. Now I only boot windows for patch tuesday's updates, and promptly put it back asleep. I didn't boot it this month. Now if slackware had a compatibility plan involving changes, I would have taken note. But as all I'm getting around here is middle finger gestures, I'll take note of that. Because if someone gets the next year's windows updates all together, all hell might break loose.
FTR, I too think secure boot was one of the worst inventions ever. And local root access here is just me.
Yes, yes, and I certainly enjoyed reading the rants.
In fact, those rants was your only purpose. You wanted another "Microsoft sucks!" thread.
Because I for one I sincerely doubt that you have expected something meaningful.
Quote:
Originally Posted by business_kid
FTR, I too think secure boot was one of the worst inventions ever.
If you have the skills and the education to properly evaluate the Secure Boot as "one of the worst inventions ever", then certainly you know a better solution...
So, why you waste your precious time in this forum, when you can make those greedy capitalists to pay you royally? Because they will pay royally if you show them a much better solution than Secure Boot. They will beg you to accept their trucks of money.
Man, make the historians to talk about you along with Edison and Tesla in the future! Go ahead!
Last edited by LuckyCyborg; 05-15-2023 at 04:32 PM.
And it isn't just that they suck, but that because of their aggressive, intrusive overreach corporate policies they are dangerous not only to their own users, but also to those who choose not to have any dealings with them at all, ever... let's be honset about that. They have this potential for control only because they have positioned themselves to have it - not because of industry standards or technical constraints. They wanted it for their own ends, and they have it, and the rest of us are affected by the consequences of their decisions, and their negligence, as a result.
So it is always nice to see reminders of that, even when the bullet has been dodged as it was in this case by those lucky and wise Slackware users.
Quote:
Originally Posted by elcore
We shouldn't care, until all OEM start enforcing secure boot.
It is much too late at that point.
We either care or we don't. If we care then there is no sense of "sooner" or "later", we must continuously evaluate our exposure, and information such as that posted here provides valuable input.
Quote:
Originally Posted by the3dfxdude
Who's machine is it anyway?
The core question, often left unspoken.
Quote:
Originally Posted by business_kid
Yes, yes, and I certainly enjoyed reading the rants.
Thanks for bringing it to my attention, first I have been aware of it.
Quote:
Originally Posted by LuckyCyborg
In fact, those rants was your only purpose. You wanted another "Microsoft sucks!" thread.
Because I for one I sincerely doubt that you have expected something meaningful.
Well, that is certainly dismissive of the thoughts of others!
I hope that my own comments are meaningful to someone else, but if only to myself they still retain their meaning... as do your own to yourself I suppose!
Last edited by astrogeek; 05-15-2023 at 06:08 PM.
Reason: ptoy
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
.
