Most active commenters
  • Arnavion(3)

←back to thread

Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

(securityonline.info)
658 points transpute | 21 comments | 06 May 23 17:39 UTC | HN request time: 0.001s | source | bottom
1. discerning_ ◴[06 May 23 18:40 UTC] No.35844121[source]
If these keys are leaked, they should be adopted by open source projects to disable secure boot.
replies(5): >>35844176 #>>35844425 #>>35844463 #>>35844475 #>>35844941 #
2. Arnavion ◴[06 May 23 18:45 UTC] No.35844176[source]
Is there any platform using Intel CPUs with Boot Guard where Secure Boot can't already be disabled?
replies(1): >>35844428 #
3. fowtowmowcow ◴[06 May 23 19:08 UTC] No.35844425[source]
I'm not sure that they can of the key is proprietary to Intel. I think this would open up those projects to litigation.
replies(3): >>35844462 #>>35844871 #>>35844974 #
4. NelsonMinar ◴[06 May 23 19:09 UTC] No.35844428[source]
On one of my systems disabling secure boot also disables other aspects of the BIOS. I forget what, maybe use of the Intel graphics on the chip? It was severe enough I spent an hour figuring out how to make secure boot work instead.
replies(1): >>35844569 #
5. zapdrive ◴[06 May 23 19:13 UTC] No.35844462[source]
It's just a string of characters.
replies(2): >>35844483 #>>35844550 #
6. meepmorp ◴[06 May 23 19:13 UTC] No.35844463[source]
But secure boot is a good thing! I want my machines to verify what they're loading at boot time!

I just want to specify the root of trust.

replies(1): >>35844621 #
7. ranger_danger ◴[06 May 23 19:14 UTC] No.35844475[source]
Why would you want to disable secure boot? Personally I'd rather not have software able to modify my bootloader.
replies(1): >>35844887 #
8. Xorlev ◴[06 May 23 19:15 UTC] No.35844483{3}[source]
Software, movies, music is just a string of bits.

Using something leaked always carries some inherent risk.

replies(1): >>35844979 #
9. brookst ◴[06 May 23 19:24 UTC] No.35844550{3}[source]
So are bomb threats and false advertising.

I don't think "it's just characters" is a one-simple-trick.

replies(1): >>35845922 #
10. Arnavion ◴[06 May 23 19:26 UTC] No.35844569{3}[source]
Which system?
11. yyyk ◴[06 May 23 19:30 UTC] No.35844621[source]
There's mokutil to add your own key.
replies(1): >>35848255 #
12. einarfd ◴[06 May 23 20:00 UTC] No.35844871[source]
There seems to be a bit of a precedence with the AACS DVD encryption keys that got leaked (https://en.m.wikipedia.org/wiki/AACS_encryption_key_controve...), the suppression of that key. Seems to have failed, it was widely copied, and you can even find a copy of it on my link to Wikipedia.
13. AshamedCaptain ◴[06 May 23 20:01 UTC] No.35844887[source]
Software can still modify the bootloader. Secure Boot does not protect against that. It just will complain on the next boot .... unless the replacement bootloader has been signed with the MS signature, the BIOS manufacturer signature, the OEM signature, or a bazillion other signatures.

Even if you were to completely replace all of the signatures with your own, you are going to have to trust some of the MS/manufacturer ones (unless you replace all the manufacturer-signed firmware modules with your own).

replies(1): >>35846117 #
14. iforgotpassword ◴[06 May 23 20:08 UTC] No.35844941[source]
I think this is not general enough. What would be needed is the Microsoft secure boot private key so we can just sign EFI binaries and have them work everywhere without mucking around in the bios setup.

Afaiu, this key is specific to certain generations of Intel CPUs.

15. realusername ◴[06 May 23 20:13 UTC] No.35844974[source]
> I'm not sure that they can of the key is proprietary to Intel. I think this would open up those projects to litigation

Depends of the legislation.

That's questionable in the US since the keys are 100% machine generated and thus not copyrightable.

In most of the EU, it's clear though, there's interobability exceptions and those keys can be shared freely.

16. realusername ◴[06 May 23 20:13 UTC] No.35844979{4}[source]
The difference is that software and music are made by authors unlike keys, that's what makes them copyrightable
17. ok123456 ◴[06 May 23 22:32 UTC] No.35845922{4}[source]
you make a mathematical formula that generates the key.
replies(1): >>35846786 #
18. Arnavion ◴[06 May 23 22:56 UTC] No.35846117{3}[source]
>unless you replace all the manufacturer-signed firmware modules with your own

... of which there might not be any. Eg none of my half-dozen SB-using systems (desktops and laptops) have anything in the ESP other than the booloader and UKIs I put there, and boot with my own keys just fine.

19. evancox100 ◴[07 May 23 00:52 UTC] No.35846786{5}[source]
Good luck with that argument!

"Your honor, I wasn't copying that movie. You see, I applied a mathematical formula to the .zip file, and it just happened to produce the movie as output. Coincidence!"

(That's not to say the key is copyrightable, it's not. I think the relevant law would be the DMCA anti-circumvention provision.)

replies(1): >>35847259 #
20. brookst ◴[07 May 23 02:15 UTC] No.35847259{6}[source]
"I didn't distribute the movie, just a file that XOR'd every byte with 255!"

Technical people tend to see the law as a technical thing, where technical arguments will win. Courts are generally unamused, since every judge has years of experience with defendants who think that they've discovered one simple trick.

21. csdvrx ◴[07 May 23 05:35 UTC] No.35848255{3}[source]
no, a mok is just adding an unprotected UEFI variable. It's not the same as adding your key which can say disallow running payloads signed by Microsoft key.