658 points transpute | 25 comments

codedokode No.35844123
Isn't it good? Does leaked key mean that now owners of hardware will be able to read and modify the firmware, including IME, and check it for backdoors?

Such keys should be in the hands of users, not Intel.

replies(5): >>35844144 >>35844419 >>35844928 >>35845513 >>35845801
1. QuiDortDine No.35844144
If there was something to leak, it was always going to. Just a matter of when. Pretending otherwise is just security theater.
replies(4): >>35844147 >>35844361 >>35844510 >>35844608
2. guerrilla No.35844147
Yeah, don't depend on a permanent global conspiracy for your security. Someone always defects and accidents often happen long before that.
replies(4): >>35844184 >>35844346 >>35844567 >>35846541
3. henriquez No.35844184
It is not a conspiracy. Just like the iOS App Store it is for your own protection. There is no legitimate reason to run your own software on general purpose computing hardware.
replies(4): >>35844239 >>35846466 >>35847367 >>35847385
4. ChrisClark No.35844239{3}
/s I hope. ;)
replies(1): >>35844530
5. 19h No.35844361
Pfft, keys, schmeys. Real security is built on handshakes and backroom deals, not strong encryption.
replies(2): >>35844606 >>35844684
6. brookst No.35844510
Is everything that is going to fail eventually just useless theater? Like new cars are just transport theater because they will have to be junked eventually?

I agree that master private keys are bad security design, and we can and should do better. I'm just not willing to say that all past security value is retroactively nullified. That feels polemic more than realistic.

replies(1): >>35844593
7. brookst No.35844530{4}
Doesn't really matter /s or not, it's a ridiculously reductive and extremist position either way.

Security is about tradeoffs, most notably security vs convenience, but also many others.

Anyone who suggests that their personal preferences in tradeoffs are not just universally correct but also the only reasonable position to hold is just silly.

replies(1): >>35846570
8. hammock No.35844567
That's the same argument that people use to support the second amendment (the people's right to bear arms).
replies(2): >>35844624 >>35845896
9. htag No.35844593
There's a difference between temporary security and security theater.

Real but temporary security -> This 2048 bit key you generated will be commercial grade protection until at least 2030. Sometime after that computers will be strong enough to brute force it. Do not store anything with this key that will still be highly sensitive in 7 years. It's possible the underlying algorithm is cracked, or a leap in quantum computers happens that will make the key obsolete sooner.

Security theater -> All software running on this chip must be signed with our master key. Please trust all software we sign with this key, and no malicious party will have access to it. You are not allowed to run arbitrary software on your hardware because it is not signed with our key.

In the first case, the security is real. You own the lock, you own the key, and you control the entire security process. In the second case, you own neither the lock nor the key, and basically have limited access to your own hardware.

replies(1): >>35847287
10. Y_Y No.35844606
What's the cryptographic definition of a "backroom deal"? Can I do it with Ed25519?
replies(1): >>35845781
11. conradev No.35844608
Yeah, it is puzzling that the key was able to be leaked in the first place. The key should have been in an HSM.
replies(2): >>35845228 >>35846357
12. Y_Y No.35844624{3}
Hey, the second amendment says the right to bear arms shall not be infringed, it doesn't say it exists!
replies(1): >>35845976
13. cassepipe No.35844684
Didn't get it
14. er4hn No.35845228
Same thing with Samsung and their key leak.

Part of the blame, imo, lies with how clunky tools are at the lower levels. I've seen plenty of hardware based signing protocols that don't allow for key hierarchies.

Higher level tools push this along as well. Hashicorp Vault also, last I checked, doesn't allow for being a front end to an HSM. You can store the master unlock key for a Vault in an HSM, but all of the keys Vault works with will still be in Vault, in memory.

15. efitz No.35845781{3}
No, but you can with the curves that the NSA proposed to NIST.
16. No.35845896{3}
17. aksss No.35845976{4}
"keep and bear" :^)
replies(1): >>35851552
18. foobiekr No.35846357
HSMs are not secure to sustained competent hardware attacks. This should have been on an HSM in multiple secure signing service facilities with authenticated access and never handed to an OEM of any kind in any form.
19. chaxor No.35846466{3}
I love this comment, thanks for such a good laugh.

I really hope no one would ever think this non-sarcastically.

20. sobkas No.35846541
> Yeah, don't depend on a permanent global conspiracy for your security. Someone always defects and accidents often happen long before that.

But then we still also have things like Crypto AG.

21. userbinator No.35846570{5}
It's extremist but unfortunately also an opinion that seems to be non-sarcastically becoming more popular.
22. brookst No.35847287{3}
The trick is seeing different personas rather than just "you".

IT admins are thrilled to have limited access to their own hardware, as long as adversaries do too.

In corporate IT, the greatest fear is insider attacks, either knowing or because statistically some users will inevitably make mistakes. Secure boot is fantastic in this context, even if it feels like an unreasonable impingement to gamers / tech enthusiasts.

23. vivegi No.35847367{3}
Yeah, right. Wait until the day when iOS App Store infra keys leak.

Oh no! That will never happen. Because it runs on Apple M1 kryptonite chip that even Superman can't touch. /s

24. Dalewyn No.35847385{3}
This rings more true than many would want to accept: Most people view and use computers as household appliances; they just use whatever is installed on it and if it breaks they go out and buy a new one.

For most people there are, in fact, no legitimate reasons to run "their own" software on "general purpose" (read: household appliance) computing hardware. Almost nobody runs custom software on their washing machine or toaster.

25. Y_Y No.35851552{5}
What do you mean? It also says that states should have militias or something, but I didn't feel that was relevant.