Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

(securityonline.info)

658 points transpute | 3 comments | 06 May 23 17:39 UTC | HN request time: 0.728s | source

Show context

discerning_ ◴[06 May 23 18:40 UTC] No.35844121[source]▶

>>35843566 (OP) #

If these keys are leaked, they should be adopted by open source projects to disable secure boot.

replies(5): >>35844176 #>>35844425 #>>35844463 #>>35844475 #>>35844941 #

1. ranger_danger ◴[06 May 23 19:14 UTC] No.35844475[source]▶

>>35844121 #

Why would you want to disable secure boot? Personally I'd rather not have software able to modify my bootloader.

replies(1): >>35844887 #

2. AshamedCaptain ◴[06 May 23 20:01 UTC] No.35844887[source]▶

>>35844475 (TP) #

Software can still modify the bootloader. Secure Boot does not protect against that. It just will complain on the next boot .... unless the replacement bootloader has been signed with the MS signature, the BIOS manufacturer signature, the OEM signature, or a bazillion other signatures.

Even if you were to completely replace all of the signatures with your own, you are going to have to trust some of the MS/manufacturer ones (unless you replace all the manufacturer-signed firmware modules with your own).

replies(1): >>35846117 #

3. Arnavion ◴[06 May 23 22:56 UTC] No.35846117[source]▶

>>35844887 #

>unless you replace all the manufacturer-signed firmware modules with your own

... of which there might not be any. Eg none of my half-dozen SB-using systems (desktops and laptops) have anything in the ESP other than the booloader and UKIs I put there, and boot with my own keys just fine.

↑