Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

Anyone saying secureboot "brings absolutely nothing" clearly doesn't understand how secure boot works (or is just arguing in bad faith). Secure boot has issues (see key revocation issue & vulnerable UEFI program used by malware to install bootkit) but it does address a real security issue.

People might not like who holds the commonly preinstalled keys (Microsoft and motherboard OEMs) but even then you can add your own keys and sign your own images if you want (there was just a post yesterday about doing this for raspberry pis),

The raspberry pi example is an even worse implementation of secure boot using an absurd write only once scheme for the keys.

That's just creating more ewaste, nobody can ever use that device normally again and it cannot be resold.

I don't think its absurd at all. It isn't required in anyway (opt in), lets you use your own keys (no preinstalled microsoft or other bigcorp keys), and isn't possible for someone to modify what keys you installed.

Of course if you lose your keys you can't sign anything else and that would make it basically ewaste, but most things end up as waste when you take actions that are reckless and can't be reversed (which is what losing the keys would be). Plus tech tends to ends up as ewaste after less than a decade anyways. Like sure you could still be using an AMD steamroller CPU but realistically after 10 years you'd be better off using a cheaper more power efficient chip anyways.

> Plus tech tends to ends up as ewaste after less than a decade anyways. Like sure you could still be using an AMD steamroller CPU but realistically after 10 years you'd be better off using a cheaper more power efficient chip anyways.

I'm not sure what you are trying to argue but people routinely buy used computers on market place. Rasperry pies with locked keys are essentially paper weights once the owner doesn't want to use them anymore.

And realistically, the biggest ewaste generators are especially smartphones nowadays which are too locked to be reused well.

> I'm not sure what you are trying to argue but people routinely buy used computers on market place. Rasperry pies with locked keys are essentially paper weights once the owner doesn't want to use them anymore.

Why can't the owner who wants to sell their locked Pi give the buyer the key?

> People might not like who holds the commonly preinstalled keys (Microsoft and motherboard OEMs) but even then you can add your own keys and sign your own images if you want (there was just a post yesterday about doing this for raspberry pis),

I like SecureBoot, and I like that I can select my keys to sign things the UEFI will run, but I don't like that I can't replace the UEFI itself since it's protected by bootguard.

Now if I can edit the UEFI, that's a gamechanger: I could have my signed UEFI payloads check the UEFI firmware has the parts I want (or don't want) and refuse to keep booting if it doesn't

Because presumably they are not going to use one key per raspberry they own? Who would complicate their setup like that?