←back to thread

Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

(securityonline.info)
658 points transpute | 1 comments | 06 May 23 17:39 UTC | HN request time: 0s | source
Show context
TacticalCoder ◴[06 May 23 19:48 UTC] No.35844787[source]
To all those saying SecureBoot brings absolutely nothing security wise...

Why is a project like, say, Debian, even bothering signing kernels:

https://wiki.debian.org/SecureBoot

What's their rationale for supporting SecureBoot?

replies(5): >>35844795 #>>35844812 #>>35844902 #>>35844983 #>>35848520 #
neilv ◴[06 May 23 20:03 UTC] No.35844902[source]
That wiki page buries what might be the rationale in the "What is UEFI Secure Boot?" section:

> Other Linux distros (Red Hat, Fedora, SUSE, Ubuntu, etc.) have had SB working for a while, but Debian was slow in getting this working. This meant that on many new computer systems, users had to first disable SB to be able to install and use Debian. The methods for doing this vary massively from one system to another, making this potentially quite difficult for users.

> Starting with Debian version 10 ("Buster"), Debian included working UEFI Secure Boot to make things easier.

Sounds plausible, but I don't know how seriously to take it, when that wiki page also includes very generous and regurgitated-sounding bits like:

> UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market here; SB is a security measure to protect against malware during early system boot. Microsoft act as a Certification Authority (CA) for SB, and they will sign programs on behalf of other trusted organisations so that their programs will also run. There are certain identification requirements that organisations have to meet here, and code has to be audited for safety. But these are not too difficult to achieve.

I normally look to Debian to be relatively savvy about detecting and pushing back against questionable corporate maneuvers, but it's not perfectly on top of everything that goes on.

replies(1): >>35845031 #
stonogo ◴[06 May 23 20:20 UTC] No.35845031[source]
Can you provide examples of such pushback from Debian? I always viewed them as a typically understaffed, underfunded volunteer effort without the resources to push back against funded technology. I'm ready to be wrong on this, if you can help me out!
replies(2): >>35845297 #>>35845882 #
1. teddyh ◴[06 May 23 22:25 UTC] No.35845882{3}[source]
Debian keeps track of all remaining privacy issues in all packages (i.e. such issues which have not yet been corrected or patched by the Debian package maintainer):

https://wiki.debian.org/PrivacyIssues