
658 points transpute | 2 comments
mjg59 ◴[] No.35845088[source]
The pervasiveness of secure boot has genuinely made things difficult for attackers - there'd have been no reason for the Black Lotus bootkit to jump through all the hoops it did if it weren't for secure boot, and the implementation of UEFI secure boot does make it possible to remediate in a way that wouldn't be the case without it.

But secure boot at the OS level (in the PC world, at least) is basically guaranteed to give users the ability to enable or disable it, change the policy to something that uses their own keys, and ensure that the system runs the software they want. When applied to firmware, that's not the case - if Boot Guard (or AMD's equivalent, Platform Secure Boot) is enabled, you don't get to replace your firmware with code you control. There's still a threat here (we've seen firmware-level attacks for pre-Boot Guard systems), but the question is whether the security benefit is worth the loss of freedom. I wrote about this a while back (https://mjg59.dreamwidth.org/58424.html) but I lean towards thinking that in most cases the defaults are bad, and if users want to lock themselves into only using vendor firmware that's something that users should be able to opt into.

Dalewyn ◴[] No.35847323[source]
>the question is whether the security benefit is worth the loss of freedom.

At least as far as Benjamin Franklin would tell you: No.

stevefan1999 ◴[] No.35847568[source]
Absolutely agree here; as Benjamin Franklin once said: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
1. mjg59 ◴[] No.35847600[source]
The freedom to choose which software runs on your computer is also the freedom to choose that certain software shouldn't run on your computer. The freedom to make that decision should be left up to the individuals rather than being imposed on them, but making an explicit choice that my computer should only run specific firmware builds is an expression of freedom, not a rejection of it.
2. account42 ◴[] No.35860294[source]
Except that describes a fantasy reality and not our reality, where the user has no say, and even if you are lucky enough to be able to run the software that you want, it won't have access to the keys demanded by third parties like the media industry. The mere existence of "trusted computing" is a threat to free computing.