658 points transpute | 1 comments
TacticalCoder No.35844787
To all those saying SecureBoot brings absolutely nothing security-wise...

Why is a project like, say, Debian, even bothering signing kernels:

https://wiki.debian.org/SecureBoot

What's their rationale for supporting SecureBoot?

CircleSpokes No.35844983
Anyone saying secureboot "brings absolutely nothing" clearly doesn't understand how secure boot works (or is just arguing in bad faith). Secure boot has issues (see key revocation issue & vulnerable UEFI program used by malware to install bootkit) but it does address a real security issue.

People might not like who holds the commonly preinstalled keys (Microsoft and motherboard OEMs) but even then you can add your own keys and sign your own images if you want (there was just a post yesterday about doing this for Raspberry Pis).

realusername No.35845027
The Raspberry Pi example is an even worse implementation of secure boot using an absurd write only once scheme for the keys.

That's just creating more ewaste; nobody can ever use that device normally again and it cannot be resold.

CircleSpokes No.35845121{3}
I don't think it's absurd at all. It isn't required in any way (opt in), lets you use your own keys (no preinstalled Microsoft or other bigcorp keys), and it isn't possible for someone to modify what keys you installed.

Of course if you lose your keys you can't sign anything else and that would make it basically ewaste, but most things end up as waste when you take actions that are reckless and can't be reversed (which is what losing the keys would be). Plus tech tends to end up as ewaste after less than a decade anyways. Like sure you could still be using an AMD Steamroller CPU but realistically after 10 years you'd be better off using a cheaper more power efficient chip anyways.

realusername No.35845183{4}
> Plus tech tends to end up as ewaste after less than a decade anyways. Like sure you could still be using an AMD Steamroller CPU but realistically after 10 years you'd be better off using a cheaper more power efficient chip anyways.

I'm not sure what you are trying to argue but people routinely buy used computers on marketplace. Raspberry Pis with locked keys are essentially paperweights once the owner doesn't want to use them anymore.

And realistically, the biggest ewaste generators are especially smartphones nowadays which are too locked to be reused well.

tzs No.35845479{5}
> I'm not sure what you are trying to argue but people routinely buy used computers on marketplace. Raspberry Pis with locked keys are essentially paperweights once the owner doesn't want to use them anymore.

Why can't the owner who wants to sell their locked Pi give the buyer the key?

realusername No.35849205{6}
Because presumably they are not going to use one key per Raspberry they own? Who would complicate their setup like that?