←back to thread

Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

(securityonline.info)
658 points transpute | 1 comments | 06 May 23 17:39 UTC | HN request time: 0s | source
Show context
mjg59 ◴[06 May 23 20:26 UTC] No.35845088[source]
The pervasiveness of secure boot has genuinely made things difficult for attackers - there'd have been no reason for the Black Lotus bootkit to jump through all the hoops it did if it weren't for secure boot, and the implementation of UEFI secure boot does make it possible to remediate in a way that wouldn't be the case without it.

But secure boot at the OS level (in the PC world, at least) is basically guaranteed to give users the ability to enable or disable it, change the policy to something that uses their own keys, and ensure that the system runs the software they want. When applied to firmware, that's not the case - if Boot Guard (or AMD's equivalent, Platform Secure Boot) is enabled, you don't get to replace your firmware with code you control. There's still a threat here (we've seen firmware-level attacks for pre-Boot Guard systems), but the question is whether the security benefit is worth the loss of freedom. I wrote about this a while back (https://mjg59.dreamwidth.org/58424.html) but I lean towards thinking that in most cases the defaults are bad, and if users want to lock themselves into only using vendor firmware that's something that users should be able to opt into.

replies(3): >>35847100 #>>35847323 #>>35849078 #
hathawsh ◴[07 May 23 01:46 UTC] No.35847100[source]
Would it be sensible to make that choice using a good old fashioned jumper? For example, when the jumper is connected to pins 1 and 2, the firmware must be signed by a list of vendor-controlled keys; when the jumper is connected to pins 2 and 3, the firmware must be signed by a list of user-managed keys. That way, I can choose what kind of freedom makes sense for me. Most people value the freedom of not having to worry about firmware, while others value the freedom to use or create their own firmware.
replies(3): >>35847580 #>>35847586 #>>35850841 #
mjg59 ◴[07 May 23 03:18 UTC] No.35847586[source]
No, because the entire point of this is to be resilient against physical attack - anyone re-flashing your firmware already has your case open and can just move the jumper while they're at it.
replies(3): >>35847702 #>>35847927 #>>35848639 #
zimmerfrei ◴[07 May 23 06:56 UTC] No.35848639[source]
However, all UEFI implementations (on PCs at least) allow anybody with physical access to disable Secure Boot, the classic method of just popping the button battery remaining valid to these days.

So, isn't this firmware protection with BootGuard only really meant to prevent rootkits from getting persistence?

PS: thanks for all the blog posts you share on the matter! they are really golden

replies(3): >>35848658 #>>35849069 #>>35849351 #
1. TacticalCoder ◴[07 May 23 08:56 UTC] No.35849351[source]
> So, isn't this firmware protection with BootGuard only really meant to prevent rootkits from getting persistence?

I saw this "but it only prevent persistence" several times and I wonder...

Isn't preventing rootkit from getting persistence already a big win? Preventing a rootkit from getting persistence also means that should a new signed kernel contain a security fix fixing the hole the rootkit was exploiting be installed, the rootkit won't work at all anymore. The attacker now needs not only to root the machine at each boot, he also needs to cross fingers that a kernel patch closing the hole he's exploiting doesn't get installed (or he needs to both prevent the new kernel from being installed while, at the same time, managing to make believe it's been installed).

Which also raises the probability the exploit he's using at every boot gets detected at some point.

How is this a win for attackers?

Are black hat hackers really thinking "Great, BootGuard and SecureBoot are getting ubiquitous, everything up to the kernel loading is signed and enforced, so now things are easier for me!"?