←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 2 comments | 18 Jul 25 03:53 UTC | HN request time: 0s | source
Show context
RecycledEle ◴[19 Jul 25 13:30 UTC] No.44615326[source]
This is yet another why I do not encrypt.
replies(2): >>44615500 #>>44615502 #
craftkiller ◴[19 Jul 25 13:55 UTC] No.44615500[source]
Secure boot has nothing to do with encryption. It is verifying crytographic signatures. The bootloader is signed, not encrypted.
replies(1): >>44616142 #
vbezhenar ◴[19 Jul 25 15:10 UTC] No.44616142[source]
There's some link between secure boot and encryption.

If you don't do secure boot, you need to secure your boot chain in other ways, to prevent attacker from modifying your software to log entered passphrase.

Secure boot allows to build a verifiable chain of software (UEFI -> Bootloader -> Kernel -> Initrd) which will protect against any modification, so you can be sure that your key presses are not being logged by the malicious software. That said, commonly used Linux distros have some problems protecting initrd, but that's issue of those distros.

Another link is TPM. I set up my system in a way to keep encryption key in TPM and release it only when secure boot is enabled. This allows to decrypt root automatically, without entering passphrase and my configuration only allows to boot UKI kernel signed with my key. It trades security with convenience, of course (because now attacker, who stolen my computer, only has to break through gdm or perform other ways of attacks like extracting RAM sticks), but for me it's acceptable.

replies(3): >>44616306 #>>44616371 #>>44617443 #
1. em-bee ◴[19 Jul 25 17:28 UTC] No.44617443{3}[source]
for most people that is an irrelevant threat model. people can steal my laptop, but if they don't know my passport they can't access my data. end of story. they would have to break into my laptop without stealing it to install any kind of tool that can read the password. how/when is that going to happen ever without you knowing it? you would have to be working on highly sensitive, and sought after stuff for someone to try that.
replies(1): >>44618882 #
2. craftkiller ◴[19 Jul 25 20:07 UTC] No.44618882[source]
Unless you're using a SED, your EFI system partition is unencrypted. It would be trivial to build a malicious copy of popular open source UEFI bootloaders (grub, refind, zfsbootmenu, etc), and a bootable USB stick that scans your EFI system partition, replacing your unencrypted bootloader with a malicious one. This attack could then be applied by relatively unskilled people in a couple minutes ("boot this flash drive, wait until the screen says "done", power it off"). I hope your laptop is never out of your possession for more than a couple of minutes! (For example, the TSA at the airport, geek squad or other repair centers, or classically an evil maid).