Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
Thread beginning with comment 490692
oiaohm
Member since:
2009-05-30

Part of the UEFI design is that you cannot probe from the OS side what keys are in the store. So yes, it will be a leap of faith at times if you try just putting up signed boot-loaders, guessing what key works. This is about making attackers' lives harder.

So providing multiple copies of the bootloader is not going to cut it either. Also, once a key is breached you don't want to keep on using it. Since attackers these days are after placing a bootloader before the OS so anti-malware software inside the OS cannot detect that the virus/bot/worm is there. A breached key equals an exploited OS at its core.

So yes, the only way to see what keys are in there would basically be to have something in the BIOS dialogs to show you. This is also useful for techs debugging why something has gone south. Go into the BIOS, look at the keys and go "oh boy, that BIOS needs an update". If you can add keys you could just add the missing one, remove the now expired one, problem solved.

Now if you have to go by BIOS version numbers to the maker's site to find out if a particular version of Windows can be installed, that is going to be a complete pain in the butt.

nonoitall, the average user has nothing to do with why the security is being done in the first place. What has a better chance of the average user being able to cope with secure boot: having to visit a maker's site, or being able to check a page in the BIOS for what is supported? Having to check a page in the BIOS for what is supported is closer to average users' skill limits.

Many Windows machines are being exploited by malware/bot/worm/virus boot loaders that effectively render all forms of detection of infection, bar booting from different media, almost impossible.

The prime reason for this is not DRM. It's the rate of infected machines out there. Something has to be done when more and more users are getting infected and the infection is not being detectable.

Breach of DVD and Blu-ray is not a major problem. Reason: what can you make a Blu-ray machine do by the breach? Nothing. What can you make a standard computer do when you breach it?

List of items:
Send spam
DDoS attack
Infect others
Steal identities
Steal people's money and many other evils.

Basically, if we want to stop the OS being infected we need auditing from boot up all the way to user applications. This is many times more effective than anti-virus software. White listing: if only white-listed stuff can work, the areas that can be infected are reduced.

Mandatory secure boot I have no problem with, as long as I can add my own keys when I want to, and remove keys I know are breached.

Most of the Linux world would not care either if they can add the keys required.

Simple fact here: at the rate viruses are growing, it's getting too CPU-consuming to be working by black list. Items like secure boot based on public key encryption have to come.

So secure boot provides the promise of less anti-virus scanning being required.

Most important is that the implementation is sane for consumers. Microsoft's current implementation fails the sane test. It is insane to take too much control out of consumers' hands and transfer it to hardware makers.

Reply Parent Score: 2

Alfman Member since:
2011-01-28

oiaohm,

"The prime reason for this is not DRM. It's the rate of infected machines out there. Something has to be done when more and more users are getting infected and the infection is not being detectable."

How do you know that this isn't about DRM? The owner's inability to control their own keys is extremely conspicuous in this design, which seems to be a backdoor way of imposing DRM upon the public.

Assuming the OS is entirely secure (yes, that's a big leap of faith), do you acknowledge that this "security mechanism" enables Microsoft to enforce application store restrictions as well as protecting from bootloader malware?


"Mandatory secure boot I have no problem with, as long as I can add my own keys when I want to, and remove keys I know are breached.

Most of the Linux world would not care either if they can add the keys required."

I think we are all in concurrence, however it is sounding like this is not part of the spec for new systems sold with secure boot.


"Simple fact here: at the rate viruses are growing, it's getting too CPU-consuming to be working by black list. Items like secure boot based on public key encryption have to come."

If this is your criticism of signature-based antivirus scanners, then I agree it's a problem. However, adding vendor-controlled PKI authentication to secure boot neither addresses this problem, nor is it required for the security problem which secure boot allegedly tries to solve.

Why put all this effort in locking the front door when it's the windows that are broken? (I hope you appreciate the play on words).

Reply Parent Score: 2

nonoitall Member since:
2011-09-22

"Why put all this effort in locking the front door when it's the windows that are broken? (I hope you appreciate the play on words)."

Quoted for truth. :-D

Reply Parent Score: 1

nonoitall Member since:
2011-09-22

"Part of the UEFI design is that you cannot probe from the OS side what keys are in the store. So yes, it will be a leap of faith at times if you try just putting up signed boot-loaders, guessing what key works. This is about making attackers' lives harder.

So providing multiple copies of the bootloader is not going to cut it either."

They don't need to provide multiple copies of the boot loader -- just multiple signatures for it.

"Also, once a key is breached you don't want to keep on using it. Since attackers these days are after placing a bootloader before the OS so anti-malware software inside the OS cannot detect that the virus/bot/worm is there. A breached key equals an exploited OS at its core."

I think the significance of this threat has been overstated. Even with current technology, there are superior techniques for handling this than neutering the motherboard and locking out the user. (I bet if Microsoft simply blocked ads in IE with a comprehensive block list like the ones AdBlock+ has, infection rates would plummet far more significantly than secure boot could ever hope to achieve, but we all know they won't do that.)

That said, I still sincerely doubt that a compromised key (which will happen eventually) would be met with prompt action by whoever dealt the key. I don't buy the "we're doing this to keep users secure" line that Microsoft is spouting. If that's what they really wanted to do there are better ways to go about it.

"If you can add keys you could just add the missing one, remove the now expired one, problem solved."

That "if" is the whole crux of the matter. :-D

"Many Windows machines are being exploited by malware/bot/worm/virus boot loaders that effectively render all forms of detection of infection, bar booting from different media, almost impossible."

I still doubt the scope of this is as great as you or Microsoft say. Most (all?) of the infected computers I've had to work on haven't had their boot loaders tampered with.

What you said brought up another thought to me though on why mandatory secure boot could be such a pain. There are many ways a system can become severely infected without touching the boot loader -- some of which necessitate reinstalling the OS. In those cases, it's very helpful to be able to boot up from a LiveCD to salvage documents, and secure boot could stand in the way of this if there's no way to add keys or disable it.

"The prime reason for this is not DRM. It's the rate of infected machines out there. Something has to be done when more and more users are getting infected and the infection is not being detectable.

Breach of DVD and Blu-ray is not a major problem. Reason: what can you make a Blu-ray machine do by the breach? Nothing. What can you make a standard computer do when you breach it?

List of items:
Send spam
DDoS attack
Infect others
Steal identities
Steal people's money and many other evils."

A boot loader infection is not required to achieve any of those things you listed. Heck, root/administrator access isn't even required. A good percentage of the infections I've seen have never even left the confines of the user's home directory. So again, I call foul on this being for the users' benefit. And when you think in terms of it being for the industry's benefit, it compares with DRM quite well.

"Basically, if we want to stop the OS being infected we need auditing from boot up all the way to user applications. This is many times more effective than anti-virus software. White listing: if only white-listed stuff can work, the areas that can be infected are reduced.

Mandatory secure boot I have no problem with, as long as I can add my own keys when I want to, and remove keys I know are breached.

Most of the Linux world would not care either if they can add the keys required.

Simple fact here: at the rate viruses are growing, it's getting too CPU-consuming to be working by black list. Items like secure boot based on public key encryption have to come.

So secure boot provides the promise of less anti-virus scanning being required.

Most important is that the implementation is sane for consumers. Microsoft's current implementation fails the sane test. It is insane to take too much control out of consumers' hands and transfer it to hardware makers."

I agree with the users being in control, though I still don't consider secure boot to be quite as crucial an instrument as you apparently do. ;-)

Reply Parent Score: 1

oiaohm Member since:
2009-05-30

"They don't need to provide multiple copies of the boot loader -- just multiple signatures for it."

Incorrect. The signature has to be embedded in the loader, so the only way you can have UEFI try multiple signatures is to install multiple copies of the loader. Yes, a waste of space.

"Also, once a key is breached you don't want to keep on using it. Since attackers these days are after placing a bootloader before the OS so anti-malware software inside the OS cannot detect that the virus/bot/worm is there. A breached key equals an exploited OS at its core.

I think the significance of this threat has been overstated. Even with current technology, there are superior techniques for handling this than neutering the motherboard and locking out the user."

What world have you been on? McAfee and other anti-virus vendors have been trying to solve this exact problem. The number of worms/bots that exploit at the boot loader level to render anti-virus software and other malware scanning software worthless is increasing.

"If you can add keys you could just add the missing one, remove the now expired one, problem solved.

That "if" is the whole crux of the matter. :-D

Many Windows machines are being exploited by malware/bot/worm/virus boot loaders that effectively render all forms of detection of infection, bar booting from different media, almost impossible.

I still doubt the scope of this is as great as you or Microsoft say. Most (all?) of the infected computers I've had to work on haven't had their boot loaders tampered with."

Most of the boot loader level infections are going unnoticed by everyone other than honey pot runners and banks, where they have customers being repeatedly breached, leading to the discovery of the boot loader level breach in their system. Even then, they have current anti-virus software, run Malwarebytes and every other detection method. The reason is that some are even deeper than the bootloader. Some are BIOS, because the BIOS was not protected by a signing key in lots of motherboards either.

So yes, some of the current most evil defeat LiveCDs as well. Removing the hard drive and inserting it into another machine only partly detects this.

So yes, there are machines you could be declaring clean that get reinfected rapidly; that is one of the new classes of infections. Being reinfected 24 to 48 hours after being cleaned is not uncommon.

Basically, these infections are still low in numbers. But they will grow.

"What you said brought up another thought to me though on why mandatory secure boot could be such a pain. There are many ways a system can become severely infected without touching the boot loader -- some of which necessitate reinstalling the OS. In those cases, it's very helpful to be able to boot up from a LiveCD to salvage documents, and secure boot could stand in the way of this if there's no way to add keys or disable it."

You need to read the full extent of the protection. The boot loader validates everything else above it. Mandatory secure boot would not be a major annoyance as long as you can add the keys for your recovery LiveCD, so yes, just a minor annoyance. But yes, if it is left the way it is, your recovery LiveCD could be worthless, so a major annoyance. No system recovery without ripping the hard drive out. Fun.

"A boot loader infection is not required to achieve any of those things you listed. Heck, root/administrator access isn't even required. A good percentage of the infections I've seen have never even left the confines of the user's home directory. So again, I call foul on this being for the users' benefit. And when you think in terms of it being for the industry's benefit, it compares with DRM quite well."

The problem is that the low number of current generation worms out there are using the boot loader to disable anti-virus and any other malware scanning from being able to find their existence in the machine.

But we know with all virus tech this will increase in numbers. So as the numbers grow your anti-virus software will just become more and more of a joke unless something like secure boot is done.

Yes, anti-virus software needs attackers prevented from being able to get between it and the real hardware.

"I agree with the users being in control, though I still don't consider secure boot to be quite as crucial an instrument as you apparently do. ;-)"

I do run honey pots. I have seen the most nasty of current generation worms/bots. The time is up, basically. Security has to be improved or the complete lot will fail. The time of head-in-sand is over.

Reply Parent Score: 2
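The thread above argues about three key-store operations: whether an image can carry more than one signature, what it takes for the owner to add a key for a rescue LiveCD, and what retiring a breached key does. The following is an added example written for this page (hypothetical code, not from the thread, from the UEFI specification or from any firmware) that models the allow/deny decision as a policy check. The allow store `db` and deny store `dbx` are sets of certificate names and SHA-256 image hashes, the cryptographic check of each embedded signature is assumed to have already passed, and the certificate names, file names and image bytes are constructed. The rule that any `dbx` hit rejects the image before `db` is consulted is an assumption modelled on how edk2's image verification behaves.

```python
"""Toy model of the UEFI Secure Boot allow/deny decision.

Hypothetical example for this page, not code from the thread or from any
firmware. It models only the policy step: an image carries one or more
embedded signatures, each naming its signer certificate; the firmware
consults the allow store `db` (certificates or image hashes) and the deny
store `dbx`. The cryptographic verification of each signature is assumed
to have already succeeded, so certificate names stand in for certificates.
The ordering (any dbx hit rejects before db is consulted) is an assumption
modelled on edk2's image verification.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Image:
    name: str
    body: bytes            # the PE binary (constructed bytes in this example)
    signers: list          # signer certificate names embedded in the image

    def sha256(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


@dataclass
class KeyStore:
    """db / dbx, each able to hold certificate entries and SHA-256 hash entries."""
    db_certs: set = field(default_factory=set)
    db_hashes: set = field(default_factory=set)
    dbx_certs: set = field(default_factory=set)
    dbx_hashes: set = field(default_factory=set)

    # Owner-side operations the thread argues about: add a key, retire a key.
    def enroll_cert(self, cert: str) -> None:
        self.db_certs.add(cert)

    def enroll_hash(self, image: Image) -> None:
        self.db_hashes.add(image.sha256())

    def revoke_cert(self, cert: str) -> None:
        self.dbx_certs.add(cert)

    def revoke_hash(self, image: Image) -> None:
        self.dbx_hashes.add(image.sha256())

    def verify(self, image: Image) -> tuple:
        """Return (accepted, reason) for a boot attempt of `image`."""
        digest = image.sha256()
        # Deny list wins: a forbidden hash or a forbidden signer rejects the
        # image even if another embedded signature would have been allowed.
        if digest in self.dbx_hashes:
            return False, "image hash is in dbx"
        for cert in image.signers:
            if cert in self.dbx_certs:
                return False, f"signer {cert} is in dbx"
        # Allow list: an explicit hash entry or any trusted signer admits it.
        if digest in self.db_hashes:
            return True, "image hash is in db"
        for cert in image.signers:
            if cert in self.db_certs:
                return True, f"signer {cert} is in db"
        return False, "no signer or hash entry in db"


def walk_through() -> list:
    """Replay the scenarios from the discussion; returns (label, decision) pairs."""
    store = KeyStore(db_certs={"OEM-Cert"})        # factory state: OEM key only
    # Constructed images; the second carries two embedded signatures.
    shim = Image("shim.efi", b"constructed shim bytes", ["OEM-Cert", "Distro-Cert"])
    livecd = Image("livecd.efi", b"constructed rescue loader", ["Distro-Cert"])
    unsigned = Image("custom.efi", b"constructed unsigned loader", [])
    steps = []
    steps.append(("factory shim", store.verify(shim)))
    steps.append(("rescue LiveCD before enrolment", store.verify(livecd)))
    store.enroll_cert("Distro-Cert")                 # owner adds the distro key
    steps.append(("rescue LiveCD after enrolment", store.verify(livecd)))
    store.enroll_hash(unsigned)                      # owner allows one exact binary by hash
    steps.append(("unsigned loader by hash", store.verify(unsigned)))
    store.revoke_cert("OEM-Cert")                    # OEM key breached: retire it
    steps.append(("shim after OEM key revoked", store.verify(shim)))
    return steps


if __name__ == "__main__":
    for label, (ok, why) in walk_through():
        print(f"{label:32} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The last scenario is the caveat worth noticing: once the OEM certificate is in `dbx`, the doubly-signed shim is rejected even though its second signer is trusted, because the deny store is consulted first. Adding a key and retiring a breached one are therefore separate operations with different consequences for already-installed loaders, which is why the thread's demand for owner access to both stores matters in practice.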