Linked by Thom Holwerda on Sat 29th Dec 2012 16:37 UTC
Linux It's sad that we need this, but alas - Matthew Garrett has made a list of Linux distributions that boot on Windows 8 PCs with Secure Boot enabled. Tellingly enough, the list is short. Very short. Can someone hack this nonsense into oblivion please?
Thread beginning with comment 546651
Validity period of signing keys ?
by Lennie on Sun 30th Dec 2012 11:52 UTC
Lennie Member since:
2007-09-22

So there is something I would like to know.

As "Secure boot" uses x509 certificates (SSL certificates like for HTTPS), what is the validity period of these keys?

Is it 5 years, 10 years? 15 years?

Because it sounds to me like when you start up your Windows 8 ARM device (no button to disable Secure Boot) in 15 years it might not boot anymore?

Turns out, it is 15 to 20 years:
http://blog.fpmurphy.com/2012/11/list-secure-boot-certificates.html

Will the BIOS/firmware check this?

So will your PC stop booting in the future?

Edited 2012-12-30 12:04 UTC

Reply Score: 5

saso Member since:
2007-04-18

http://blog.fpmurphy.com/2012/11/list-secure-boot-certificates.html

Will the BIOS/firmware check this?

So will your PC stop booting in the future?

Wow, this is a major fuckup and cause for serious concern. 15 year old working machines aren't all that rare - having this kind of time-bomb in them might very well prove to be a serious issue for businesses relying on UEFI secured systems.

Reply Parent Score: 3

Lennie Member since:
2007-09-22

This is gonna be another annoyance for the computer museum I'm sure.

(not to mention that the cloud services probably are all offline by then too ?)

Reply Parent Score: 4

WereCatf Member since:
2006-02-15

So there is something I would like to know.

As "Secure boot" uses x509 certificates (SSL certificates like for HTTPS), what is the validity period of these keys?

Is it 5 years, 10 years? 15 years?

Because it sounds to me like when you start up your Windows 8 ARM device (no button to disable Secure Boot) in 15 years it might not boot anymore?

Turns out, it is 15 to 20 years:
http://blog.fpmurphy.com/2012/11/list-secure-boot-certificates.html

Will the BIOS/firmware check this?

So will your PC stop booting in the future?


It's unlikely the UEFI BIOS will enforce the expiration date, simply because it does not have any way of validating the date in the settings unless it has Internet connectivity and can make an encrypted connection to a manufacturer-mandated clock source. If the BIOS just assumed that whatever the date is in the settings is correct, then it would be terribly simple for malware to render the device unbootable: just set the date to something past 2040 and reboot. Similarly, block access to the manufacturer-mandated clock source and adjust the date manually every now and then to bypass the expiration date -- the expiration method would be totally, completely ineffective.

Reply Parent Score: 4
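The question earlier in the thread (how long the signing certificates are valid) and WereCatf's point (an expiry date is only as good as the clock the verifier trusts) can be put side by side with OpenSSL. The following is an added example, not code from the thread, from the linked blog post, or from any firmware vendor: it builds a throwaway 20-year "platform CA" and a 5-year "bootloader signer" certificate (both constructed here, not the real Secure Boot db certificates), then verifies the same chain against different assumed clock readings. The function names verify_at, verify_ignoring_time and cert_end_date are this example's own.

```shell
#!/bin/sh
# Added example (not from the OSNews thread). Shows that an X.509 validity
# period is enforced by the verifier, relative to whatever clock it is fed:
# the same signature verifies or fails depending only on the assumed date.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A self-signed CA with a ~20-year lifetime (7300 days), in the same
#    range as the 15-20 years the thread quotes for real Secure Boot certs.
#    This is a constructed throwaway key, not a real platform CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 7300 \
  -subj "/CN=Example Platform CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. A leaf "bootloader signing" certificate issued by that CA, ~5 years.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Example Bootloader Signer" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1826 -out leaf.crt >/dev/null 2>&1

# cert_end_date FILE: print the notAfter field of a certificate.
cert_end_date() {
  openssl x509 -in "$1" -noout -enddate
}

# verify_at EPOCH: verify the chain as a firmware would if its clock read
# EPOCH (seconds since 1970). Exit status 0 = accepted, non-zero = rejected.
verify_at() {
  openssl verify -CAfile ca.crt -attime "$1" leaf.crt >/dev/null 2>&1
}

# verify_ignoring_time: verify the chain the way a firmware that does not
# trust its RTC at all would, i.e. signature and chain only, no date check.
verify_ignoring_time() {
  openssl verify -CAfile ca.crt -no_check_time leaf.crt >/dev/null 2>&1
}

# Stand-alone demo output.
echo "CA:   $(cert_end_date ca.crt)"
echo "Leaf: $(cert_end_date leaf.crt)"

now=$(date +%s)
for when in "$now" 0 3000000000; do
  # 0 = 1970 (clock reset), 3000000000 = year 2065 (clock pushed forward)
  if verify_at "$when"; then
    echo "clock=$when: chain accepted"
  else
    echo "clock=$when: chain REJECTED (validity period)"
  fi
done

if verify_ignoring_time; then
  echo "no date check: chain accepted regardless of clock"
fi
```

With the date checked, the chain is rejected both when the clock is reset to 1970 and when it is pushed out to 2065, which is exactly the "set the date past 2040 and reboot" failure WereCatf describes; with -no_check_time it is accepted whatever the clock says. A firmware that checks expiry therefore has to decide which clock to believe, and a firmware that does not check it never stops booting because of the date, only because of a revoked or replaced key.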

Lennie Member since:
2007-09-22

I can't check what it does, I have no intention of buying such a device.

But the OS, by default at least, would use the Internet to update the time every time it boots and even update the key database every so often.

If the manufacturer of an ARM device wants to be really sure that the time is correct, it would use the onboard GPS device to update the time every so often.

So every time the time gets updated it stops booting again.

Reply Parent Score: 3