Attacks on secure boot

This is interesting. It's obviously short on details so far, but it does highlight one weakness of secure boot. The security for secure boot is all rooted in the firmware - there's no external measurement to validate that everything functioned as expected. That means that if you can cause any trusted component to execute arbitrary code then you've won.

So, what reads arbitrary user data? The most obvious components are any driver that binds to user-controlled hardware, any filesystem driver that reads user-provided filesystems and any signed bootloader that reads user-configured data. A USB drive could potentially trigger a bug in the USB stack and run arbitrary code. A malformed FAT filesystem could potentially trigger a bug in the FAT driver and run arbitrary code. A malformed bootloader configuration file or kernel could potentially trigger a bug in the bootloader and run arbitrary code. It may even be possible to find bugs in the PE-COFF binary loader. And once you have the ability to run arbitrary code, you can replace all the EFI entry points and convince the OS that everything is fine anyway.

None of this should be surprising.
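As an added illustration (not code from the original post or from any firmware project), this is the kind of validation a FAT driver has to apply to a boot sector from user-supplied media before it uses any field as a divisor, index or size. The names `bpb_validate`, `bpb_sample` and the status enum are hypothetical, the sample sector is constructed, and the field offsets are the standard FAT BIOS Parameter Block layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian readers: never cast the untrusted buffer to a struct. */
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

enum bpb_status { BPB_OK = 0, BPB_SHORT, BPB_SIGNATURE, BPB_GEOMETRY, BPB_LAYOUT, BPB_DEVICE };

/* Validate a FAT boot sector read from removable media before any field is
 * used as a divisor, shift count, index or allocation size.
 * dev_bytes is the size the block layer reports for the device (assumed input). */
enum bpb_status bpb_validate(const uint8_t *sec, size_t len, uint64_t dev_bytes)
{
    if (sec == NULL || len < 512) return BPB_SHORT;
    if (sec[510] != 0x55 || sec[511] != 0xAA) return BPB_SIGNATURE;
    uint32_t bps      = rd16(sec + 11);  /* bytes per sector */
    uint32_t spc      = sec[13];         /* sectors per cluster */
    uint32_t reserved = rd16(sec + 14);  /* reserved sectors */
    uint32_t nfats    = sec[16];         /* number of FAT copies */
    uint32_t root_ent = rd16(sec + 17);  /* root directory entries */
    uint64_t total    = rd16(sec + 19) ? rd16(sec + 19) : rd32(sec + 32);
    uint64_t fatsz    = rd16(sec + 22) ? rd16(sec + 22) : rd32(sec + 36);

    /* Power-of-two checks also reject zero, so later divisions are safe. */
    if (bps < 512 || bps > 4096 || (bps & (bps - 1))) return BPB_GEOMETRY;
    if (spc == 0 || spc > 128 || (spc & (spc - 1))) return BPB_GEOMETRY;
    if (reserved == 0 || nfats == 0 || fatsz == 0 || total == 0) return BPB_GEOMETRY;

    /* 64-bit arithmetic: nfats * fatsz wraps in 32 bits with hostile values. */
    uint64_t root_secs = ((uint64_t)root_ent * 32 + bps - 1) / bps;
    uint64_t meta = reserved + (uint64_t)nfats * fatsz + root_secs;
    if (meta >= total) return BPB_LAYOUT;            /* no room for a data area */
    if (total * bps > dev_bytes) return BPB_DEVICE;  /* claims more than exists */
    return BPB_OK;
}

/* Constructed sample: a minimal, valid FAT16 boot sector for a 64 MiB device. */
void bpb_sample(uint8_t sec[512])
{
    memset(sec, 0, 512);
    sec[12] = 0x02;                 /* 512 bytes per sector */
    sec[13] = 4;  sec[14] = 1;      /* sectors per cluster, reserved sectors */
    sec[16] = 2;  sec[18] = 0x02;   /* two FATs, 512 root entries */
    sec[22] = 128; sec[34] = 0x02;  /* sectors per FAT; 131072 total sectors */
    sec[510] = 0x55; sec[511] = 0xAA;
}
```

Passing these checks only establishes that the header is self-consistent; every later cluster and directory offset derived from it still needs its own bounds check against the same limits.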



