[conspire] (forw) Re: [Felton LUG] Re: Oh boy, this doesn't look good...

Rick Moen rick at linuxmafia.com
Wed Jul 29 21:05:48 PDT 2020


Rod Smith's page may also be useful for people who _actually_ want for
some reason to do UEFI Secure Boot on Linux.
http://www.rodsbooks.com/efi-bootloaders/secureboot.html#preloader


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Wed, 29 Jul 2020 21:01:15 -0700
From: Rick Moen <rick at linuxmafia.com>
To: Felton LUG <felton-lug at googlegroups.com>
Subject: Re: [Felton LUG] Re: Oh boy, this doesn't look good...
Organization: If you lived here, you'd be $HOME already.

Quoting donald lillard (dlillard100 at gmail.com):

> Good article. Maybe the whole Linux community should look at this issue. 

Or at least the portion of the Linux community that doesn't know that
root can do root things.  ;->


SuSE says:

  Given the need for root access to the bootloader, the described
  attack appears to have limited relevance for most cloud computing,
  data center and personal device scenarios, unless these systems are
  already compromised by another known attack.  

In which case, you have bigger problems.

  However, it does create an exposure when untrusted users can access a 
  machine, e.g. bad actors in classified computing scenarios or computers 
  in public spaces operating in unattended kiosk mode. These are scenarios 
  which Secure Boot was intended to protect against.

In other words, situations where you specifically want to prevent root
from doing root things.

  SUSE has released fixed grub2 packages which close the BootHole
  vulnerability for all SUSE Linux products, and is releasing
  corresponding Linux kernel packages, cloud image and installation
  media updates. 

By implication, they coded a GRUB2 patch that checks a cryptographic
signature on grub.cfg .  (Also, guys?  Guys?  Bueller?  GRUB2 is hardly
the only bootloader in existence, not even counting only ones that
support UEFI Secure Boot, e.g., Linux Foundation's Secure Boot System,
https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/)


It should be added that, if you're concerned about what the root user
can do, there are many, many other harmful things someone with the root 
account can also do -- without the need to change the bootloader 
config.

I'm not actually convinced without strong evidence that a significant
number of Linux installations intentionally rely on Secure Boot in the
first place.


Frankly, I'm disappointed that this obvious clickbait is being
considered a 'good article'.


----- End forwarded message -----


