[conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...

Ruben Safir ruben at mrbrklyn.com
Wed Jul 29 21:38:26 PDT 2020 

> 
> GRUB2 is intended to implement & enforce SecureBoot on a system,
> if/where so configured.  But there's an (arguable) weakness, in that
> GRUB2 follows directives the superuser places into grub.cfg:  Modifying
> grub.cfg requires root privilege, but the news item's point is that a
> fully bulletproof SecureBoot configuration should by design be
> untouchable by the root user.
> 

Yeah, I don't want that.  I want the root user to be able to touch
anything.


> So, a bad actor or code running under the direction of a bad actor on a
> Linux system (yclept 'malware') could alter the system's boot
> configuration, because that is, by traditional Unix system design, a
> privilege of the root user.  Changing this overall situation would
> require some sort of modification to standard GRUB2 to make it check a
> crypto signature on grub.cfg and refuse to process it during bootup if
> the signature doesn't check out.  As it does not, at present.
> 
> The fact that the local root user can edit the contents of grub.cfg and
> GRUB2 will (thereupon) still regard it as valid is being named the
> 'BootHole vulnerability' by security firm Eclypsium.
> 
> 
> So, news flash:  Root can still do root things.  
> 
> To the extent that one is of the opinion that Secure Boot should
> crypto-validate every aspect of bootup, this is a problem to be solved.
> 
> Personally, I don't use SecureBoot, so the scope of its coverage doesn't
> especially matter to me.  But Views Differ[tm].
> 
> 

I consider Sercure Boot a vulnerabilitly by design

> ----- End forwarded message -----
> 
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013

More information about the conspire mailing list