[conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...

Ruben Safir ruben at mrbrklyn.com
Thu Jul 30 04:55:19 PDT 2020


On Wed, Jul 29, 2020 at 10:00:33PM -0700, Rick Moen wrote:
> Quoting Ruben Safir (ruben at mrbrklyn.com):
> 
> > Yeah, I don't want that.  I want the root user to be able to touch
> > anything.
> 
> Even if you did, this is basically just a clickbait article, like just
> about every article about security, and especially about Linux security,
> in a general-IT Web site or magazine.
> 
> 
> > I consider Secure Boot a vulnerability by design
> 
> You're entitled to your wrong view.  `;->
> 
> Crypto-signing and vetting the bootchain at startup time is an obvious
> win, per se, and I think the reasons are so self-evident that I'm not
> going to waste time detailing them.
> 
> It would be for obvious reasons a great deal better if anyone were to be
> able to wield the signing keys for UEFI Secure Boot instead of just
> Microsoft Corporation (so that is irksome).  That having been said,
> there are already-signed bootloaders that one can use where someone
> already got MSFT to sign it, and that's the case with Linux
> Foundation's, for example.
> 

I'm sorry, but it is not logical.  In the end you reach the same exact
function, with or without the crypto.  You can either have the boot
processes physically etched into the hardware, or you have to have a
trusted user to control the boot process.  Having crypto placed in the
boot flash just makes it more complicated to get to the same exact
functional endpoint, which is a human behind the keyboard controlling
the computer.

I have had, BTW, libre boot systems where the boot partition is
encrypted and I am functionally locked out of that computer because only
Leah Rowe can decrypt the fucking thing with grub at the boot loader in
the flash of the bios unable to decrypt the hard drives.  It is either
that or rip the chip out of the machine with a soldering iron and work
on it (no thanks).  There is no place for cryptography anywhere in
the boot chain unless you want to give control of your computer to
someone else.  That is my definition of insecure.  (And yes, I know this
is not the exact use case of secureboot.)

Maybe it wouldn't all be necessary if they didn't build an entire
functional OS into the UEFI boot loader.

I know we don't want to get sucked into a repeated flamewar on this
topic, so my apologies in advance.


-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013



