Hacker News new | ask | show | jobs
by mjg59 3963 days ago
No, the vulnerability is in the firmware doing nothing to ensure that the code it's executing is unmodified. This part of the attack isn't possible on systems that have UEFI Secure Boot enabled - once the option ROM is modified, the firmware will simply refuse to execute it.
2 comments
scintill76 3963 days ago
Does Apple's firmware support Secure Boot? I've always heard of it in connection with Windows 8+. If they support it, is it enabled by default? If either answer is "no", it seems like the Option ROM vuln is pretty severe for Macs.
link
Sanddancer 3963 days ago
It's neither enabled, nor supported on Apple machines. Apple's not using UEFI, they're using their own fork of EFI 1.10
link
sandGorgon 3963 days ago
question for you - Secure Boot basically screws up the ability to boot Linux OSes. From this article, it seems Secure Boot is a good thing.

How do you see this working out in the longer term - is there a Secure Boot alternative that allows freedom to boot Linux, yet protects against vulnerabilities like these ?

link
TheDong 3962 days ago
SecureBoot implementations often let a user, via some means, add additional keys that they trust.

Any user can simply create their own key, sign their own firmware, linux, and what have you with it, and then boot away.

Unfortunately, Microsoft mandates secure boot but doesn't require the feature of adding keys to be present... so the reality is a bit more grim.

The reality is that most distros have managed to get a signing key from microsoft (and those that haven't, there's a grub shim signed by such a key) that is included by default in microsoft certified secureboots. This has been working, but is not as ideal.

link
mjg59 3962 days ago
> Secure Boot basically screws up the ability to boot Linux OSes

Not really. The barrier to obtaining a signed bootloader isn't that large, and if you're unwilling or unable to do that you can use http://mjg59.dreamwidth.org/20303.html and just oblige your users to jump through an additional (easily documented) hoop. We had legitimate concerns over the impact of Secure Boot on free operating systems, and for the most part we were able to reach some reasonable solutions.

link
sandGorgon 3962 days ago
does the shim solution not lead to this exact same security problem ?
link
mjg59 3962 days ago
No. How would it?
link
abrowne 3963 days ago
Linux distributions can and do support Secure Boot. I know Fedora, Ubuntu, and OpenSUSE do. FreeBSD is planning[1].

[1]: https://wiki.freebsd.org/SecureBoot

link
josteink 3962 days ago
> Secure Boot basically screws up the ability to boot Linux OSes.

Funny. And here I thought I was secure booting Ubuntu already.

I think this issue was resolved 2 or 3 years ago.

link