by shawnz 2233 days ago
Does anyone know if anything similar is possible with Windows? I am interested in the idea of signing the bootloader with your own keys to prevent other system images from being used on the system. It seems like such a system would provide much better anti-theft guarantees than existing solutions like CompuTrace/Lojack.

Isn't that what Bitlocker and Secure Boot do essentially?

https://docs.microsoft.com/en-us/windows-hardware/design/dev...

In its typical configuration, Secure Boot can't provide any anti-theft guarantees because an attacker could just replace the contents of the disk with a new Windows installation and the workstation would be usable for them.

Secure Boot as it is configured by Windows only prevents malware from inserting itself into the boot process, since all Windows installations use the same signature. Bitlocker only prevents attackers from accessing the data on the disk, not from using the workstation in general.

Hmmm, is it theoretically possible to sign the Windows bootloader (?) with your own custom keys to ensure that someone couldn't just fire up a stock Windows image? Though I'm not sure what sort of management challenges that would present if Microsoft ever decided to update their bootloader.

Looking at the Microsoft documentation, doing this with Secure Boot could be pretty complicated: https://docs.microsoft.com/en-us/windows-hardware/drivers/br...

I haven't tested personally but this seems to suggest that you can't re-sign the bootloader: https://docs.microsoft.com/en-us/previous-versions/windows/i...

> "Windows boot components: BootMgr, WinLoad, Windows Kernel Startup. Windows boot components verify the signature on each component. Any non-trusted components will not be loaded and instead will trigger Secure Boot remediation."

Plus, you would need to add some kind of check to verify that it's actually booting your image, or else the attacker could just copy your bootloader files.

> In its typical configuration, Secure Boot can't provide any anti-theft guarantees because an attacker could just replace the contents of the disk with a new Windows installation and the workstation would be usable for them.

What's preventing an attacker from resetting the Secure Boot settings? You'd need some sort of activation scheme like on iOS.

You can usually lock the whole system with a boot password. In the case where the attacker replaces the whole disk, or whole disk image with another Windows image, you can also add your own keys and sign the image or individual boot files.
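Two points in the thread above hinge on what is actually enrolled in the Secure Boot `db`: the comment that stock Secure Boot trusts the same Microsoft signature on every Windows install, and the last reply that you can add your own keys instead. The obvious practitioner check is to dump `db` and see whose entries it holds. The following is an added example, not code from the thread or from Microsoft: a Python parser for the UEFI `EFI_SIGNATURE_LIST` format that `db`, `dbx` and `KEK` use, plus a check for entries not owned by you. It assumes you feed it the raw variable bytes (on Windows `(Get-SecureBootUEFI -Name db).Bytes`, on Linux the efivarfs file minus its 4-byte attribute prefix). The Microsoft `SignatureOwner` GUID constant is taken from memory of Microsoft's Secure Boot key documentation and should be treated as an assumption to verify; the sample `db` at the bottom is constructed for the demo and its "certificate" is placeholder bytes, not a real DER certificate.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# SignatureOwner GUID Microsoft uses for the entries it ships in db/KEK
# (assumption from memory of Microsoft's Secure Boot key docs; verify on a real machine).
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

HEADER_LEN = 28  # 16-byte GUID + three UINT32 fields


def guid_from_le(raw):
    """EFI_GUID fields are stored little-endian; uuid handles that via bytes_le."""
    return uuid.UUID(bytes_le=bytes(raw))


def parse_signature_lists(data):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (the raw value of
    db, dbx or KEK) and return one dict per EFI_SIGNATURE_DATA entry:
    {"type": "x509" | "sha256" | <guid string>, "owner": UUID, "data": bytes}."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = guid_from_le(data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body_start = off + HEADER_LEN + hdr_size
        body_end = off + list_size
        # Bounds checks: a malformed list must not make us read past the buffer
        # or loop forever on a zero-sized entry.
        if list_size < HEADER_LEN + hdr_size or body_end > len(data):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size < 16 or (body_end - body_start) % sig_size != 0:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        for i in range(body_start, body_end, sig_size):
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": guid_from_le(data[i:i + 16]),
                "data": bytes(data[i + 16:i + sig_size]),
            })
        off = body_end
    return entries


def build_signature_list(sig_type, owner, signatures):
    """Serialise one EFI_SIGNATURE_LIST with an empty SignatureHeader. Every
    signature in a list must have the same length, which is why real db values
    carry one list per X.509 certificate."""
    sig_len = len(signatures[0])
    if any(len(s) != sig_len for s in signatures):
        raise ValueError("all signatures in one list must be the same size")
    sig_size = 16 + sig_len
    list_size = HEADER_LEN + sig_size * len(signatures)
    out = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for s in signatures:
        out += owner.bytes_le + s
    return out


def entries_not_owned_by(entries, my_owner):
    """The check the thread is after: after enrolling your own keys, does db
    still trust anything you did not put there (e.g. the stock Microsoft CAs)?"""
    return [e for e in entries if e["owner"] != my_owner]


def read_efivar(path):
    """Read a Secure Boot variable from Linux efivarfs, which prefixes the value
    with a 4-byte attributes word. On Windows use
    (Get-SecureBootUEFI -Name db).Bytes instead and pass the bytes directly."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample db (not captured from a real machine): a stock-looking X.509
# entry owned by Microsoft plus two SHA-256 allow-list hashes owned by us.
# FAKE_CERT is placeholder bytes, not a real DER certificate.
MY_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT = b"\x30\x82" + b"\x00" * 30
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, [FAKE_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, MY_OWNER_GUID, [b"\xaa" * 32, b"\xbb" * 32])
)

if __name__ == "__main__":
    parsed = parse_signature_lists(SAMPLE_DB)
    for e in parsed:
        print(e["type"], e["owner"], e["data"][:8].hex())
    print("entries not owned by us:", len(entries_not_owned_by(parsed, MY_OWNER_GUID)))
```

On a real machine the X.509 entries are DER certificates; to get the subject names, hand `e["data"]` to your usual certificate tooling. A `db` that still lists an entry under the Microsoft owner GUID is the "typical configuration" the thread describes, where any stock Windows image will boot.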