[drhagen]

> To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.

Am I correct that Secure Boot purely exists to prevent this attack vector: malware gets root on the OS, hardware allows updating firmware via OS now owned by malware, but Secure Boot means you have to wipe only the hard drive instead of the firmware to eliminate the malware.

It seems like it would be a lot simpler and more reliable to add a button to motherboards that resets the firmware to the factory version (on memory that can't be written by a malicious OS).

[acdha]

Also things around physical access: if you steal my laptop, FDE prevents you from getting my data immediately but if you install malware which takes over the boot process, you get that data as soon as I type in my password.

If the process changes so the hardware only loads signed firmware, which only loads a signed boot loader, which only loads a signed kernel, etc. that avenue of attack is closed. It also makes it possible to trust a used computer.

The problem is that other than Apple nobody has really been committed to doing it well - it’s begrudging lowest-bidder compliance and clearly not something many vendors are taking pride in.

[amluto]

Secure Boot with factory keys has never prevented this attack, by design. You can take a valid, signed OS image from your favorite vendor (Microsoft, Red Hat, whatever), write some userspace code for it that asks for a passphrase and looks exactly like the legitimate paraphrase prompt, and configure the boot order to boot to it. It will pass the Secure Boot checks because it is completely valid. Secure Boot, as configured by default, never had userspace verification as a design goal.

There are at least two solutions:

1. Deploy your own Secure Boot keys and protect them with a firmware password whatever mechanism your particular system has to lock down Secure Boot settings.

2. Use TPM-based security so that even knowing the passphrase doesn’t unlock FDE unless the PCRs are correct.

#1 is a bit of a pain. #2 is a huge pain because getting PCR rules right is somewhere between miserable and impossible, especially if you don’t want to accidentally lock yourself out when you update firmware or your OS image.

Of course, people break PCR-based security on a somewhat regular basis, so maybe you want #1 and #2.

[patrakov]

#2 is also something that a security expert needs to audit, so that booting an extracted stock recovery ISO (which has the kernel signed by the same keys as the real system) does NOT unlock the FDE.

https://discussion.fedoraproject.org/t/issue-with-automatic-...

[amluto]

Right. But this gives a really nasty dilemma:

First, you need a recovery image to be rejected by the TPM rules.

Second, you need an updated image that you prepare yourself, or that the distro prepares, etc, that will respect your security goals (e.g. does not allow you to boot it and copy files off) to be accepted.

Maybe a mainstream distro could distribute a UKI that will unlock a disk and run that disk’s userspace with no safe mode, recovery mode, etc without a password, but I’ve never seen such a thing.

[sillywalk]

> other than Apple nobody has really been committed to doing it well

I believe Chromebooks also do this fairly well.

[acdha]

Good point. I was thinking “PC” as opposed to phones but those totally count.

[from-nibly]

Chromebooks aren't phones.

[acdha]

Yes, hence my agreement with sillywalk. In my original comment I was thinking of the category of PC-like things which are more geared towards work and phones which are more limited.

Phones don’t have as much contrast because there are several vendors approaching Apple’s level of security, whereas on the classic PC side it’s just a mess. ChromeOS is an excellent addition to the comparison since it’s more locked down than a PC but still productive for many workers and really shows that the problem is coordination. Google cares about security and their ChromeOS devices are more secure than most PCs despite having a lot in common because they don’t leave it to the whims of the hardware vendor.

[1oooqooq]

Big phone.

[megous]

> It also makes it possible to trust a used computer.

Thankfully all this complexity is not the only thing that allows to trust a used computer. There are other options, like not having a modifiable SW (that is SW not stored in non-replaceable ROM) run prior to handing off control to bootloader loaded from external media.

[vbezhenar]

> Also things around physical access: if you steal my laptop, FDE prevents you from getting my data immediately but if you install malware which takes over the boot process, you get that data as soon as I type in my password.

There's still simple vector of attack by installing hardware keylogger to the keyboard wires.

[m463]

Do enterprise vendors like dell do it well enough to meet corporate requirements?

[out-of-ideas]

do folks in the business really simply steal a laptop and try to pull all data? or do they steal the laptop and wipe it and flip it... if they wanted your data wouldnt they steal you, the human, too ?

the signing method only offers buying more time before the innevitable data is "breached" by a theat actor - its the same buying-time for any and all encryption. the system can get too complex, and the underlying problems of humans will always exist (and amplified by more points of failure).. (accidents, data breaches, exploits, ect). the system needs to be immutable, but also mutable at the same time (for updates, ect) - and thats not exactly something easy to accomplish.

and with apple.. they try yes, but it is forever a walled garden. we've already seen their secure enclave bloatloader shinanigans get exploited on phones- and it was not fun for those people where their phones were compromised. apple suffer from us humans, too (we will never be perfect, nor will our software)

[acdha]

> do folks in the business really simply steal a laptop and try to pull all data? or do they steal the laptop and wipe it and flip it... if they wanted your data wouldnt they steal you, the human, too ?

Governments definitely worry about it, and I’d be shocked if e.g. banks didn’t also put it into requirements. Access can be temporary, too: imagine if you get 15 minute alone in someone’s office or they have a kiosk in the lobby, etc. – not enough time to open the case up but plenty to toss a USB drive in and reboot. Repeat for lost devices or scenarios like the KnowBe4 attack disclosed yesterday where some dude might not be able to explain cracking the case open.

> the signing method only offers buying more time before the innevitable data is "breached" by a theat actor - its the same buying-time for any and all encryption.

You have to think about cost, too. It appears to be safe to buy a used Mac because Apple employs competent cryptographic engineers and very few targets are worth involving a lab with truly serious hardware. This could be the case on the PC side too, but it’s undercut by vendors skimping on execution and until Secure Boot is pervasive and robust, nobody can easily tell whether hardware they’ve lost control of can be trusted. People have been getting malware on used computers for years and a trusted boot process makes it easier both to tell if that’s happened and to be confident that you’ve fully wiped a system.

[out-of-ideas]

i only chose those questions as to pick on the concept of "stealing a laptop" - its more the hypothecial use case where majority of users, given the "my laptop got stolen" will never see their system again. folks in the business of stealing a laptop will resell it if they can - a laptop in a random car in SF.. sounds real profitiable to try to decrypt some aes 2tb data for a cat pic); secure boot has not guarnteed a password to access the bios in my experiences - and not all bios are created equal. just makes it harder for data on the drive to be accessed (and certainly prevents my neighbor from putting a rootkit in my bootloader)

of course govts worry about data loss - and implanted root-kits; yes we want to prevent those but my point is there are many steps along the path where the complexity can get out hand, and every added step to a system is another step of potential failure - and anything we invent will be vurnerable to human mistakes/errors/ect (like we've literally seen). the problem is the firmware is mutable, the os is mutable, ect ect. the signed stages are a bandaide (not that im smart enough to solve the problem) and it's a matter of time before something like a cert leak happens (again). its funny too because we worry about 1000's of folks computers having a rootkit (that needs physical access when things like my-pc-looks-tampered-with are not considered), and then we let location data be gathered by literally every company, hmmm

the scenario where 15 min alone in somebodys office, (this made me laugh actually - theres a countless amount of what-ifs): a company with any kind of compliance should never let an untrusted person be alone (especially with access to a computer); a smaller company, surly we'd assume would be less of a target, but not a guarntee - but thats also why all companies should not leave their vaults with raw cash open for any to access.

as far as used systems going; folks will always fall victim for that which they do not know. for a newly owned computer a user should be fresh installing the firmware and OS. but convience has folks trained to plug-and-play with 0 downtime, 0 setup, 0 knowledge of options. apple, of course, that cannot be done on the same level as my non-apple system is done. and from what i remember, apple folks need to have proof of reciept for a used-sale, and even then can still get trolled on a used-sale with the find-my-mac lockout - maybe its improved nowaday; i'll simply pass and rather buy new (not that im supporting apple)

[j16sdiz]

> a company with any kind of compliance should never let an untrusted person be alone ..

Trust could be misplaced.

[A4ET8a8uTh0]

<< if they wanted your data wouldnt they steal you, the human, too ?

As chilling as it may be to explore this line of thought, I think there are real, pragmatic considerations that make 'stealing' humans along with laptops less than ideal. Laptops get damaged, lost and so on all the time. Missing laptop raises some, but minimal suspicion and attention. Now, with a human missing, whoever did the deed, will likely have a difficult time moving around assuming LEOs in the area are competent.

[1oooqooq]

there's a literal market to clone device data. you don't even have to steal them.

in the 90s Israeli celebright made millions of govt procurement for ...i forgot the acronyms. but basically devices where you plug a phone and it copies all contacts and messages.

[tripflag]

The case you're outlining (an uefi rootkit) is pretty much the worst case; assuming you get infected by some malware which decides to install a malicious firmware (BIOS update), then pretty much nothing is getting in the way of that.

What secureboot is designed to prevent is malicious changes to the OS bootloader (a conventional rootkit), which is usually shimx64.efi or grubx64.efi on linux/dualboot machines, or bootmgfw.efi on windows. Secureboot checks the signature of .efi files before they're allowed to run during boot, ensuring they were signed by one of the trusted keys. And unless you've made changes to your secureboot config, that means microsoft and/or the hardware vendor.

[amluto]

I think “UEFI rootkit” usually refers to a malicious .efi file installed in the ESP. An actual firmware rootkit, installed on the flash chip, can likely bypass Secure Boot entirely, and may well be able to bypass TPM protections as well.

[gizmo686]

It is possible to use Secure Boot as part of a fully verified bootchain. The firmware verified the bootloader. The bootloader verifies the kernel (and kernel arguments, and ramdisk...), the kernel verified all executables. Userspace programs verify critical data files.

There are systems out there that do this, and having something like Secure Boot is essential to their design (as is measured boot, which is the main mechanism TPMs leverage).

However, this solution is utterly unworkable for the personal computer market. Instead, we have a bunch of general purpose kernels signed to run on any computer, but which are willing to run any userspace you through at them.

[Terr_]

I'm having strange nostalgic flashbacks the '90s where I kept wondering why nobody offered a hard drive with a physical read-only toggle button. (Mounted to the front of the 5.25 inch bay in a tower chassis, as was the style of the time.)

Obviously you need some read+write storage elsewhere on the same computer, but you could reliably freeze large chunks of stuff in a way that would be impervious to viruses or hackers.

[drhagen]

I remember USB drives in the '00s that had a read-only toggle. They were useful for rescuing machines that had a virus.

Edit: A quick search reveals that, of course, you can still buy them today. I have not felt a need for one in ages.

[Hizonner]

I strongly suspect that most or all of the modern "hardware" write-protect switches are actually just suggestions to the drive firmware. Which may very well itself be modifiable.

[Gormo]

I can't imagine how it would be possible to do it any other way for a flash storage device.

A mechanical hard drive could at least theoretically have a physical lock attached to the drive head which prevents it from approaching the platters if it is engaged.

[Scoundreller]

Flash storage requires high voltage to do an erase (which needs to precede a write operation).

Back in the EPROM days, that was easy, just don’t supply 25V or whatever.

Modern flash still needs those high voltages but generates it on-chip via charge pumps. If your read-only switch physically disconnected the charge pumps, you would have read-only flash.

[schmidtleonard]

Writing flash takes (relatively) high voltage and the voltage boosting circuitry could be routed through a switch. It generally isn't, and the voltage converter is often an on-chip charge pump so this wouldn't be an easy retrofit, but the current state of affairs is due entirely to lack of interest rather than lack of possibility.

[upwardbound]

Do those charge pumps use external capacitors? If so, you could disconnect/float those capacitors, or if that would damage or glitch the chip, you could replace the real capacitors with some circuit like a voltage regulator + diode that would be designed to provide the charge pump output rail with a voltage that's high enough not to glitch the chip but low enough to be unsuccessful in writing to the flash. Would one of those ideas work, and allow the retrofit you envision to be designed with existing flash memory silicon + a few additional components?

[Scoundreller]

Isn’t it really only the erase that requires high voltage? So with a blank flash chip, without higher voltages, you could write to it to your heart’s content until you need to free up deleted content?

Edit: I think I’m wrong here and high voltage is needed for both.

[edwcross]

For years, Dell laptops came with a USB key containing drivers, a sort of "rescue boot disk". I once tried using them as a normal pen drive, but then realized they were read-only.

If there is a way to make them writable via software, that would be very interesting (and dangerous).

[Hizonner]

Erm. The read head and the write head in a magnetic drive are the same head. You can't keep the head away from the surface if you want to read the disk. But you can disable power to the driver that puts write current into the head.

... and you could absolutely build similar functionality into a flash chip. But most likely you can't actually buy such chips, at least not with any real capacity.

[mypalmike]

There are multi-actuator hard drives out there. I don't know if any of them separate read heads from write heads, but it would certainly seem possible for such a drive to exist.

[commercialnix]

This is the way a smart person looks at write-protect switches.

[Terr_]

Hmmm, I would absolutely buy one of those if it also had a hardened case and a firm connection point for my real-world keychain. The use-case is a "my house burned down what next" backup, password-manager stuff and other details I might need before/without accessing any cloud-backup services.

I may need to read some of its files on a not-very trusted device, and I don't want to risk that device also tampering/trojan'ing other files, like backup copies of the software needed to decrypt the data files.

A simpler scenario might be a USB stick that I use for carrying files to be printed at the local library.

[GuB-42]

I have one of these as a boot disk (Medicat) for this exact reason.

Also because some of the software included in Medicat is flagged by some anti-virus software and I don't want them removed.

[CableNinja]

There were things like this, but it was more to prevent accidental writes. Some of the old 10" drives had a write enable toggle.

[bitwize]

Secure Boot is the first component in a verified boot chain from initial power-on to application level code. Signed, verified firmware boots signed, verified kernel with strict authenticity and integrity guarantees. The goal is, presumably, to attest to the authenticity and integrity of everything the system runs, but when it comes to kernel modules and device drivers, userland OS components, and applications, those are the kernel's responsibility. But Secure Boot is an essential link in this chain.

[judge2020]

That sounds correct, but even the savviest of users might not be aware they have malware installed when they decide to re-install windows. If cleaning malware requires pressing a button on the MOBO then I can imagine only a single-digit percentage of users will actually click it.

[Dylan16807]

If they're not worried about malware, and there is some, then they'd probably get reinfected by their data anyway.

[awaythrow999]

Immediately gets slapped over the head by the requirement: "preventing downgrade to a vulnerable version" (which would be just a matter of enough time passing)

[antifa]

And by "vulnerable version" they mean the version before they added ads to the boot screen.

[sim7c00]

it protects against boot and early boot attacks. thia includes bootkits but also early drivers such as AV drivers and others which protect the system further. if you dont have it, any security can be compromised before its active. via different methods.

[tedunangst]

How do you determine when to push the button?

[bluescrn]

Instead, write-protect the firmware by default, and require the user to press a physical button on the back of the PC to write-enable it (for a limited duration/until the next reboot)

[Dylan16807]

Any time you're reinstalling the OS and suspect the old OS had malware.

Or if you want to make it simpler, any time you're reinstalling the OS.

[jtbayly]

Once a day ought to do…