Guido Stepken on Linux UEFI TPM 2.0 backdoors

Guido Stepken has a Google+ post from September (which I didn’t notice back then), and the SecNewsBot on Twitter just posted this like it is news. Well, it is news to me. 😦

Linux UEFI TPM 2.0 security impacts:
The “security chain” begins with one or more TPM 2.0 “Endorsement Keys” (EK), that are stored on the motherboard and that cannot be overwritten without “allowance” by either the owner (hardware manufacturer) or somebody, that is “higher” in key hierarchy, such as Microsoft or U.S. government authorities. Key Exchange Keys (KEK) establish a trust relationship between the operating system and the platform firmware. Each operating system (and potentially each 3rd party application, that needs to communicate with platform firmware) enrolls a public key (KEKpub) into the platform firmware. When your hardware comes “Windows Certified”, the “Endorsement Key” already is initialized, is signed by Microsoft and U.S. authorities. “Windows certified” here automatically means “NSA backdoor” included and activated in all encryption modules. Hardware encryption on newer INTEL Xeon machines, at boot, load those key rings from UEFI tables into processor buffer. From then on, the CPU hardware encrypts everything with Microsoft and U.S. authorities keys being enclosed in the key ring, independent of used operating system! […]

Full article:

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s