Uncategorized

Matthew on improving UEFI Secure Boot on Linux with TPMs

http://mjg59.dreamwidth.org/48897.html


Debian signed Shim

Secure Boot chain-loading bootloader (Microsoft-signed binary)

This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or against a built-in signature database. Its purpose is to allow a small, infrequently-changing binary to be signed by the UEFI CA, while allowing an OS distributor to revision their main bootloader independently of the CA. This package contains the version of the bootloader binary signed by the Microsoft UEFI CA.

https://packages.debian.org/sid/main/shim-signed

https://wiki.debian.org/SecureBoot


Peter Jones on Secure Boot failures and mitigations

I just now came across a blog post written by Peter Jones LAST MONTH on those “Microsoft Secure Boot Golden Key” news reports, and it is worth reading. Peter owns the Linux shim, so he knows a bit about UEFI’s boot process.

https://blog.uncooperative.org/blog/2016/08/18/secure-boot-failures-and-mitigation/

Especially because I’ve had nearly nothing useful on this blog in these posts:

https://firmwaresecurity.com/2016/08/18/more-on-microsoft-uefi-secure-boot-golden-key-news/

https://firmwaresecurity.com/2016/08/11/microsoft-uefi-secure-boot-key-problem/

Also note other articles in Peter’s blog: he makes regular canary posts about the state of his Shim code. I wish all of the boot/firmware code required all contributors to have canaries!


Ubuntu Secure Boot concerns

David Hartsock has a blog post on the state of Ubuntu Secure Boot for those who have not been paying attention to things:

Ubuntu Secure Boot Threatens All PCs

We’re all doomed! Scary, right? Well, maybe, but I should explain a bit first. […]


GRUB with Trusted Boot for TPM v1 or v2

This is from September; I only just noticed it. 😦

Matthew Garrett has updated the GRUB bootloader with support for Trusted Boot, on TPM v1 or v2 systems!

In a follow-up to the above tweet, Matthew also states:

“I need to add equivalent code to Shim now lucky me”

https://github.com/mjg59/grub

So I need to check if that happened, and if Debian and other distros are using this version of GRUB and Shim…

I wish somebody (Wikipedia, the Linux Foundation, the Linux kernel security wiki, the UEFI Forum, etc.) were tracking the various hardware/firmware security features of various vendors, and what system components (grub and shim in this case) had support for the various technologies, with a table of red/green boxes. Then we could more easily see things like tboot only supporting BIOS and not UEFI, etc.
