Linux Secure Boot Exploits

[Ed P]

Iirc at some point when secure boot was being released an MM Forumite commented that one day someone was bound to find exploits in UEFI that would result in a capability for undetectable exploits. Well that day arrived for Linux a few months ago, and it looks as though it may take time to eradicate Linux’s problems with Secure Boot.

I hasten to add that this is not due to any lack of ability on the part of Linux coders, but with the logistical problems of blacklisting a large number of existing Linux Servers wrt their current booting systems. All this is compounded by Microsoft having the responsibility for holding and potentially blacklisting existing UEFI keys..

This Debian Blog covers all the background and reveals why fixing problems can sometimes be both time-consuming and complicated.

[Wheels-Of-Fire]

A note about UEFI keys. The authorisation of certifying authorities is actually handled by the UEFI forum rather than Microsoft. The problem is that the UEFI writers or the system OEM must hard code the root certificate of a certificate authority into the UEFI firmware in order for its signatures to be valid. Many manufacturers only choose to encode the Microsoft root key so only Microsoft can sign code that runs in UEFI mode on those systems.

[Ed P]

While what you wrote is completely accurate, I think that you would be hard-pressed to find a server that is Linux boiler-plated throughout. If you trawl the web every result that I found seems to start off with assuming hardware containing a M$ UEFI which you then modify to get your own set of Linux keys. Even Redhat goes that way, though it does use PXE boot servers too (very remotely like a Windows PE setup).

[Author]

Posts