Questions tagged [secure-boot]

40 questions
14
votes
6 answers

What's stopping someone from copying my HDD/SSD?

Let's say I have to leave my computer unattended and turned off for a while with some strangers, is it possible for someone to clone my HDD and SSD data?
Gem
  • 265
  • 2
  • 4
7
votes
2 answers

Is it possible to make a laptop useless to thieves?

I was robbed... That included my Linux notebook and my company's notebook. Both are encrypted. Mine is encrypted with LVM over LUKS, using a passphrase to unlock the hard drive once the kernel has been started by the UEFI. But Secure Boot was…
Cilyan
  • 183
  • 6
3
votes
1 answer

Secure boot after an OTA update confusion

My understanding is that secure boot works by verifying each stage in the boot process before proceeding. So first, UEFI or booting firmware will validate the signature of the bootloader, then kernel, applications etc. before loading. When an OTA…
Engineer999
  • 257
  • 1
  • 8
2
votes
1 answer

How do you boot from the network using https?

How do you boot a Linux live image from a CDN using Https as boot protocol? The reason for netbooting using a CDN would be to start fresh with a non persistent operating system image. Booting fresh via the network should make it harder to persist…
Christian
  • 265
  • 1
  • 3
2
votes
0 answers

How to prevent grub.cfg from breaking the chain of trust?

First some definitions and common understanding. The premise of secure boot is that each binary get's verified before it is loaded. This starts with the firmware in ROM verifying the EFI application. For the case of a Linux boot that EFI…
2
votes
2 answers

Secure boot for devices which don't have hardware security element

I understand that Root of Trust is necessary for implementing a secure boot on a device. Root of Trust is strong and trust worthy if this comes from hardware security elements like HSM/TPM/.. So for devices which are not having hardware security…
2
votes
1 answer

Understanding Secure Boot

I'm trying to understand the secure boot process of an OS but there are few points I can't wrap my head around. At a high level, afaik, secure boot ensures that the loaded OS is authenticated by its respective vendor. If an adversary modifies the OS…
2
votes
3 answers

How much of the system is secure boot going to cover?

Background: We're developing for a Debian 9.8 system on an x86, but most of us here are more used to dealing with embedded devices. according to wikipedia, secure boot can "secure the boot process by preventing the loading of drivers or OS loaders…
2
votes
1 answer

Secure Boot - Usage of blacklist DB

I have been reading up on the details of Secure Boot, in particular the authorized and forbidden databases: Before enabling UEFI Secure Boot (by setting the PK) the white and black lists DB & DBX must be set up with authorized and forbidden…
Nubcake
  • 135
  • 5
1
vote
0 answers

How hard is it to modify UEFI nvram if the device is off and the UEFI is locked?

This assumes that: Machine is powered off No UEFI backdoors No Reflashing the firmware No clearing the NVRAM (The point is to modify/read a small amount of NVRAM, instead of resetting it) Device requires password to POST (Enforced by…
1
vote
1 answer

Is it possible to allow only a certain secure USB boot media to boot an UEFI system?

I want to restrict all USB boot media from my system, except for a certain USB boot drive that I declare secure via a certain key. Is this possible using UEFI/Secure Boot/TPM? Maybe via TPM? TPM gets a private key and checks if public key on USB…
JohnnyFromBF
  • 1,413
  • 4
  • 16
  • 23
1
vote
2 answers

TPM Endorsement Key usage in secure and trusted boot

Taking into account a Root of Trust in a device using a TPM. My understanding is that the bootloader, firmware, operating system, applications etc. are all verified on startup by validating signatures with the vendors public key. The TPM Endorsement…
Engineer999
  • 257
  • 1
  • 8
1
vote
0 answers

Is grub implementation of secure boot inherently flawed?

Definitions Grub is the second stage bootloader often found in Linux distributions. shim is the first bootloader ran by the ROM firmware. It is signed by Microsoft. ROM firmware is the code embedded in the hardware which implements the UEFI…
1
vote
0 answers

Is it possible for malware to overwrite UEFI code when installing an operating system?

If the ISO file for an operating system is malicious, is it possible for it to overwrite UEFI code when booted (If secure boot is disabled)?
1
vote
0 answers

Security implications of automatic signing of kernel modules on Debian/Ubuntu (like VirtualBox does)

In the past, to install VirtualBox on Debian/Ubuntu you needed to sign some kernel modules, otherwise it would not work. The process involved creating a key pair, importing the public key as a MOK (Machine Owner Key) in the firmware, signing the…
reed
  • 15,398
  • 6
  • 43
  • 64
1
2 3