OpenBSD - UEFI Secure Boot

OpenBSD - UEFI Secure Boot

llemikebyw@aol.com
Dear <Your name should be here ;-) >,

I have been considering the implications for BSD and
Linux and any non-MS O/S of the implementation of UEFI
Secure Boot (SB).

As I understand it, ARM devices wishing to receive Win8 cert
are required to enable SB by default and prevent the disabling
of SB.

Meanwhile, x86 devices are supposed to ship with SB enabled
but allow disabling...

For some commentators, the x86 situation has been presented
as MS leaving a back-door for other OSes such as BSD or Linux
etc. i.e. "Don't worry about it"

I think it is, in fact, that MS is seeking to temporarily provide a
back-door for Win XP, Vista and Win7.

As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014)
MS will slowly relax the UEFI SB specification such that the ability to
disable SB will gradually disappear from x86-based devices.

I am surprised that there is so little discussion of this developing
situation on BSD and/or Linux lists because for me, the red lights
are flashing, all bells and hooters are sounding,
"We gotta get out of here!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

We are potentially talking about the end of BSD (or Linux...) on x86
hardware.

Am I overly pessimistic? Have I missed something?

OR

Am I Jeremiah shouting "There's a flood coming! There's a f******
flood coming, PEOPLE!" while everybody else is roasting sausages
on their barbecues?

Mike

Re: OpenBSD - UEFI Secure Boot

Theo de Raadt
Be realistic.  Talking about it on misc won't change anything.

>Dear <Your name should be here ;-) >,
>
>I have been considering the implications for BSD and
>Linux and any non-MS O/S of the implementation of UEFI
>Secure Boot (SB).
>
>As I understand it, ARM devices wishing to receive Win8 cert
>are required to enable SB by default and prevent the disabling
>of SB.
>
>Meanwhile, x86 devices are supposed to ship with SB enabled
>but allow disabling...
>
>For some commentators, the x86 situation has been presented
>as MS leaving a back-door for other OSes such as BSD or Linux
>etc. i.e. "Don't worry about it"
>
>I think it is, in fact, that MS is seeking to temporarily provide a
>back-door for Win XP, Vista and Win7.
>
>As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014)
>MS will slowly relax the UEFI SB specification such that the ability to
>disable SB will gradually disappear from x86-based devices.
>
>I am surprised that there is so little discussion of this developing
>situation on BSD and/or Linux lists because for me, the red lights
>are flashing, all bells and hooters are sounding,
>"We gotta get out of here!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
>
>We are potentially talking about the end of BSD (or Linux...) on x86
>hardware.
>
>Am I overly pessimistic? Have I missed something?
>
>OR
>
>Am I Jeremiah shouting "There's a flood coming! There's a f******
>flood coming, PEOPLE!" while everybody else is roasting sausages
>on their barbecues?
>
>Mike

Re: OpenBSD - UEFI Secure Boot

llemikebyw@aol.com
T,

AHHHHHHHH!! Oh Yes....
I see what you are doing...

Ah-hahaha, Yes - I agree
Talk is so much puff...

We need to DO...

Time to work on CoreBoot or our own (who else will
do it?) aftermarket BIOS solutions...

Mike's plan:
1) Get EPROM programmer with PLCC adaptor
2) Get surface mount torch
3) Take over the world...

Mike


On 07/07/12 16:05, Theo de Raadt wrote:

> Be realistic.  Talking about it on misc won't change anything.
>
>> Dear <Your name should be here ;-) >,
>>
>> I have been considering the implications for BSD and
>> Linux and any non-MS O/S of the implementation of UEFI
>> Secure Boot (SB).
>>
>> As I understand it, ARM devices wishing to receive Win8 cert
>> are required to enable SB by default and prevent the disabling
>> of SB.
>>
>> Meanwhile, x86 devices are supposed to ship with SB enabled
>> but allow disabling...
>>
>> For some commentators, the x86 situation has been presented
>> as MS leaving a back-door for other OSes such as BSD or Linux
>> etc. i.e. "Don't worry about it"
>>
>> I think it is, in fact, that MS is seeking to temporarily provide a
>> back-door for Win XP, Vista and Win7.
>>
>> As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014)
>> MS will slowly relax the UEFI SB specification such that the ability to
>> disable SB will gradually disappear from x86-based devices.
>>
>> I am surprised that there is so little discussion of this developing
>> situation on BSD and/or Linux lists because for me, the red lights
>> are flashing, all bells and hooters are sounding,
>> "We gotta get out of here!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
>>
>> We are potentially talking about the end of BSD (or Linux...) on x86
>> hardware.
>>
>> Am I overly pessimistic? Have I missed something?
>>
>> OR
>>
>> Am I Jeremiah shouting "There's a flood coming! There's a f******
>> flood coming, PEOPLE!" while everybody else is roasting sausages
>> on their barbecues?
>>
>> Mike

Re: OpenBSD - UEFI Secure Boot

David Diggles-2
In reply to this post by llemikebyw@aol.com
With all the investment in non MS, mission critical / non portable apps,
in the proprietary world alone, do you really think Microsoft can ever take
over all of i386?  Surely they can only try, and keep on trying, but it is
an unwinnable arms race, and someone is going to be willing to pay for a back
door each time, regardless of what lock downs occur.

On Sat, Jul 07, 2012 at 03:46:50PM +0100, [hidden email] wrote:

> Dear <Your name should be here ;-) >,
>
> I have been considering the implications for BSD and
> Linux and any non-MS O/S of the implementation of UEFI
> Secure Boot (SB).
>
> As I understand it, ARM devices wishing to receive Win8 cert
> are required to enable SB by default and prevent the disabling
> of SB.
>
> Meanwhile, x86 devices are supposed to ship with SB enabled
> but allow disabling...
>
> For some commentators, the x86 situation has been presented
> as MS leaving a back-door for other OSes such as BSD or Linux
> etc. i.e. "Don't worry about it"
>
> I think it is, in fact, that MS is seeking to temporarily provide a
> back-door for Win XP, Vista and Win7.
>
> As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014)
> MS will slowly relax the UEFI SB specification such that the ability to
> disable SB will gradually disappear from x86-based devices.
>
> I am surprised that there is so little discussion of this developing
> situation on BSD and/or Linux lists because for me, the red lights
> are flashing, all bells and hooters are sounding,
> "We gotta get out of here!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
>
> We are potentially talking about the end of BSD (or Linux...) on x86
> hardware.
>
> Am I overly pessimistic? Have I missed something?
>
> OR
>
> Am I Jeremiah shouting "There's a flood coming! There's a f******
> flood coming, PEOPLE!" while everybody else is roasting sausages
> on their barbecues?
>
> Mike

Re: OpenBSD - UEFI Secure Boot

Tomas Bodzar-4
In reply to this post by llemikebyw@aol.com
On Sat, Jul 7, 2012 at 4:46 PM, [hidden email] <[hidden email]> wrote:

> Dear <Your name should be here ;-) >,
>
> I have been considering the implications for BSD and
> Linux and any non-MS O/S of the implementation of UEFI
> Secure Boot (SB).
>
> As I understand it, ARM devices wishing to receive Win8 cert
> are required to enable SB by default and prevent the disabling
> of SB.
>
> Meanwhile, x86 devices are supposed to ship with SB enabled
> but allow disabling...
>
> For some commentators, the x86 situation has been presented
> as MS leaving a back-door for other OSes such as BSD or Linux
> etc. i.e. "Don't worry about it"
>
> I think it is, in fact, that MS is seeking to temporarily provide a
> back-door for Win XP, Vista and Win7.
>
> As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014)
> MS will slowly relax the UEFI SB specification such that the ability to
> disable SB will gradually disappear from x86-based devices.
>
> I am surprised that there is so little discussion of this developing
> situation on BSD and/or Linux lists because for me, the red lights
> are flashing, all bells and hooters are sounding,
> "We gotta get out of here!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

You are probably not reading misc@ or other forums (not even OpenBSD
specific) too much, right?

http://marc.info/?l=openbsd-misc&m=133857397722515&w=2 - for example

>
> We are potentially talking about the end of BSD (or Linux...) on x86
> hardware.

No way and typical customers which are not target of OpenBSD will not
care for sure.

>
> Am I overly pessimistic? Have I missed something?

World is trying much worse stuff than UEFI
http://extratorrent.com/article/2263/uk+prime+minister+calls+for+online+porn+ban.html

>
> OR
>
> Am I Jeremiah shouting "There's a flood coming! There's a f******
> flood coming, PEOPLE!" while everybody else is roasting sausages
> on their barbecues?
>
> Mike

Re: OpenBSD - UEFI Secure Boot

Bob Beck-2
On Sat, Jul 7, 2012 at 11:25 AM, Tomas Bodzar <[hidden email]> wrote:

>
> World is trying much worse stuff than UEFI
>
> http://extratorrent.com/article/2263/uk+prime+minister+calls+for+online+porn+ban.html
>
>
>
What? they're going to ban porn? That's it, I'm quitting the internets.

Re: OpenBSD - UEFI Secure Boot

llemikebyw@aol.com
In reply to this post by Tomas Bodzar-4
Tomas (and David and E.V.R. Else-Body)

Yes - I'd read the thread(s) (Gentoo too..) - but the
ultimate conclusion of much of the discussion is
"buy different hardware".

I bought Betamax (because it was the best)... until...
I bought SAAB (because it was the best)... until...
I bought Amiga (because it was the best)... until...

I don't want to be saying...

I bou.. erm.. got... OpenBSD (because it was the best)...

Mike



On 07/07/12 18:25, Tomas Bodzar wrote:
> You are probably not reading misc@ or other forums (not even OpenBSD
> specific) too much, right?
>
> http://marc.info/?l=openbsd-misc&m=133857397722515&w=2  - for example

Re: OpenBSD - UEFI Secure Boot

Claudio Jeker
On Sat, Jul 07, 2012 at 06:54:31PM +0100, [hidden email] wrote:

> Tomas (and David and E.V.R. Else-Body)
>
> Yes - I'd read the thread(s) (Gentoo too..) - but the
> ultimate conclusion of much of the discussion is
> "buy different hardware".
>
> I bought Betamax (because it was the best)... until...
> I bought SAAB (because it was the best)... until...
> I bought Amiga (because it was the best)... until...
>
> I don't want to be saying...
>
> I bou.. erm.. got... OpenBSD (because it was the best)...
>

Wrong. OpenBSD does not only run on legacy archs like i386.
I guess some people would like to see i386 follow the dodo^Wmac68k.

--
:wq Claudio

Re: OpenBSD - UEFI Secure Boot

Chris Bennett-11
In reply to this post by llemikebyw@aol.com
On Sat, Jul 07, 2012 at 06:54:31PM +0100, [hidden email] wrote:
> I bought Betamax (because it was the best)... until...
> I bought SAAB (because it was the best)... until...
> I bought Amiga (because it was the best)... until...
>
> I don't want to be saying...
>
> I bou.. erm.. got... OpenBSD (because it was the best)...
>

I'd be happy to sell you a freshly burned copy of OpenBSD.
That way you COULD say you bought OpenBSD.

$100 USD price.
That buys you a $70 donation and $30 bucks for me.
Everybody happy!   :)

Re: OpenBSD - UEFI Secure Boot

Tomas Bodzar-4
In reply to this post by Bob Beck-2
On Sat, Jul 7, 2012 at 7:49 PM, Bob Beck <[hidden email]> wrote:

>
>
> On Sat, Jul 7, 2012 at 11:25 AM, Tomas Bodzar <[hidden email]>
> wrote:
>>
>>
>> World is trying much worse stuff than UEFI
>>
>> http://extratorrent.com/article/2263/uk+prime+minister+calls+for+online+porn+ban.html
>>
>>
>
> What? they're going to ban porn? That's it, I'm quitting the internets.

It's not about ban, it's about assumption that everyone who has high
bandwidth wants that because of porn and they want to protect children
so you must sign that you want that because of porn hehehe

But was meant as one of actual stupid ideas which they try to
implement like UEFI.

Re: OpenBSD - UEFI Secure Boot

Alexey Suslikov
In reply to this post by llemikebyw@aol.com
Remember SOPA/ACTA? If somebody is planning to have a regulation,
this somebody should take care about tools which guarantee direct, not
circumstantial, evidence of somebody else broke this regulation.

UEFI implements network stack so it can be a long-standing strategy.

UEFI is about remote monitoring without you even knowing about it, or
your corporate firewall sniffing for somebody else.

You buying UEFI hardware will be a sponsor of somebody sniffing on you.
What an irony.

Also, UEFI will possibly take down a dozens of Linux/BSD-oriented
hardware suppliers businesses because their customers will deny to run
security critical tasks on UEFI hardware. Good support for stagnating
world economy.

IMO, it is smarter to spend on Raspberry Pi port than UEFI bullshit.

And don't blame Amiga. It is UEFI free, isn't it? ;)

llemikebyw wrote:

> Tomas (and David and E.V.R. Else-Body)
>
> Yes - I'd read the thread(s) (Gentoo too..) - but the
> ultimate conclusion of much of the discussion is
> "buy different hardware".
>
> I bought Betamax (because it was the best)... until...
> I bought SAAB (because it was the best)... until...
> I bought Amiga (because it was the best)... until...
>
> I don't want to be saying...
>
> I bou.. erm.. got... OpenBSD (because it was the best)...
>
> Mike

Re: OpenBSD - UEFI Secure Boot

Nico Kadel-Garcia-2
On Sun, Jul 8, 2012 at 6:18 AM, Alexey Suslikov
<[hidden email]> wrote:
> Remember SOPA/ACTA? If somebody is planning to have a regulation,
> this somebody should take care about tools which guarantee direct, not
> circumstantial, evidence of somebody else broke this regulation.
>
> UEFI implements network stack so it can be a long-standing strategy.
>
> UEFI is about remote monitoring without you even knowing about it, or
> your corporate firewall sniffing for somebody else.

It's not the only thing it's about. The old Palladium project, now
known as "Trusted Computing", is designed to have "secured" access to
each level of hardware and software. Since every step individually can
be circumvented with known technologies if not part of the secure
stack, they've tried very hard to embed it at every level: CPU, boot
loader, kernel, applications, data, and hardware. Expect to see this
whole stack pushed for secure storage media and private information,
because some of the primary goals are portable storage media and
backup data. By "securing" every stage, it's also effectively digital
rights managed, and for that to work, it needs to exist at every stage
from motherboard chipsets on up.

Where it's going to be problematic for OpenBSD is on "Windows 8"
certified hardware, which has the UEFI enabled by default. It's
theoretically possible for OpenBSD's boot loaders to emulate what Red
Hat has done for Fedora: buy a signature for UEFI compatible shim that
will load the kernel. The problem then, will be locally compiled
kernels, which all my OpenBSD managing peers create as a matter of
course.

Many of us can comfortably disable UEFI, but it's going to be
problematic for our less skilled colleagues.

> You buying UEFI hardware will be a sponsor of somebody sniffing on you.
> What an irony.

Or saving $100 on buying the latest hot box, or of graciously
accepting a gift, or of doing a successful dumpster dive for laptops,
desktops, and server grade hardware.

> Also, UEFI will possibly take down a dozens of Linux/BSD-oriented
> hardware suppliers businesses because their customers will deny to run
> security critical tasks on UEFI hardware. Good support for stagnating
> world economy.

Go look at what Fedora is doing to handle this. OpenBSD boot loaders
are going to have to make some kind of accommodation with this in the
next 5 years, or throw in the towel for new hardware and go directly
to virtualization only. (That's admittedly how I use it these days,
mostly for testing components like OpenSSH before 6.0p1 was bundled.)

> IMO, it is smarter to spend on Raspberry Pi port than UEFI bullshit.

Good luck with that.

Re: OpenBSD - UEFI Secure Boot

Alexey Suslikov
On Mon, Jul 9, 2012 at 5:03 AM, Nico Kadel-Garcia <[hidden email]> wrote:
> Many of us can comfortably disable UEFI, but it's going to be
> problematic for our less skilled colleagues.

Well, are you sure "UEFI disable button" will turn off ALL of UEFI functions?

>> Also, UEFI will possibly take down a dozens of Linux/BSD-oriented
>> hardware suppliers businesses because their customers will deny to run
>> security critical tasks on UEFI hardware. Good support for stagnating
>> world economy.
>
> Go look at what Fedora is doing to handle this. OpenBSD boot loaders
> are going to have to make some kind of accommodation with this in the
> next 5 years, or throw in the towel for new hardware and go directly
> to virtualization only. (That's admittedly how I use it these days,
> mostly for testing components like OpenSSH before 6.0p1 was bundled.)

With that virtualization, both hardware bugs and attacks against hypervisors
are real world cases. So don't be naive.

Trust me, I'll try hard to avoid virtualization and Fedora@UEFI on my firewalls,
no matter what they did to circumvent UEFI issues.

Heck, I simply have no extra 5 years to spend on that hide-and-seek games.

My customers want services, not excuses for utterly unneeded maintenance
downtimes (you kindly call this "accommodation").

Anyway, it seems you didn't get the idea above.

My assumption is, customer, which is aware of UEFI sniffing on them, will
deny to buy UEFI boxes. Market niche will collapse with no demand since
some (presumably smaller) suppliers will be unable to diversify fast enough.

Going this way will result in hardware/software monopolies destroying
entire ecosystem. Raspberry Pi (and alike) is about going another way.

Re: OpenBSD - UEFI Secure Boot

Kevin Chadwick-2
> Well, are you sure "UEFI disable button" will turn off ALL of UEFI functions?

For windows 8 certed hardware, aka most.

http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-cert-requirements-system.pdf

Which states.

MANDATORY. The platform shall ship with an initial, possibly empty,
"forbidden" signature database (EFI_IMAGE_SECURITY_DATABASE1) created
with the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_ACCESS attribute. When a
signature is added to the forbidden signature database, upon reboot,
any image certified with that signature must not be allowed to
initialize/execute.

So revocation is possible and likely even through Windows update.

AND

a) It shall be possible for a physically present user to use the Custom
Mode firmware setup option to modify the contents of the Secure Boot
signature databases and the PK.
________________________________________________________________________
!!
This may be implemented by simply providing the option to clear all
Secure Boot databases (PK, KEK, db, dbx) which will put the system into
setup mode.
!!

I haven't checked this as apparently the spec is like > 2000 pages.


This link says the setup mode spec makes no mention of key installation
by users being possible.

http://mjg59.dreamwidth.org/13713.html?replyto=521361

________________________________________________________________________

So you will be able to disable signed booting, if you are authorised to
disable you certainly should be able to import keys. I believe
microsoft see making that mandatory as being against their interests.


Potential Problems I see:


Price hike of signing by Microsoft.

Not being able to revoke Microsoft's keys perhaps with the cover of
preventing malware from doing so.

No interface to add keys being mandatory and so unlikely. Some will
implement as selling feature.

Multi-booting (apparently but I'm skeptical, you may be able to sign a
key with another)

Openbios projects.

Hardware manufacturers specifying their windows version.

If it happened a few years back, people being stuck with VISTA and not
being able to get the shop to install XP.


p.s. anyone know if HDD that use so much firmware these days require
that it's signed?

--
________________________________________________________

 Why not do something good every day and install BOINC.
________________________________________________________
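
The "forbidden" signature database (dbx) quoted in the message above is a concatenation of EFI_SIGNATURE_LIST structures. As an added example, not part of the original thread, this sketch parses such a blob and checks an image digest against it; the function names and sample data are constructed, the variable is assumed to carry the 4-byte attribute prefix that Linux efivarfs exposes, and the digest is assumed to be the image hash the firmware computes.

```python
import hashlib
import struct
import uuid

# Signature type GUID from the UEFI specification (SHA-256 image digests).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Attribute bit behind the quoted requirement; the UEFI spec spells it
# EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS.
TIME_BASED_AUTH = 0x20
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
LIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Return [(type_guid, owner_guid, data)] from concatenated EFI_SIGNATURE_LISTs."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        if list_size < LIST_HEADER.size + hdr_size or offset + list_size > len(blob):
            raise ValueError("SignatureListSize out of bounds")
        body = list_size - LIST_HEADER.size - hdr_size
        if body and (sig_size <= 16 or body % sig_size):
            raise ValueError("SignatureSize does not divide the list body")
        start = offset + LIST_HEADER.size + hdr_size
        for pos in range(start, start + body, sig_size or 1):
            # Each entry is a 16-byte SignatureOwner GUID followed by the data.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=raw_type), owner, blob[pos + 16:pos + sig_size]))
        offset += list_size
    return entries


def forbidden_digests(dbx_raw):
    """Split the attribute prefix off and collect the SHA-256 digests in dbx."""
    if len(dbx_raw) < 4:
        raise ValueError("missing attribute prefix")
    (attrs,) = struct.unpack_from("<I", dbx_raw)
    digests = {data for sig_type, _, data in parse_signature_lists(dbx_raw[4:])
               if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}
    return attrs, digests


def is_revoked(image_digest, dbx_raw):
    """True if the digest is listed in dbx; db must still authorize the rest."""
    return image_digest in forbidden_digests(dbx_raw)[1]


def build_list(type_guid, owner, items):
    """Helper that builds one constructed EFI_SIGNATURE_LIST for the sample."""
    body = b"".join(owner.bytes_le + item for item in items)
    return LIST_HEADER.pack(type_guid.bytes_le, LIST_HEADER.size + len(body),
                            0, 16 + len(items[0])) + body


# Constructed sample data: owner GUID, digests and attribute word are made up.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED = hashlib.sha256(b"constructed revoked bootloader").digest()
SECOND = hashlib.sha256(b"constructed second revoked image").digest()
CLEAN = hashlib.sha256(b"constructed unlisted bootloader").digest()
SAMPLE_DBX = struct.pack("<I", 0x27) + build_list(EFI_CERT_SHA256_GUID, OWNER, [REVOKED, SECOND])
EMPTY_DBX = struct.pack("<I", 0x27)  # the "possibly empty" initial database

if __name__ == "__main__":
    attrs, digests = forbidden_digests(SAMPLE_DBX)
    print("time-based authenticated:", bool(attrs & TIME_BASED_AUTH))
    print("entries:", len(digests), "revoked:", is_revoked(REVOKED, SAMPLE_DBX))
```
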

Re: OpenBSD - UEFI Secure Boot

Rudolf Leitgeb
In reply to this post by Alexey Suslikov
> Well, are you sure "UEFI disable button" will turn off ALL of UEFI
> functions?
 
> With that virtualization, both hardware bugs and attacks against
> hypervisors are real world cases. So don't be naive.
>
> Trust me, I'll try hard to avoid virtualization and Fedora@UEFI on my
> firewalls, no matter what they did to circumvent UEFI issues.
>
> Heck, I simply have no extra 5 years to spend on that hide-and-seek
> games.

For 15+ years I read these regular Cassandra calls that this and that
"innovation" will kill free operating systems on commodity hardware,
remember Adaptec SCSI controllers, 3D video cards, I2O, trusted
computing and whatever the "feature of the day" is called.

For some reason or another these apocalypses never materialize,
increasingly due to the fact that free operating systems are a major
factor in the server world, and a manufacturer trying to exclude them
will lose business both in the short run and long term. There are few
threats to server manufacturers worse than "Ok, I'll hang on to my old
hardware then until it either falls apart or until this is resolved".

Rudi

Re: OpenBSD - UEFI Secure Boot

Mihai Popescu-3
In reply to this post by llemikebyw@aol.com
 Rudolf Leitgeb wrote:

> For 15+ years I read these regular Cassandra calls that this and that
> "innovation" will kill free operating systems on commodity hardware,
> remember Adaptec SCSI controllers, 3D video cards, I2O, trusted
> computing and whatever the "feature of the day" is called.

It is very confusing to tell what is "free" in these times. OK, not so
hard, OpenBSD is a standard when it comes to the real meaning of free, I
can't complain. But you see, what to do with Linux world, it is
already full of not so free (blobs) stuff.

The OSes were not killed, but the possibility to use that specific
hardware, yes, it was killed. Not many people can say they are using
Adaptec controllers or graphic acceleration on OpenBSD. Of course, it
is not OpenBSD team fault and it is not a dead end.

> For some reason or another these apocalypses never materialize,
> increasingly due to the fact that free operating systems are a major
> factor in the server world, and a manufacturer trying to exclude them
> will lose business both in the short run and long term. There are few
> threats to server manufacturers worse than "Ok, I'll hang on to my old
> hardware then until it either falls apart or until this is resolved".

I'm really curious, how much a manufacturer is thinking about free
operating system when a new product is designed or released. I'm not
an ignorant, I just don't have access to this kind of information.