For making sure the boot environment hasn't been tampered with. That's what it's for, and all it really does.
but to tamper it you need access? why not just swap the rig with a new rig...
It ensures only a valid bootloader is started, e.g. preventing evil maid attacks during PIN entry.
You need to secure the whole startup chain, to get what the industry dubbed a "trusted" computing environment. It's a nuisance for neckbeard enthusiasts, but corporate overlords like it.
Storage encryption keeps your data safe from being pulled off a disk directly. Additionally it prevents tampering, like the lame accessibility tools attack. In combination with a TPM it ensures the disk can only be read by a single computer, yours. The bootloader needs to handle the decryption key and kick the OS to life. You could try to extract the key or start the OS in an insecure state, if you could modify the bootloader.
After the OS is alive, the chain can be audited and logged for processing in higher level tools, to detect attempted attacks.
What's your attack scenario? The computer wouldn't have the same data or it couldn't read the old disk. It would be obvious to the user.
>It's a nuisance for neckbeard enthusiasts, but corporate overlords like it.
After spending a week reading about secureboot and TPM on the arch wiki, this was exactly what I concluded. If I were such a high value target anyways, I run ME so it's fricked anyways. I don't have a fricking maid, nor proprietary information to protect anyways.
tldr: it's a complete waste of time
>What's your attack scenario? The computer wouldn't have the same data or it couldn't read the old disk. It would be obvious to the user.
swap the hard drive to an identical rig without secure boot
Secure boot is not an issue, identical rig will let you boot trusted Microsoft OS, which is on the hard drive you are swapping.
However, the TPM key is missing on the other rig. So if the disk was encrypted, can't boot/read files on this other rig.
Also, Secure boot does not change the hard drive, so you could also boot on a rig with secure boot disabled or which has no secure boot.
It is a restriction on the rig which has it enabled, it's like a gatekeeper for what can be booted on the system where it is enabled.
Secure Boot is a function in the BIOS.
What is the name for connecting SecureBoot to an encrypted hard drive?
TPM will make it so the hard drive can only be decrypted on the same computer
Microsoft has a configuration where you have Secure Boot plus TPM and that is called Pluton
The TPM can check if the Secure Boot is in place and if it looks legit
>Secure Boot plus TPM and that is called Pluton
Pluton does a lot more than that. For example, it includes memory (RAM) encryption so you can't break out of your slave cage using DMA attacks. That would be terrible! Terrible!
There are additional layers beyond this which impact it when accessing external resources. In the organization I'm with, resources can only be accessed from systems that pass full compliance, including client system attestations. If the system wasn't booted with Secure Boot, or the TPM keys don't match what was registered for the host in device management, it won't be allowed to access secured resources.
Secureboot is reliable and secure.
If you trust the right people
keep it away from hACKeR.
It only benefits Microsoft.
Anyone can install secure boot keys schizo
>his hobby distro doesn't support secure boot out of the box
ngmi
>illiterate and moronic
>loonix luser
Every single time. Why does it have to be every single time.
DRM
that's why it was created
It ensures the boot is firmly secure in your ass
It protects you from rootkits and other malicious modifications made to your system.
so let me get this straight
1) it 'locks' your disk to this computer (so you can't just take your disk out and load it on another computer? does that count for booting from it or even accessing it from a different OS on a different computer?)
2) it 'locks' the computer to that disk. can't stick any other disk in there and boot from it, whether as a replacement, or even a little usb stick to install a new OS over the original disk. ?
Not quite, SecureBoot in itself is used to verify the integrity of the boot loader. It has to be signed by a certificate authority. That's it.
But if you want to realize the possible security benefits you need to go all the way, full disk encryption and more, which would prevent the disk from being read in another device.
Secure Boot makes sure you only boot trusted Microsoft OS (when there was pushback, they also gave authorization to reputable Linux vendors). That's all Secure Boot does.
TPM will store your disk encryption key on the motherboard/CPU: You can encrypt the disk. The key to decrypt is stored on the TPM chip/CPU, it is not on the disk. The TPM monitors the boot process. It will only "unseal" the key when everything is as expected (trusted Microsoft OS, hardware is still the same).
For 1), when you use a software like Bitlocker, then you can not boot the disk in another computer and also can not read files from the disk in another computer.
2) I think you can do a fresh install/use another disk for the computer. You would probably lose access to the first system/disk. The system you install needs to be a trusted OS when Secure Boot is enabled.
This is not the same thing as the vendor lock which is used by Lenovo for AMD CPUs. In the affected Lenovo computers, the CPU is locked to the mainboard. This is called AMD Secure Processor Platform Secure Boot (PSB).
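As an added illustration (not code from any poster in this thread), here is a toy Python model of the sealing behaviour described in the post above: the TPM releases the disk key only when its measurement registers (PCRs) match the boot state that was recorded when the key was sealed. `SimTPM`, `boot` and `scenarios` are hypothetical names, the wrapping scheme is a stand-in for a real TPM's key hierarchy, and using PCR 4 for the boot loader and PCR 7 for Secure Boot state is a simplification of the usual PC convention.

```python
import hashlib, hmac, os

class SimTPM:
    """Toy TPM model: a small SHA-256 PCR bank plus a per-chip secret seed."""
    def __init__(self):
        self.seed = os.urandom(32)                   # unique per chip, never exported
        self.pcr = {4: bytes(32), 7: bytes(32)}      # PCRs are zero after reset

    def extend(self, index, data):
        # PCR_new = SHA256(PCR_old || SHA256(data)): order-sensitive, cannot be undone
        digest = hashlib.sha256(data).digest()
        self.pcr[index] = hashlib.sha256(self.pcr[index] + digest).digest()

    def _wrap_key(self):
        # Wrapping key depends on this chip's seed AND the current PCR values
        state = b"".join(self.pcr[i] for i in sorted(self.pcr))
        return hmac.new(self.seed, state, hashlib.sha256).digest()

    def seal(self, secret):
        # Toy wrapping (XOR + MAC) for a secret of at most 32 bytes; not real TPM crypto
        k = self._wrap_key()
        ct = bytes(a ^ b for a, b in zip(secret, k))
        return ct + hmac.new(k, ct, hashlib.sha256).digest()

    def unseal(self, blob):
        k = self._wrap_key()
        ct, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
            return None                              # wrong chip or wrong boot state
        return bytes(a ^ b for a, b in zip(ct, k))

def boot(tpm, bootloader, secure_boot_on):
    """Power cycle: reset PCRs, then measure Secure Boot state and the boot loader."""
    tpm.pcr = {i: bytes(32) for i in tpm.pcr}
    tpm.extend(7, b"SecureBoot=1" if secure_boot_on else b"SecureBoot=0")
    tpm.extend(4, bootloader)

def scenarios():
    # Constructed sample inputs, not real boot loader images
    good, evil = b"bootloader v1 (constructed)", b"bootloader v1 + patch (constructed)"
    disk_key = os.urandom(32)
    mine, other = SimTPM(), SimTPM()
    boot(mine, good, True)
    blob = mine.seal(disk_key)                       # blob is stored on the disk itself
    out = {}
    boot(mine, good, True);  out["normal boot"] = mine.unseal(blob) == disk_key
    boot(mine, evil, True);  out["tampered bootloader"] = mine.unseal(blob) == disk_key
    boot(mine, good, False); out["secure boot off"] = mine.unseal(blob) == disk_key
    boot(other, good, True); out["disk moved to identical rig"] = other.unseal(blob) == disk_key
    return out
```

Only the first scenario recovers the key; the disk swap fails because the second chip has a different seed, which is the "TPM key is missing on the other rig" point made earlier in the thread.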
>you only boot trusted Microsoft OS
That's wrong. I enrolled my own keys and now my system only boots what I signed myself. It won't boot any Microsoft shit or even the vendor UEFI tools (unless I sign them).
You might argue there's a backdoor somewhere and you might be right, but other than that it's not booting anything I didn't allow.
Microsoft would argue that this "Custom mode" is a broken implementation. How did you enroll the keys, did you need to go into the BIOS and load them there?
>Microsoft would argue that this "Custom mode" is a broken implementation
No, they wouldn't. They even encourage it, if not outright demand it for Windows certification.
>How did you enroll the keys, did you need to go into the BIOS and load them there?
1. Turn off SecureBoot
2. Generate a bunch of self-signed keys
3. Write them into the appropriate EFI variables
4. Sign your bootloader
5. Enable SecureBoot
I'm using sbsigntools for steps 2-4.
Why do they demand the mode where you can install non-Microsoft keys for Windows certification?
>Why do they demand the mode where you can install non-Microsoft keys for Windows certification?
So they don't get sued (again) for monopoly bullshit.
nothing, anyone can trivially acquire m$ signing keys which makes secure boot totally useless for your average user. some initial implementations did not even allow to clear the m$ keys from your uefi. if you trust your security with m$ then you are a special kind of dumbass(pluton(dont buy amd 6000 series))
i can delete the keys but then i have no graphics during boot phase.
probably works with server graphic cards
For making the enterprise feel secure.
ryzen has built in TPM. even ubuntu starts with secure boot enabled.
free additional security why not ?
>picrel
what did they mean by this?
>What is SecureBoot good for?
Ensures monopoly in the ecosystem for Microsoft and everybody who sucks Microsoft dick
Secure boot basically checks to make sure what you’re booting from is considered “reputable” by the OEM, makes sure you can boot into your OS and restricts un-signed / non-trusted media from running.
Basically useless without a BIOS password and some form of BitLocker-type encryption
>secure
Some windows dev accidentally left the entire list of key hashes commented out in a patch he released to the general public years ago.
Good thing new keys can be created, old keys can be blocked, and Windows has had the infrastructure to do this for nearly a decade.
You mean good thing the guy who noticed it told microsoft about it.
Securing the boot
Microsoft deciding what is secure and what isn't.
for bootly securing your os