:: [Dng] UEFI secure boot not secure
Author: Robert Storey
Date:  
To: dng
Subject: [Dng] UEFI secure boot not secure
Hi, this is a little off-topic, but still relevant I think. You all might
remember that about a month ago I made a post about how I had partitioned
my laptop hard drive GPT-style, which requires UEFI boot. I did this mainly
to learn about GPT and UEFI, not because I wanted to dual-boot with Windows
(because I don't in fact use Windows, at all). My post was just to ensure
that Devuan would be able to handle UEFI boot.

A few people later replied that MBR boot was at least as good, if not
better. I didn't really think that it mattered, so I don't have anything to
say about that. But then today I saw this:

New Vicious UEFI Bootkit Vulnerability Found for Windows 8
http://www.theregister.co.uk/2012/09/19/win8_rootkit/

That got my attention. And with a little more googling, I learned that UEFI
boot in fact is quite a bit more likely to be compromised than BIOS boot,
because you can place rootkits undetectable for the OS in the preload.
Microsoft's answer to this is to enable "secure boot," but now it seems
that even that has been compromised.

Your best protection would be to own a motherboard that only has BIOS boot
capability. But such boards are now becoming scarce, though you can still
find that in new server motherboards (such as those made by Tyan). On
consumer motherboards, BIOS is pretty much history. Nevertheless, a UEFI
motherboard is probably safe (or at least safer) if you disable UEFI boot
and enable CSM (compatibility support module) so that you can partition the
drive MBR style. Doing that, of course, means that you don't get to take
advantage of the dubious benefits of GPT partitioning, but unless your hard
drive is larger than 2TB, I don't think you'll notice the difference.

cheers,
Robert