:: Re: [Dng] UEFI secure boot not secu…
Top Page
Delete this message
Reply to this message
Author: Gravis
Date:  
To: dng@lists.dyne.org
Subject: Re: [Dng] UEFI secure boot not secure
UEFI does concern me but it's more an issue of implementation. It's been
made clear for quite some time that the only way to ensure the security of
your computer is to be able to write your own firmware. Coreboot is an
effort for reverse engineering motherboard BIOSes to make a libre BIOS. As
recent news has shown, we also need to start writing new firmware for our
hard drives. Since so many things have shown to be insecure, the question
has becomes if it's worth reverse engineering proprietary systems versus
engineering a libre systems from the ground up.

--Gravis

On Sun, Feb 22, 2015 at 11:06 AM, Robert Storey <robert.storey@???>
wrote:

> Hi, this is a little off-topic, but still relevant I think. You all might
> remember that about a month ago I made a post about how I had partitioned
> my laptop hard drive GPT-style, which requires UEFI boot. I did this mainly
> to learn about GPT and UEFI, not because I wanted to dual-boot with Windows
> (because I don't in fact use Windows, at all). My post was just to ensure
> that Devuan would be able to handle UEFI boot.
>
> A few people later replied that MBR boot was at least as good, if not
> better. I didn't really think that it mattered, so I don't have anything to
> say about that. But then today I saw this:
>
> New Vicious UEFI Bootkit Vulnerability Found for Windows 8
> http://www.theregister.co.uk/2012/09/19/win8_rootkit/
>
> That got my attention. And with a little more googling, I learned that
> UEFI boot in fact is quite a bit more likely to compromised than BIOS boot,
> because you can place rootkits undetectable for the OS in the preload.
> Microsoft's answer to this is to enable "secure boot," but now it seems
> that even that has been compromised.
>
> Your best protection would be to own a motherboard that only has BIOS boot
> capability. But such boards are now becoming scarce, though you can still
> find that in new server motherboards (such as those made by Tyan) On
> consumer motherboards, BIOS is pretty much history. Nevertheless, a UEFI
> motherboard is probably safe (or at least safer) if you disable UEFI boot
> and enable CSM (compatibility support module) so that you can partition the
> drive MBR style. Doing that, of course, means that you don't get to take
> advantage of the dubious benefits of GPT partitioning, but unless your hard
> drive is larger than 2TB, I don't think you'll notice the difference.
>
> cheers,
> Robert
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>
>