| ▲ | NelsonMinar 5 days ago |
| This article notes that "nobody actually enforces these expiry dates". So this is another way that secure boot is proven to be nowhere as secure as it claims to be. Coupled with LogoFAIL and most hardware shipping with insecure debug keys.. has Secure Boot ever provided meaningful security? It sure causes all sorts of practical problems. https://arstechnica.com/security/2023/12/just-about-every-wi... https://arstechnica.com/security/2024/07/secure-boot-is-comp... |
|
| ▲ | WhyNotHugo 4 days ago | parent | next [-] |
| SecureBoot uses an existing certificate implementation which supported expiration, for a scenario where a having a reliable clock in unfeasible. SecureBoot would have been better off with certificates that never expire. That's not a problem in cases where users (or organisations) manage their own hosts, since they can just changed the certificate when the previous one is no longer valid or leaked or whatever. In practice, SecureBoot rolled out with a single CA for everyone, one controlled by Microsoft. This provides little value for anyone—restricting your computer to "only boot stuff signed by a third party" doesn't really protect from attackers in any way. They'll just boot into one of the many programs signed by MS. But because a single CA is used globally, you want expiration so as to roll them over every few years. But remember: there's no way to have a reliable clock. And so, we have the mess that we have. The grand majority of Linux users could disable SecureBoot tomorrow and their system's security would not change in any meaningful way. |
|
| ▲ | OsrsNeedsf2P 5 days ago | parent | prev | next [-] |
| Was Secure Boot supposed to increase security? I thought Microsoft was using it to make it near impossible to install Linux |
| |
| ▲ | michaelt 5 days ago | parent | next [-] | | It increases security in certain circumstances. Mostly for Windows users at big corporations. For example, you want your users' laptop hard drives to be encrypted - but also you have users who regularly forget their passwords? With bitlocker their hard drive can decrypt itself, so they only need to remember their windows login, which you can reset remotely. You give laptops to your field workers, who have full physical access and would love to play video games or access netflix when work puts them in a hotel over night with nothing to do? With secure boot you can keep your precious spreadsheets locked down, even if they're willing to boot from USB sticks or swap the hard drive. And perhaps most importantly, it has "secure" in the name. So the corporation's IT security auditors will like to see it turned on even if they have only a vague understanding of what it does. | |
| ▲ | okanat 5 days ago | parent | prev | next [-] | | Maybe you are too young for this but viruses modifying boot partitions was a big thing back then. It is simply impossible to inject some code without finding an exploit in UEFI with Secure Boot or somehow exploiting the kernel. It is still possible to do this kind of hack but it is 2 orders of magnitude harder. | | |
| ▲ | ahartmetz 4 days ago | parent [-] | | No, boot sector viruses were not a big thing, especially after DOS times. They existed, but they weren't the worst problem at any time. |
| |
| ▲ | mjg59 5 days ago | parent | prev | next [-] | | Linux distributions have been shipping with secure boot support since 2012, so if that was the goal it had already failed over a decade ago. | | |
| ▲ | zahlman 5 days ago | parent [-] | | The Linux Mint support forums keep telling people to try turning it off to fix problems, but I installed Mint just fine with it enabled on my 8 (at the time) year old hardware, before I'd even heard that there was such a thing. Anyway, it's good to hear that I probably don't have anything to worry about. | | |
| ▲ | charcircuit 5 days ago | parent [-] | | Unfortunately, hearing this is not surprising since desktop Linux users tolerate having poor security and rely on never ever running malware to keep themselves safe over having the operating system itself protect against malware. | | |
| ▲ | zahlman 5 days ago | parent | next [-] | | > Unfortunately, hearing this is not surprising since [users of an OS with a built-in file permissions system] tolerate having poor security and rely on [thinking about whom to trust and primarily sourcing their software from the distro package manager] to keep themselves safe over having the operating system itself [apply heuristics to try to decide whether things the user downloaded from random web sites are malware, while completely failing to provide transparency on whether double-clicking something will supply it as data to an existing program or treat it as itself a program]. I'm not understanding how it's the desktop Linux users who have to deal with poor security. | | |
| ▲ | charcircuit 5 days ago | parent | next [-] | | >I'm not understanding how it's the desktop Linux users who have to deal with poor security. On Linux Mint if you run a program without granting any extra permissions it can: Record your mic, record your camera, record your screen, steal your browser history/ cookies/passwords, alias sudo or show a fake update dialog to collect the user's password to elevate to root, see if you copied a crypto address and replace it with a similar looking one owned by the attacker, encrypt all of your files, send any sensitive pictures or documents to the attacker, etc. The existence of a 50 year old concept of file permission is not good enough to combat the modern security problems users can encounter. | |
| ▲ | sugarpimpdorsey 5 days ago | parent | prev | next [-] | | > users of an OS with a built-in file permissions system Lot of good that will do you when Linux users will curl | bash most any garbage. The Windows NT file permission system is far more advanced (and I'm not even including AppLocker or software whitelisting). > thinking about whom to trust and primarily sourcing their software from the distro package manager So "app store" is the wave of the future? The days of Linux users using magic healing crystals to protect themselves from malware are long over. Most malware these days targets Linux servers. If you think chmod u+x is what is preventing your computer from catching digital AIDS I have news for you. | | |
| ▲ | bayindirh 4 days ago | parent [-] | | > Lot of good that will do you when Linux users will curl | bash most any garbage. Same for Windows users who zoom through UAC prompts without reading. > The Windows NT file permission system is far more advanced (and I'm not even including AppLocker or software whitelisting). ...and much more convoluted and easy to break while most systems allow unfettered access to everywhere. On the other hand SELinux and AppArmor already provide transparent system isolation for decades now, and they are completely invisible. If you want even more security, you can install an immutable distro. > So "app store" is the wave of the future? App stores are capitalist versions of software repositories which are present for more than 20 years now? Plus, these repositories are generally well-vetted and observed by their maintainers. > Most malware these days targets Linux servers. If you think chmod u+x is what is preventing your computer from catching digital AIDS I have news for you. No, instead many sysadmins who know what they're doing are depending on a layered security system, provided by Linux kernel and its peripheries. Containers, CGroups, namespaces, SELinux/AppArmor, package integrity checks, multiple limited users (with reduced capabilities as well), UNIX file permissions, and many more. If you think Linux only has file permissions for system security, I have news for you. | | |
| ▲ | charcircuit 3 days ago | parent [-] | | >zoom through UAC prompts without reading. UAC is not a security boundary, so it is not relevant when talking about security. >SELinux and AppArmor already provide transparent system isolation for decades If they are setup and most Linux distros only limit individual apps. So a brand new app can still run wild. >you can install an immutable distro. Even immutable distros let people download new software off the internet and run it. >Plus, these repositories are generally well-vetted and observed by their maintainers. This has been shown to be false in practice due to the xz backdoor. Maintainers do not actually vet anything other than that the code is coming from the developer. Which is also what app stores do. | | |
| ▲ | akimbostrawman 3 days ago | parent [-] | | >UAC is not a security boundary, so it is not relevant when talking about security. That is there excuses but you don't seem to realize that this makes it only worse because that means there is no boundary at all. >If they are setup and most Linux distros only limit individual apps. So a brand new app can still run wild. new apps will be either installed from a trusted repository (often with a MAC profile) or sandboxed by default from flatpak/snap store. You don't seem to understand that the entire install process is different. You don't get your software from random sites found on Google between malware ads on Linux. >This has been shown to be false in practice due to the xz backdoor XZ has nothing to to with a lack of vetting and even if it was it would be an argument for it because it got caught in testing. | | |
| ▲ | sugarpimpdorsey 3 days ago | parent [-] | | > XZ has nothing to to with a lack of vetting and even if it was it would be an argument for it because it got caught in testing. This is absolutely false, it was not caught in any sort of regular testing whatsoever. It was caught by - of all people - a Microsoft employee who noticed SSH logins were taking a split second too long. Not distro packagers. The packages were already staged in the testing branches of the distros they were targeting and could have easily made it into the LTS versions had this one curious MS guy not noticed. | | |
| ▲ | bayindirh a day ago | parent | next [-] | | > could have easily made it into the LTS versions had this one curious MS guy not noticed. LTS doesn't mean set in stone. Debian publishes fixes within 24 hours in most cases, even if the upstream doesn't provide any, plus some packages come with Debian's own security patches on top of upstream patches. Linux security landscape is very different than Windows' central "we'll patch it when we patch it" stance. | |
| ▲ | akimbostrawman 3 days ago | parent | prev [-] | | >This is absolutely false, it was not caught in any sort of regular testing whatsoever >The packages were already staged in the testing branches Thanks for making my argument for me. It was also literally caught in (Debian) TESTING. It does not matter for who he works unless you believe a cooperation owns there employees time and achievements 24/7. He notices something off, tested it, looked at the source code (impossible on windows ;) and reported the issue he found which got quickly and transparently (also impossible on windows) fixed. Again that is how FOSS should work and why it's superior to proprietary software. |
|
|
|
|
| |
| ▲ | literalAardvark 4 days ago | parent | prev [-] | | Because you're starting from a poor understanding of the security process in general. File permissions are the least of your worries. |
| |
| ▲ | akimbostrawman 4 days ago | parent | prev | next [-] | | Of course unlike windows billion dollar heightened security of getting flooded with UAC and MOTW pops up everybody is conditioned to click yes as fast as possible caused by the proven "download random executables from the first site you see on google and hope it's not malwaretising" method. | |
| ▲ | AAAAaccountAAAA 4 days ago | parent | prev [-] | | The desktop security model is pretty much the same across the vendors. Somehow, Microsoft seems to get a free pass on this. |
|
|
| |
| ▲ | fuzzfactor 5 days ago | parent | prev | next [-] | | SecureBoot and UEFI were "bundled" with Windows 8.0 PC's to curtail the possibility of users easily installing Windows 7 instead. Earlier versions of Windows were a much bigger threat to adoption of Windows 8 than Linux was. | |
| ▲ | jon-wood 4 days ago | parent | prev | next [-] | | Yes, it does, for some values of security. Operated correctly it allows you to know you can trust everything on your system from the UEFI firmware down, because if any part of that chain didn't match what you were expecting to be there the next step in the chain would refuse to execute. Most people experience this via Windows, which automatically sets up that chain of trust so that you can know you've not had a rootkit injected somewhere. In other cases it may be Linux or something more exotic booting, and it requires some management by whoever is operating the device, but that comes with the benefit of knowing that if one of our devices has got to the point of decrypting it's storage we can be reasonably confident that it hasn't been tampered with, and so we can trust it to send good data. | |
| ▲ | Yeul 4 days ago | parent | prev [-] | | Is secure boot even enabled by default? I have never used it on my gaming PC and Windows doesn't seem to care. | | |
|
|
| ▲ | mjg59 5 days ago | parent | prev | next [-] |
| The rollover coincides with stronger security policies for signed objects (enforcing code being read-only, that kind of thing) and people with stronger security requirements can remove trust in the old certificate to enforce that. Code has bugs. There's any number of critical vulnerabilities in Linux, Windows, MacOS that have allowed bypass of all security features - does that mean all security features remain security theatre? |
| |
| ▲ | ploxiln 5 days ago | parent [-] | | Most security features are, yeah. The cost in terms of freedom/flexibility and reliability/longevity is very high. But we're told, this is necessary, it's the only way to guarantee the security of the poor user. But if in practice the security wasn't actually guaranteed, for most motherboards over most years, due to pretty big dumb oversights ... was it worth the extreme costs? The cost of losing compatibility with older or newer software/hardware, of losing convenient repairs and recovery? Nope. You sold your soul for "guaranteed security" of securing the entire boot and runtime from the lowest level hardware up ... and didn't really get it anyway. | | |
| ▲ | sabas123 4 days ago | parent [-] | | You make it sound like security is a binary thing, which is not true. |
|
|
|
| ▲ | armada651 5 days ago | parent | prev | next [-] |
| They clearly didn't want to leave a system unbootable because a certificate expired. In which case you would have no opportunity to update the certificate because you can't boot the system anymore. They could've used a time stamping service to include a signed timestamp in the binary to compare the expiry date against, but that still leaves the system unbootable after the time stamping certificate expires in the far future. Besides, a hacking group powerful enough to steal Microsoft's Secure Boot private key will likely be able to steal a timestamping private key from a certificate authority as well. |
|
| ▲ | strstr 5 days ago | parent | prev [-] |
| With the default key hierarchies, the benefit is more limited. It raises the bar. Implementing known vulnerabilities takes work. And not ever configuration is vulnerable to every issue. And, for a lot of the vulns, the OS vendor shoves things in the dbx to mitigate. With custom hierarchies, it's a bit more compelling. But it's a lot of work to maintain. |
