zlacker

[return to "Leaked stolen Nvidia cert can sign Windows malware"]
1. bratwu+B8[view] [source] 2022-03-05 11:29:23
>>Zuider+(OP)
Hmmm maybe i should keep windows offline for a few days…..
◧◩
2. gchamo+x9[view] [source] 2022-03-05 11:35:23
>>bratwu+B8
I always use opportunities like this to experiment with whatever workflow I have on Linux to see what state it's at. I just game on Windows and do work on Linux so for me the transition is always quite simple: just install what you want on Steam/lutris and compare performance.

Last time I was starting vanishing of Ethan Carter, but even though it was playable, the experience wasn't free of stutters, whereas windows ran flawlessly.

In any case, it is always nice to jump back and check out how far Linux has come.

◧◩◪
3. Genbox+Td[view] [source] 2022-03-05 12:16:32
>>gchamo+x9
A stolen code signing certificate affect Linux in the same capacity as Windows.

I'm of course ignoring the fact that a lot of Linux distros still do not have Secure Boot enabled by default, and therefore do not enforce any kernel driver signing policy.

◧◩◪◨
4. jart+Yp[view] [source] 2022-03-05 13:53:14
>>Genbox+Td
Probably because those distros haven't developed a relationship with Microsoft. I'm reasonably certain that in order to distribute Linux on SB, you have to build the kernel as a Windows executable and get MS to sign it.
◧◩◪◨⬒
5. Genbox+jy[view] [source] 2022-03-05 15:00:30
>>jart+Yp
Most manufactures decided to include Microsoft's signing key into firmware. That is not something Microsoft is in control of. Pre-loaded (factory) keys are much harder for Linux as it seems every distro wants their own signing key, and from an administration perspective, that is not easy to keep track of.

Everyone can load their own signing keys into firmware. However, if you want something that "just works", Microsoft signs a package called Shim[1] that can be loaded on most computers due to the pre-loaded keys.

A relationship with Microsoft is not needed in any way or form to have Secure Boot.

[1] https://launchpad.net/ubuntu/+source/shim

◧◩◪◨⬒⬓
6. jart+H51[view] [source] 2022-03-05 18:16:56
>>Genbox+jy
What's stopping the bad guys from using that shim to boot their own code? Is there a date when the shim expires and Microsoft has to renew it?
◧◩◪◨⬒⬓⬔
7. Genbox+LN1[view] [source] 2022-03-05 23:09:20
>>jart+H51
Well, it is a chain of trusted components that are responsible for loading the next component in the chain.

UEFI with Secure Boot enabled will only load the stage 1 bootloader if it is signed with the firmware trusted certificate. We don't know if this component is malicious, we just know it is signed by the certificate.

The stage 1 bootloader (shim) will then be responsible for loading the next component (stage 2 bootloader). It will only boot the component if it is signed with a trusted (chosen by the user/distro) certificate.

The bad guys can't insert themselves into this process, as they either have to be trusted by the UEFI firmware (protected by an owner password), signed by Microsoft (to replace the shim) or be signed by the distro's certificate.

As long as the chain is unbroken it is secure.

◧◩◪◨⬒⬓⬔⧯
8. jart+9R1[view] [source] 2022-03-05 23:34:52
>>Genbox+LN1
That's only possible if Microsoft signs a public key the distro owner controls and then embeds it inside a special build of their shim. In that case the distro owner can distribute any Linux Kernel they want, but they need authorization from Microsoft beforehand. Therefore you can't publish a UEFI Linux desktop without being in league with the adversary.
[go to top]