• @[email protected]
    link
    fedilink
    English
    158
    edit-2
    4 months ago

    Select models of:

    Acer

    Dell

    Gigabyte

    Intel

    Supermicro

    aopen

    formelife

    You’re welcome.

    • NutWrench
      link
      English
      84 months ago

      Damn, Acer. You used to be cool. (a very long time ago)

      • @[email protected]
        link
        fedilink
        English
        5
        edit-2
        4 months ago

        They were always a pretty cheap brand IMO, but pretty reliable.

        Source: typing this on an Acer monitor that I’ve had for… 10 years? It kind of looks like crap, but it works and no dead pixels, so that’s cool.

        • @MrMcGasion
          link
          English
          24 months ago

          I had a nicer Acer monitor that I replaced with a similar Samsung model about a year ago. I still kinda miss the Acer. Both were 32" curved LCD and 1440p. The Acer had a much more uniform curve to it, and the Samsung has a bunch of firmware issues that sometimes can only be worked around by unplugging it and power cycling it that way. The only reason I “upgraded” was the Samsung had better support for PS5 and scaling 4K inputs down to the native 1440p without artifacts.

    • @[email protected]
      link
      fedilink
      English
      34 months ago

      You’re missing the additional list mentioned later on, also includes Lenovo and some others

  • @Buffalox
    link
    English
    634 months ago

    Secure Boot is a broken concept by design.

    • Optional
      link
      English
      504 months ago

      To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.

      You dare question a monopoly corporation and the spymasters of this country??

      (/s)

      • @[email protected]
        link
        fedilink
        English
        174 months ago

        industrial control and enterprise networks

        That’s doing a lot of work here.

        Yes, it’s important in certain situations, but for consumer devices, it’s just another thing that can go wrong when using alternative operating systems. Regular users don’t have the physical risk these other systems do, and making it more difficult for users to install more secure operating systems goes against the bigger threat.

        Linux is compatible with Secure Boot (source: I exclusively run Linux, and use Secure Boot on my systems), but some distros or manufacturers screw it up. For example, Google Pixel devices warn you about alternative ROMs on boot, and this makes GrapheneOS look like sketchy software, when it’s really just AOSP with security patches on top (i.e. more secure than what ships with the device). The boot is still secure, it’s just that the signature doesn’t match what the phone is looking for.

        It’s just FUD on consumer devices, but it’s totally valid in other contexts. If I was running a data center or enterprise, you bet I’d make sure everything was protected with secure boot. But if I run into any problems on personal devices, I’m turning it off. Context matters.

      • capital
        link
        English
        -104 months ago

        Yes, surely randoms on Lemmy know better than Microsoft and the NSA in regards to security.

        • Optional
          link
          English
          184 months ago

          Oh anyone who doesn’t trust Microsoft with their life is a complete idiot. And the NSA only illegally spied on everyone until Bush the II made it legal! So of course we should unquestioningly follow their configuration guides. I mean - haha - we don’t wanna get disappeared! Haha ha. Not. Not that that’s ever happened. That we know of. For sure. Probably.

          • capital
            link
            English
            14 months ago

            in regards to security

            in regards to security

            in regards to security

            in regards to security

            Just wanted to make sure you saw it this time because you went off on a tangent there.

            • azuth
              link
              fedilink
              English
              164 months ago

              It doesn’t matter if they know about security (which they do). A burglar could know about locks and home security systems, would you take his advice?

              Their positions on security of others is dismissed on grounds of trust not of competence.

              • @mriguy
                link
                English
                8
                edit-2
                4 months ago

                The NSA has two jobs.

                The first is to break into any computer or communications stream that they feel the need to for “national security needs”. A lot of leeway for bad behavior there, and yes, they’ve done, and almost certainly continue to do, bad things. Note that in theory that is only allowed for foreign targets, but they always seem to find ways around that.

                The second, and less well known, job is to ensure that nobody but them can do that to US computers and communications streams. So if they say something will make your computer more secure, it’s probably true, with the important addition of “except from them”.

                I won’t pretend I like any of this, but most people are much more likely to be targeted by scammers, bitcoin miners, and ransomware than they are by the NSA itself, so in that sense, following the NSA’s recommendation here is probably better than not.

                • azuth
                  link
                  fedilink
                  English
                  44 months ago

                  Exploits don’t care if you are actually the NSA or not. The NSA certainly knowns that yet they keep exploits secret at least from the public.

                  They have argued for key escrow for God’s shake.

                  They are primarily an intelligence agency. If you are not likely to be targeted by the NSA you are also unlikely to be targeted by any of their adversaries. They don’t give a shit if you get scammed, they are not the FBI, who also keep secret exploits and are anti-encryption.

                  Additionally using their “best” exploits on more simple targets still poses a risk to them being discovered and fixed. Therefore it’s beneficial to them for everybody’s security to be compromised. It also provides deniability.

                • azuth
                  link
                  fedilink
                  English
                  44 months ago

                  Do you have any evidence those two people are still committing burglaries? The NSA is not an ex-intelligence agency.

                • @[email protected]
                  link
                  fedilink
                  English
                  24 months ago

                  I get my advice from LockPickingLawyer on YouTube. He’ll demonstrate the weaknesses of various locks, and say which to avoid and which are probably okay (“okay” is a really strong recommendation from him). He’ll still break into really secure locks in <2 min, but he’ll describe the skills necessary to break in and let you decide on what your threat level.

                  Basically, as long as it’s bump and bypass resistant, you’re good. Burglars aren’t going to pick locks, they’ll either break a window or move on if the lock stops them. A good lock doesn’t keep out a burglar, it just slows them down enough that they’ll give up.

                  So yes, get advice from people who have the skills to break the protection they’re recommending, they’ll be able to separate things into threat categories. If you want OPSec advice, visit black hat hacking forums and whatnot, you’ll get way better advice than sticking with the normie channels.

              • @Emerald
                link
                English
                4
                edit-2
                4 months ago

                A burglar could know about locks and home security systems, would you take his advice?

                If they were an expert burglar, I might

                Source: I’m an expert burglar and all of the others on my burglar crew are very helpful when people ask about home security stuff.

              • @Cosmicomical
                link
                English
                34 months ago

                Exactly, they have a clear conflict of interest

              • Optional
                link
                English
                14 months ago

                Hey what is that, some kinda tangent

        • @Cosmicomical
          link
          English
          54 months ago

          Security is the last thing NSA and Micro$oft care about. NSA wants to be sure they can do all they need to with your devices, and M$ just wants to discourage you from switching to linux.

    • @cheese_greater
      link
      English
      144 months ago

      Can you explain more (don’t doubt you)

      • @ilinamorato
        link
        English
        13
        edit-2
        4 months ago

        Ok, so I am not an expert, and I am not the OP. But my understanding is that Secure Boot is checking with a relatively small list of trustworthy signing certificates to make sure that the OS and hardware are what they claim to be on boot. One of those certificates belongs to a Microsoft application called Shim, which can be updated regularly as new stuff comes out. And technically you can whitelist other certificates, too, but I have no idea how you might do that.

        The problem is, there’s no real way to get around the reality that you’re trusting Microsoft to not be compromised, to not go evil, to not misuse their ubiquity and position of trust as a way to depress competition, etc. It’s a single point of failure that’s presents a massive and very attractive target to attackers, since it could be used to intentionally do what CrowdStrike did accidentally last week.

        And it’s not necessarily proven that it can do what it claims to do, either. In fact, it might be a quixotic and ultimately impossible task to try and prevent boot attacks from UEFI.

        But OP might have other reasons in mind, I dunno.

        • @[email protected]
          link
          fedilink
          English
          224 months ago

          To use secure boot correctly, you need disable or delete the keys that come preinstalled and add your own keys. Then you have to sign the kernel and any drivers yourself. It is possible to automate the signing the kernel and kernel modules though. Just make sure the private key is kept secure. If someone else gets a hold of it, they can create code that your computer will trust.

          • @[email protected]
            link
            fedilink
            English
            3
            edit-2
            4 months ago

            The kernel modules usually are signed with a different key. That key is created at build time and its private key is discarded after the build (and after the modules have been signed) and the kernel uses the public key to validate the modules IIRC. That is how Archlinux enables can somewhat support Secure Boot without the user needing to sign every kernel module or firmware file (it is also the reason why all the kernel packages aren’t reproducible).

          • @ilinamorato
            link
            English
            24 months ago

            In any case, not for the average person.

          • @[email protected]
            link
            fedilink
            English
            14 months ago

            Your want to store a copy of the private key on the encrypted machine so it can automatically sign kernel updates.

        • @[email protected]
          link
          fedilink
          English
          54 months ago

          And technically you can whitelist other certificates, too, but I have no idea how you might do that.

          When you enter the UEFI somewhere there will be a Secure Boot section, there there is usually a way to either disable Secure Boot or to change it into “Setup Mode”. This “Setup Mode” allows enrolling new keys, I don’t know of any programs on Windows that can do it, but sbctl can do it and the systemd-boot bootloader both can enroll your own custom keys.

          • @ilinamorato
            link
            English
            14 months ago

            Definitely not for the “normie” then.

      • @trollbearpig
        link
        English
        11
        edit-2
        4 months ago

        Probably too late, but just to complement what others have said. The UEFI is responsible for loading the boot software thst runs when the computer is turned on. In theory, some malware that wants to make itself persistent and avoid detection could replace/change the boot software to inject itself there.

        Secure boot is sold as a way to prevent this. The way it works, at high level, is that the UEFI has a set of trusted keys that it uses to verify the boot software it loads. So, on boot, the UEFI check that the boot software it’s loading is signed by one of these keys. If the siganture check fails, it will refuse to load the software since it was clearly tampered with.

        So far so good, so what’s the problem? The problem is, who picks the keys that the UEFI trusts? By default, the trusted keys are going to be the keys of the big tech companies. So you would get the keys from Microsoft, Apple, Google, Steam, Canonical, etc, i.e. of the big companies making OSes. The worry here is that this will lock users into a set of approved OSes and will prevent any new companies from entering the field. Just imagine telling a not very technical user that to install your esoteric distro they need to disable something called secure boot hahaha.

        And then you can start imagining what would happen if companies start abusing this, like Microsoft and/or Apple paying to make sure only their OSes load by default. To be clear, I’m not saying this is happening right now. But the point is that this is a technology with a huge potential for abuse. Some people, myself included, believe that this will result in personal computers moving towards a similar model to the one used in mobile devices and video game consoles where your device, by default, is limited to run only approved software which would be terrible for software freedom.

        Do note that, at least for now, you can disable the feature or add custom keys. So a technical user can bypass these restrictions. But this is yet another barrier a user has to bypass to get to use their own computer as they want. And even if we as technical users can bypass this, this will result in us being fucked indirectly. The best example of this are the current Attestation APIs in Android (and iOS, but iOS is such a closed environment that it’s just beating a dead horse hahahah). In theory, you can root and even degoogle (some) android devices. But in practice, this will result in several apps (banks in particular, but more apps too) to stop working because they detect a modified device/OS. So while my device can technically be opened, in practice I have no choice but to continue using Google’s bullshit. They can afford to do this because 99% of users will just run the default configuration they are provided, so they are ok with losing the remaining users.

        But at least we are stopping malware from corrupting boot right? Well, yes, assuming correct implementations. But as you can see from the article that’s not a given. But even if it works as advertised, we have to ask ourselves how much does this protect us in practice. For your average Joe, malware that can access user space is already enough to fuck you over. The most common example is ransonware that will just encrypt your personal files wothout needing to mess with the OS or UEFI at all. Similarly a keylogger can do its thing without messing with boot. Etc, etc. For an average user all this secure boot thing is just security theater, it doesn’t stop the real security problems you will encounter in practice. So, IMO it’s just not worth it given the potential for abuse and how useless it is.

        It’s worth mentioning that the equation changes for big companies and governments. In their case, other well funded agents are willing to invest a lot of resources to create very sofisticated malware. Like the malware used to attack the nuclear program plants in Iran. For them, all this may be worth it to lock down their software as much as possible. But they are playing and entirely different game than the rest of us. And their concerns should not infect our day to day lives.

        • @[email protected]
          link
          fedilink
          English
          34 months ago

          “And then you can start imagining what would happen if companies start abusing this, like Microsoft and/or Apple paying to make sure only their OSes load by default.”

          I’m convinced that this is definitely the end goal for Microsoft, especially with the windows 11 TPM requirement. We are in the early stages of their plan to mold the PC ecosystem to be more like mobile. This is the biggest reason I decided to move to Linux - it’s now or never in my opinion.

          • @[email protected]
            link
            fedilink
            English
            -14 months ago

            This is the most open time period for hardware as far as options go since like, the 90s. Microsoft isn’t taking away options.

        • sircac
          link
          English
          24 months ago

          Thanks a lot for the summary!

      • @[email protected]
        link
        fedilink
        English
        04 months ago

        It is based on the assumption that every piece of code in the entire stack from the UEFI firmware to the operating system userspace is free of vulnerabilities

        • @Emerald
          link
          English
          24 months ago

          That doesn’t mean it’s useless. All software is prone to vulnerabilities and exploits, but that doesn’t mean its not worth using it at all. TrueCrypt was a good solution for the time, even if we now know it is pretty vulnerable

  • @[email protected]
    link
    fedilink
    English
    52
    edit-2
    4 months ago

    lol at the DO NOT TRUST keys.

    I’ve learnt over the years that you have to make the example code fail to compile or print out huge user-visible warnings or something like that, otherwise people can and will use it as-is in production, hard-coded keys and all.

    Even if you make it print out a huge message, some manufacturers will just comment that out while keeping all the other dummy example data.

    I’ve seen several production OAuth/OpenID servers that accepted an app ID and secret from a “how to set up an OAuth server” tutorial, and in one case the company was using that app ID for all their production services.

    • @[email protected]
      link
      fedilink
      English
      354 months ago

      It’s supposed to prevent unsigned files from being loaded by the UEFI (AFAIK) which could possibly help with rootkits, if it doesn’t somehow sign itself. However, these are pretty rare if you don’t allow sketchy software to access your boot partition, and will often cause issues with non major Linux distros.

      • bruhduh
        link
        English
        9
        edit-2
        4 months ago

        I had dell pc refuse to boot Linux mint because of secure boot

        • @nul9o9
          link
          English
          64 months ago

          I’ve been wary of secure boot and pluton chips for this reason.

        • @Emerald
          link
          English
          -14 months ago

          Then you haven’t set it up right

          • bruhduh
            link
            English
            44 months ago

            Nah man, it didn’t even allowed to boot iso from ventoy until i disabled secure boot

              • @Emerald
                link
                English
                14 months ago

                I just don’t bother with secure boot as its not in my threat model. I turn it off

            • @Emerald
              link
              English
              14 months ago

              Well of course, thats the setup. Disabling secure boot. If it didn’t stop you from booting a third party OS without you toggling that BIOS option, then the security feature would be pointless.

              • bruhduh
                link
                English
                14 months ago

                Imagine if in the future that option becomes untouchable

                • @Emerald
                  link
                  English
                  14 months ago

                  Then it would be an issue and I would not suggest anyone buy those machines

    • @[email protected]
      link
      fedilink
      English
      104 months ago

      Speaking from my background, it prevents someone from trying to boot using an external device to access your system, assuming you have a BIOS password in place.

      Of course encrypting your drive works just as well, but security in depth demands a “why not both?” Approach

  • @[email protected]
    link
    fedilink
    English
    284 months ago

    The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text.

    It’s like installing a top-of-the-line alarm system for your house with camera, motion detector, alarm, and immobilizing gas, then leaving the unlock password on a PostIt under the welcome mat.

    • TimeSquirrel
      link
      fedilink
      214 months ago

      immobilizing gas

      BRB, setting up a new automation in Homeassistant…

        • TimeSquirrel
          link
          fedilink
          84 months ago

          ESP32 running ESPHome connected to a MOSFET and relay, which operates a solenoid valve on the canister of gas. Don’t let dreams be dreams.

          • @cheese_greater
            link
            English
            2
            edit-2
            4 months ago

            As long as there’s some left for the dr. A little delphic courage

        • Optional
          link
          English
          34 months ago

          It’s totally a thing, bro. Here take a hit off this immobilizing gas bubble pipe

    • umami_wasabi
      link
      fedilink
      English
      1
      edit-2
      4 months ago

      For anyone interested, that 4 characters is the lowercase in alphabet order, starts from index 0.

  • @[email protected]
    link
    fedilink
    English
    21
    edit-2
    4 months ago

    200+ models from 5 big device makers

    Nearly 500 device models use them anyway.

    Bleeping Computer reports 813 products from 10 vendors.

    Checked the BIOS update file of a Gigabyte motherboard I have here (Z170X - Gaming 7):

    DETECTED PKfail untrusted certificate

    Issuer: CN=DO NOT TRUST - AMI Test PK

  • @j4k3
    link
    English
    194 months ago

    K-rapy garboge!:

    There’s little that users of an affected device can do other than install a patch if one becomes available from the manufacturer.

    Gentoo gives extensive instructions:

    Arch:

    NIST (US government guides cover POSIX/Windows with a layperson explanation and guide):

    The technical documentation about Secure Boot says that SB is not a mechanisms to steal ownership of your device. It is a spurious claim because the design specification is only a reference and not a requirement. Gentoo has further documentation that can be found describing KeyTool, a package that enables booting directly into UEFI to change the keys manually if your implemented UEFI bootloader lacks the functional implementation required to sign your own keys. I’ve never tried it personally. I merely know of its existence.

  • @[email protected]
    link
    fedilink
    English
    114 months ago

    i like how the manufacturers who responded to the author’s queries basically said ‘tough shit, that product is out of support’

  • I Cast Fist
    link
    fedilink
    English
    104 months ago

    Clearly, the solution is to just abandon all hope higher level abstraction. Pedal to the metal with Assembly (and maybe LISP and Forth) straight from boot

    • @coldy
      link
      English
      184 months ago

      I don’t speak for all Linux users, but it’s not like we don’t like the tech or the concept… We don’t like it because a lot of the time it’s just another way for Microsoft to throw around their weight, you need a valid key to sign your kernel images with to be able to boot another OS instead of Windows, and some motherboards don’t support installing your own keys as trusted keys. But usually there are ways around that issue nowadays.

      And also it’s not an easy process if you’re not an advanced user of sorts. You have to know what is entailed, what to use, where to store your keys safely, have a script to re-sign the kernel image every kernel update(which happens every week on something like Arch), etc.

      • Mwas alt (prob)
        link
        fedilink
        English
        1
        edit-2
        4 months ago

        ngl i got fedora secure boot working with microsoft uefi keys it required some tinkering

    • @[email protected]
      link
      fedilink
      English
      114 months ago

      They don’t like it because it’s mostly implemented in microsofts favor. It’s shipped with microsoft keys by default and needs to be disabled to boot a lot of linux distros. If there was a more unbiased way to load a new os like a default key setup routine at first boot or a preinstalled key for major linux distros they wouldn’t be so hostile towards secure boot. The technology isn’t bad and it’s the only way to not have somebody temper with your system at rest without TPM.

  • @[email protected]
    link
    fedilink
    English
    -1
    edit-2
    4 months ago

    “It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”

    I mean, I don’t really have much interest in requiring that my BIOS code be signed, but I have a hard time believing that this Martin Smolár guy is correct. Just entirely disable firmware updates in the BIOS, and re-enable just for the one boot where you update your BIOS while booting off a trusted USB key. You’d never put your OS in a position of being able to push an update to the BIOS.

    EDIT: Actually, if current BIOSes can update without booting to an OS at all, just selecting a file on a filesystem that they can understand – IIRC my last Asus motherboard could do that – you never need to enable it for even that.

    • @SzethFriendOfNimi
      link
      English
      114 months ago

      I think Secure boot is intended to check that the boot loader itself is signed.

      This is a way to mitigate viruses and malware that infects the boot loader so it can reinstall itself if it’s removed by AV, or something else.

      If you can create a boot loader that is signed in such a way that secure boot can’t tell it’s invalid then you can do some nasty stuff.

      Closest analogy I can think of is verisigns private key being leaked and there’s no fast and easy way to revoke and replace it without wreaking havoc on currently installed OS’s machines.