Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ubuntu's Secure Boot support vulnerability threatens even Windows PCs


  • Please log in to reply
59 replies to this topic

#1 JohnC_21

JohnC_21

  • Members
  • 23,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:16 AM

Posted 28 January 2016 - 07:05 PM

Ubuntu is thwarting Microsoft’s efforts to keep PCs safe. Modern Windows PCs are required to ship with Secure Boot enabled, a safety measure that limits access to Microsoft-approved operating systems. To make life easier for Linux users, Microsoft provides Linux distribution bootloaders with a Microsoft signing key. But Ubuntu’s signed bootloader will happily boot unsigned code, breaking the whole chain of trust. Thankfully, this is set to change with the upcoming Ubuntu 16.04 LTS

 

Article 

Personally, I think SecureBoot is overrated. 


Edited by JohnC_21, 28 January 2016 - 07:06 PM.


BC AdBot (Login to Remove)

 


#2 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,904 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:09:16 PM

Posted 28 January 2016 - 09:01 PM

LOL @ chain of trust when Microsoft is involved.


Arch Linux .
 
 Come join the fun, chat to Bleeping computer members and staff in real time on Discord.
 
The BleepingComputer Official Discord Chat Server!


#3 Guest_hollowface_*

Guest_hollowface_*

  • Guests
  • OFFLINE
  •  

Posted 29 January 2016 - 12:00 AM

I'm a bit unclear. Are they saying that in the new 16.04 release, if secure boot is enabled, Grub will boot an OS only if the kernel is signed, because sometimes that might not be desired.



#4 mremski

mremski

  • Members
  • 493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NH

Posted 29 January 2016 - 03:12 AM

As a wise man once said in this forum (paraphrased) "...when Microsoft starts giving away hardware with their operating systems..."

 

I paid my money for the hardware, I will run what I want on it.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#5 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,904 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:07:16 AM

Posted 29 January 2016 - 03:33 AM

I built my PC, My PC Specifications 

 

It never had Windows on it, This thing was a combination PC shop parts bin and ebay orders build.

 

 

 

I paid my money for the hardware, I will run what I want on it.

And when and how I want I will boot it any way I want and most importantly I will secure it the way I want, and do all the other things Linux users can do when I want and my privacy is not on sold or used for who knows what by who knows who.


Arch Linux .
 
 Come join the fun, chat to Bleeping computer members and staff in real time on Discord.
 
The BleepingComputer Official Discord Chat Server!


#6 mremski

mremski

  • Members
  • 493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NH
  • Local time:09:16 PM

Posted 29 January 2016 - 07:49 AM

So if I'm remembering correctly, "secureboot" is more likely on full up PCs from someone, if you buy a motherboard, you have to turn it on.  If it's on, you should be able to turn it off (may require mucking with disk partitions).  I could certainly see a huge world wide class action lawsuit if "all new PCs would only run windows 10".


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#7 Guest_GNULINUX_*

Guest_GNULINUX_*

  • Guests
  • OFFLINE
  •  

Posted 29 January 2016 - 08:57 AM

Most of the time the comments are better than the article...  :whistle:

Secure Boot was designed by Microsoft to prevent users from booting anything other than Microsoft software...

Greets!



#8 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 7,002 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:16 AM

Posted 31 January 2016 - 06:37 AM

LOL @ chain of trust when Microsoft is involved.

 

+1! :thumbup2:

 

That's the very reason why I not only disable Secure Boot on my own computers, yet also any of those that I work on for others at no charge, including simple things like installing security, setting a backup software program, cleansing of Malware, usually being a reinstall because once infected, the computer is untrusted. Secure Boot does not prevent nor block Malware from loading on a system. If Secure Boot is so great, then why is security any longer needed? The security features that the modern 64 bit CPU offers provides more security than Secure Boot, furthermore, so would simply placing a padlock on a tower PC. 

 

 

 

Personally, I think SecureBoot is overrated. 

 

Paragraph above is living proof of this. :)

 

Many who has Secure Boot (the ones who realizes that it's on their computers) has a misconception of what it represents. It can & often does prevent the install of a graphics or sound card, where there are no 'unsigned' drivers, yet are generally seen as safe, and Malware scans will prove it's the case. So Secure Boot has to be disabled to install & keep the components in the computer, otherwise, it's an expensive paperweight. 

 

As far as any 'chain of trust' when Microsoft is involved, I'll simply reserve my comments, because some will not like (or approve) of how I feel about it being forced upon consumers & it's hard for me to hold back. This has been discussed long ago in a long Topic in regards to Privacy & Security (in the Speak Easy Forum here), where one of the valuable links were taken down (though not by this site). Nick introduced us to the article, where I spread as far as possible, not just here, on many sites in response to articles pertaining to Secure Boot & Microsoft in general. Unfortunately, I didn't print nor download the article, why it was taken down, I have no idea, yet have one as to who & why. 

 

One thing that Secure Boot has done was to fuel the PC building industry, including rises in self-builds & custom builds by PC shops (certified shops & hobbyists). Though many of the MB's has the option of Secure Boot available (it's getting harder not to find newer ones that doesn't), the majority doesn't want it enabled & the builder will honor the paying customer's choice. Those who builds their own has total control over everything, and while may have to load Windows 7 (one can do so legally for 30 days w/out entering a COA) to install drivers & ensure all is OK, or to benchmark & upload for bragging rights, then format if HDD or secure erase the SSD & install the Linux distro of their choosing. UEFI firmware (or BIOS updates) can be performed by a bootable USB stick or by CD, with USB stick being the faster & most popular option, Windows isn't needed for this. 

 

If one wants to install Ubuntu, if the option is available, simply disable Secure Boot in the UEFI settings, be sure to press F10 to save settings (usually the key for most computers) & when it reboots, you're Free, Secure Boot is disabled. Install the OS, including Ubuntu, to your now unshackled computer & enjoy! :)

 

I don't recommend the disabling of GPT & reverting to MBR though, because GPT partitioning has some advantages over MBR, in performance, and because the bootloader is stored on more than one place on the drive. Plus it makes creating Logical/Extended partitions obsolete. One can have up to 128 Primary partitions, on a large drive, one for most everything. SSD's also sees some performance advantages. Any performance advantage, no matter how slight, is still a positive gain. 

 

The only thing I see 'threatened' by the disabling of Secure Boot is Windows user share, which doesn't mean anything outside of Microsoft corporate headquarters. Ubuntu is plenty secure enough to not be seen as a threat & many world governments & leading financial sectors (think Wall Street) are running modified versions of Ubuntu for their needs. So does many services we depend on daily runs some form of Linux for day to day operations, from your local banks, retailers (physical & online), medical offices, and in many instances, the ISP one's running is Linux powered. 

 

All of this is 'smoke & mirrors', Microsoft & their partners looking for an excuse to bake Secure Boot into new computers, taking away the right to disable the plague. You own the hardware, yet will not have full rights over it. That's the real agenda, and was discussed in the article that JohnC posted above. Consumers will have to rally for change, inaction equates acceptance. 

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#9 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 803 posts
  • OFFLINE
  •  
  • Gender:Male

Posted 31 January 2016 - 12:28 PM

 

Secure Boot does not prevent nor block Malware from loading on a system.

 

Not quite true. It does prevent some malware from loading, it just doesn't prevent all malware from loading, but then nor does anything else.

 

 A few years back when Windows was mostly 32 bit, there was a lot of trouble with rootkit concealed Malware, the rootkits were installed at kernel level by loading a modified driver.

 

So when Microsoft moved over to 64 bit Operating Systems, they introduced driver check, which checked to ensure that only signed drivers could be loaded.

 

To get round this problem the Malware writers modified the MBR of the computer they wished to infect, and inserted a new hidden partition. This partition was marked as the boot partition, so was the first to be loaded by BIOS. Instructions on that partition "switched off" driver check, so that malware drivers could now load.

 

These became known as "bootkits", as they ran at boot time.

 

To prevent the loading of bootkits, Microsoft introduced 2 new features, both of which became possible because of the move to UEFI style booting.

 

The first was Secure Boot, which only allowed signed Operating Systems to load (thus preventing the creation of unauthorised partitions), and the second was ELAM (early launch anti-malware) which loaded the drivers for approved anti-virus and anti-malware programs first, that way they were able to detect any attempt to install a malware driver.

 

Since these were introduced, the number of bootkit and rootkit based infections seen in the malware help forums has plummeted, and is probably the reason that Ransomware and Junkware infestations are now so prevalent.

 

Unfortunately the side affect of this is to cause problems for those of us who wish to run Linux, since not all Linux versions are "approved" to run on a system where Secure Boot is enabled.

 

As long as a User is able to manually disable the Secure Boot option in UEFI, then it really shouldn't be a problem, it's only when there's a move by some manufacturers to disable the option to de-select Secure Boot, that the "sh*t hits the fan".


Edited by Gary R, 31 January 2016 - 12:30 PM.


#10 Agouti

Agouti

  • Members
  • 1,548 posts
  • OFFLINE
  •  
  • Local time:07:16 AM

Posted 31 January 2016 - 01:02 PM

Thank you for taking the time to explain about Secure Boot, Gary. :)  I already knew this, but I hope it would help others who have an unreasonable bias against Secure Boot to gain a better understanding of it.  Like you, I have no problems with Secure Boot as long as there is a way to turn it off.



#11 JohnC_21

JohnC_21
  • Topic Starter

  • Members
  • 23,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:16 PM

Posted 31 January 2016 - 01:04 PM

It is kind of ironic that the introduction of Secure Boot led to an increase in Ransomware. @Gary R, of two would you consider Rootkits or Ransomware the most dangerous?



#12 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 803 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:16 AM

Posted 31 January 2016 - 01:57 PM

It is kind of ironic that the introduction of Secure Boot led to an increase in Ransomware. @Gary R, of two would you consider Rootkits or Ransomware the most dangerous?

 

It's a matter of perspective.

 

From a technical standpoint, Ransomware is fairly easy to remove from a computer, however, recovering the encrypted files can often be impossible. Mitigating a ransomware infection attack is really dependant on having a set of air-gapped backups. If you've got a recent set, then the attack causes minimal inconvenience, if you don't then the ramifications are serious.

 

Bootkits are or rather were more technically difficult to deal with, since by their very nature they hid their presence, so it wasn't always obvious that one was present. However, once we knew what to look for they could be both detected and removed, although sometimes the removal wasn't a straightforward proposition. Some versions resisted removal, and you could often spend as much time patching the damage caused removing them, as in the actual removal itself.

 

However, as this is a Linux forum, and since this only obliquely touches on the topic subject, I'll refrain from saying any more.



#13 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:07:16 AM

Posted 31 January 2016 - 11:21 PM

Not too worried about Linux rootkits/bootkits.... yet.

 

Would be highly concerned if my brand spanking new PC wouldn't run Linux though.



#14 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 7,002 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:16 PM

Posted 01 February 2016 - 01:41 AM

Not too worried about Linux rootkits/bootkits.... yet.

 

Would be highly concerned if my brand spanking new PC wouldn't run Linux though.

 

+1! :thumbup2:

 

You mean baked in Secure Boot? While it may not be here now, it's coming, and woe to the first OEM that does so! :angry:

 

Chances are that many will boycott the first that does, yet there'll be a 2nd, then 3rd & it's on. Consumers who cares about their future will pay the jacked up prices for new computers w/out it baked in, regardless of configuration, or may look at Apple & Google offerings. Or better yet, if a desktop PC user, learn how to build their own, or pay someone else who has the knowledge to do it for them. Notebook users will be the ones in the worst jam, though for at least a year, there will still be sealed Haswell pickings from which to choose, just not on the floors of retailers. Rather by 3rd party sellers, and this is where one will have to be careful, though eBay & Amazon both has consumer protection, and sites such as Newegg won't sell used products as new (unless specified). 

 

Plus there's a plethora of refurbished notebooks (many former business models) available through most all of the OEM 'outlet stores', though be sure to inquire about disabling Secure Boot before purchase, and be sure to keep any correspondence. There's lots of other sites that also sells these, so in the immediate future, there's not a serious threat, as I prefer legacy PC's as my 2nd & 3rd string models anyway, just as some wouldn't dare to get rid of their older vehicle, I feel the same way about my late Vista/early Windows 7 computers. 

 

Finally, if I were in the market for a new notebook, it would likely either be a Chromebook, or from one of the Linux vendors, by then they'll be doing more business, which will mean they can negotiate for lower prices on their hardware. Which for the most part, keeps pricing as jacked up as they are, not enough customers. When the effect of this policy is finally felt by consumers, they'll be looking in another direction, and other than Apple or Google, Linux vendors are plentiful, and none of the Secure Boot garbage will be baked in. 

 

Secure Boot is a strategy that will backfire badly, who becomes the winner once the dust has settled, in time we'll see. We do know whom it won't be. 

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#15 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 803 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:16 PM

Posted 01 February 2016 - 06:10 AM

There's no doubt at all that for a Linux user, Secure Boot without the ability to disable it is a non-starter, and I'd be surprised if it's actually legal to create a hardware platform that deliberately shuts out Linux installation by compulsory enforcement of Secure Boot.

 

When Microsoft first wanted to introduce it, they wanted it switched on by default, and there was a hell of a lot of resistance to that, in and out of court, so that in the end they left the option to switch it on or off to the computer owner.

 

I'd be surprised if there was any less resistance if they attempted to remove people's choice now, especially since a legal precedent may have already been set when they backed down last time.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users