undefined | Better HN

0 pointsadrian_b9mo ago0 comments

Nevertheless, it is trivial to make any BIOS-based computer at least as secure as the most secure UEFI/secureboot-based computers.

For that, any SSDs/HDDs included in the computer should be non-bootable and fully-encrypted.

Then the BIOS will happily run whatever an intruder will attempt to run, but nonetheless the intruder will not have any access, neither for reading nor for writing, to the data hosted by the computer.

The owner can boot from a removable USB memory, used as a computer key, whose content cannot be modified by someone else as long as the owner keeps it.

All Intel/AMD CPUs have backdoors in the form of the System Management Mode and of various hardware management engines, which can be exploited by a malicious BIOS or UEFI firmware to monitor what the operating system that is controlled by the user does, but SecureBoot also offers no protection against such backdoors. ARM CPUs are no better, because many of them have copied Intel, so they have the equivalent of the SMM: EL3.

If you run yourself a hostile application after booting, then SecureBoot also does not offer any protection against that.

0 comments

JCattheATM9mo ago

> Nevertheless, it is trivial to make any BIOS-based computer at least as secure as the most secure UEFI/secureboot-based computers.

Mmm....no.

I use my own keys and removed vendors keys from my secureboot setup. Hard disk is encrypted and automatically pulls keys from the TPM to boot into a guest OS, which is running something akin to prey. If the hard drive is removed, it can't be read or examined, and you can't replace the HDD with a different OS to get it to boot.

How would you recreate that setup with just a BIOS?

adrian_bOP9mo ago

The setup that I have described has identical behavior, except that I use a removable USB memory (containing a bootable OS kernel and encrypted SSD/HDD keys) instead of a TPM and a firmware implementing SecureBoot, which are included in the computer motherboard.

In my variant, you do not need to trust anyone but yourself, because an attacker will have access only to a system where the component that needs to be secure is not present. In your variant, you must trust the vendors of the TPM and of the firmware, that their products do not have either intentional backdoors or bugs that would allow the extraction of the secret keys.

Having seen first hand how the development of "secure" products is done even at the companies that do not have bad intentions, I do not trust anyone, except myself.

JCattheATM9mo ago

> The setup that I have described has identical behavior, except that I use a removable USB memory

That's a huge difference though!

With my setup, if someone steals the device, they get a fully useable laptop with no password, locked down and restricted - they can join wifi networks, use the browser, download etc, but can't access the 'real' OS, and the laptop won't boot from anything other than the encrypted HDD it has the keys for.

It sounds like your setup leaves out the guest OS aspect, and is just set to boot into an encrypted OS only if a hardware key is present, which is quite a bit different.

> In my variant, you do not need to trust anyone but yourself,

That's true for my setup as well. Secureboot has an opensource reference implementation that has been in Coreboot for a long time, and it's not necessary to keep or add any vendor keys.

1 more reply

j / k navigate · click thread line to collapse

0 pointsadrian_b9mo ago0 comments

Nevertheless, it is trivial to make any BIOS-based computer at least as secure as the most secure UEFI/secureboot-based computers.

For that, any SSDs/HDDs included in the computer should be non-bootable and fully-encrypted.

The owner can boot from a removable USB memory, used as a computer key, whose content cannot be modified by someone else as long as the owner keeps it.

If you run yourself a hostile application after booting, then SecureBoot also does not offer any protection against that.

0 comments

JCattheATM9mo ago

> Nevertheless, it is trivial to make any BIOS-based computer at least as secure as the most secure UEFI/secureboot-based computers.

Mmm....no.

How would you recreate that setup with just a BIOS?

adrian_bOP9mo ago

Having seen first hand how the development of "secure" products is done even at the companies that do not have bad intentions, I do not trust anyone, except myself.

JCattheATM9mo ago

> The setup that I have described has identical behavior, except that I use a removable USB memory

That's a huge difference though!

It sounds like your setup leaves out the guest OS aspect, and is just set to boot into an encrypted OS only if a hardware key is present, which is quite a bit different.

> In my variant, you do not need to trust anyone but yourself,

That's true for my setup as well. Secureboot has an opensource reference implementation that has been in Coreboot for a long time, and it's not necessary to keep or add any vendor keys.

1 more reply

j / k navigate · click thread line to collapse