UEFI bootkit

[jdow]

On 2012/09/20 19:38, JD wrote:
>
> On 09/20/2012 07:56 PM, Eddie G. O'Connor Jr. wrote:
>> On 09/20/2012 08:24 AM, jdow wrote:
>>> On 2012/09/20 04:45, Matthew Miller wrote:
>>>> On Thu, Sep 20, 2012 at 04:29:47AM -0700, jdow wrote:
>>>>> That is why I like my unique to the machine key that is supplied to the
>>>>> user along with the board serial number. So he can make changes. But the
>>>>> changes for his system cannot affect other systems. That would make
>>>>> custom signed Linux kernels possible for a person testing kernel builds
>>>>> or compiling in obscure filesystems, such as I do from time to time.
>>>>
>>>> You will be able to do this -- at least, on x86. Some lobbying on the ARM
>>>> front is needed.
>>>>
>>>> It won't be a key that's supplied to the user, though. The user will be able
>>>> to add their own.
>>>
>>> As long as the key is unique to one single machine the idea is sound
>>> except for the "user too stupid to live" cases.
>>>
>>> {^_^}
>>
> What is it that will check "uniqueness" of the key?
> Over the internet? Check with what/who ?

Nothing. The user would have the option in the BIOS to generate, somehow,
a random number. He's told to type keys on the keyboard, any keys at all,
with the intervals feeding some randomness into the system. Then the key
for signing is presented on the screen for the user to copy down, pen and
paper mode. (Yeah, that is SO centuries ago. But, it's not in electronic
form, yet, so it is quite secure. If the machine makes sure nothing is
plugged in other than keyboard, mouse, and monitor it's not likely to be
siphoned off by monitoring malware.)

{^_^}