Red Hat and CentOS systems aren’t booting due to BootHole patches

113 points by thg almost 5 years ago

12 comments

cvwilliams almost 5 years ago
As usual, there are prophetic warnings from Linus:

https://yarchive.net/comp/linux/efi.html

BIOS should be simple, because it is buggy anyway. Handing over to a bootloader in the MBR is all that a BIOS should do. Now one is at the mercy of NVRAM, grub2 and loads of gratuitous complexity.
fideloper almost 5 years ago
Ubuntu had this as well, but got a release out quickly so it seems to have not been too huge an issue.

Bug report: https://bugs.launchpad.net/cloud-init/+bug/1877491

Description/remediation: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass?_ga=2.62301103.2044889230.1596151413-1800768090.1596151413
nullc almost 5 years ago
Number of users saved from attack by secure boot: 0
Number of systems bricked by fixes to secure boot vulnerabilities: Many

Sad to see TSA in software form.
cpncrunch almost 5 years ago
We have a CentOS 8 server that has been bricked, and there doesn't seem to be any solution right now. Downgrading the packages shows "lowest version already installed, cannot downgrade it.", and I can't manually install the old packages because there doesn't seem to be any way of getting them. Someone says to use http://mirror.centos.org/centos-8/8.2.2004/BaseOS/x86_64/os/Packages/ but that seems to have the very latest packages and even after updating the affected ones it still fails to boot.
noahbliss almost 5 years ago
Hey all, just wanted to make you aware of the mortar project here: https://github.com/noahbliss/mortar

It takes a comprehensive approach rather than piecemeal like a lot of these patches, leveraging technology already in your system to build a conceptually airtight and fully audited system. Happy to get some of your opinions on it, constructive criticism, and pull requests!
ginko almost 5 years ago
I still don't understand why this even needed to be fixed. Finding a way to circumvent UEFI DRM seems to be a good thing.
qalmakka almost 5 years ago
I'm kind of out of the loop - is BootHole a UEFI or GRUB2 vulnerability?
benttoothpaste almost 5 years ago
The most secure boot is the one that does not take place ;) So maybe there is a method in this madness?
fomine3 almost 5 years ago
It seems that it's a really critical issue. How does this patch pass Red Hat's test?
cpncrunch almost 5 years ago
Fixes now available for RHEL, still waiting for CentOS.
Jonnax almost 5 years ago
Is Secure Boot on Linux actually secure?

I remember reading it was like a signed loader and that's it. But I presume that's incorrect?
fortran77 almost 5 years ago
That's the great thing about open source, though. You guys can fix it yourself. Me, I'm stuck on Windows 10.