Questions tagged [secure-boot]
The secure-boot tag has no summary.
62 questions
1
vote
2
answers
146
views
Does a signed TPM2 PCR policy verify the EFI code similarly to secure boot?
For context, my question relates to the use of the systemd-cryptenroll and the related TPM enrollment options where one set of options "configures a TPM2 signed PCR policy to bind encryption to.&...
- 109
0
votes
2
answers
183
views
Does SecureBoot+Lockdown help protect against getting firmware-level malware, even if an attacker gains Root access?
This Reddit comment suggests that even if malicious software gains root access, SecureBoot + Lockdown mode in the Linux kernel can help prevent malware from gaining access to the kernel to perform ...
- 131
3
votes
1
answer
414
views
Does Secureboot require an EFI password to be effective?
A lot of systems have secureboot but don't require any password to access bios/efi settings, which means you can disable secureboot without authentication.
Additionally, it seems like many Linux ...
- 131
1
vote
0
answers
189
views
U-Boot hardening - how manage U-Boot Environment Variables
I'm running on a Linux Embedded product and U-Boot Bootloader.
I enabled the Secure Boot Chain of Trust, from ROM to Kernel + DM-verity and DM-Crypt partition protection.
Now I'm worried about the U-...
- 11
1
vote
0
answers
167
views
Are there any known BIOS that clear a TPM on disabling secure boot?
I noticed that when the secure boot options is disabled on a Bitlocker enabled Windows laptop with TPM, in order to boot into a forensic live OS like Kali in Forensic Mode or Parrot OS that the TPM is ...
- 7,715
4
votes
2
answers
353
views
Do I need to verify a .ISO before flashing, if my laptop has secure boot?
My Dell XPS 9310 has secure boot enabled and the BIOS is up to date and there are no manual keys added there.
Can I download a ubuntu .ISO from anywhere and flash into any computer without worrying ...
- 317
1
vote
1
answer
175
views
Does Bitlocker provide a degree of protection from PKFail?
I have searched online, but have not been able to find anything about this.
I understand the PKFail can compromise the boot process by allowing a signed key to sign malware to insert into the UEFI, ...
- 713
0
votes
1
answer
169
views
Is the ability to use Machine Owner Keys effectively a bypass of SecureBoot security?
SecureBoot uses a PKI path to verify particular signed bootloader binaries before it runs these binaries. This PKI, as far as I understand, is basically owned by Microsoft, meaning that only Microsoft ...
- 607
1
vote
0
answers
76
views
Is PUF Challenge-Response Authentication applied on every power-up event? [closed]
Are PUFs used, EVERY time we power on the computer to verify that nothing has been tampered with (by using CRP authentication)?
Which element performs this authentication? (bios, secureboot, I don't ...
- 513
-1
votes
2
answers
335
views
Laptop Repair vs. Evil Maid
Suppose you need a laptop repair, so you bring it to
A big box store where you have some sort of coverage (who will have the computer for 2-3 weeks)
A small chain of repair shops
a small independent ...
1
vote
1
answer
556
views
Why the TPM PCRs does not consider a UEFI settings change? If someone resets CMOS, it's undetected
In my laptop I've set up a bios password when I power on the laptop, and once I enter it the laptop starts my linux distro and decrypts the disk without asking any other password. To do this I've set ...
- 137
1
vote
1
answer
283
views
How do nonce hashes prevent replay attacks on Apple Silicon?
Apple Silicon-based Macs have a LocalPolicy file that controls the secure boot process. To prevent replay attacks of the LocalPolicy, hashes of nonces are used. From here:
The lpnh is used for anti-...
- 276
0
votes
2
answers
303
views
Secure Boot: Can Firmware verify every component?
As far as I've seen, the Secure Boot process is described like so: A firmware stored in read-only memory and therefore considered secure starts. It verifies the next software component (e.g. a ...
2
votes
1
answer
874
views
In a secure boot bootloader chain, does a bootloader image contain the RootCA certificate of the next bootloader?
This is coming from Qualcomm's Secure Boot explanation.
https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/secure-boot-image-authentication_11.30.16.pdf
Within it, it explains that ...
- 121
2
votes
1
answer
3k
views
What does Secure Boot protect against?
As far as I understand, Secure Boot protects system from running code not signed by a specific vendor(s) during early boot stages.
In order to attempt an attack on the bootloader in the first place, ...
- 123