Leaked stolen Nvidia key can sign Windows malware

The private key of an Nvidia code-signing certificate was among the mountain of files stolen and leaked online by criminals who ransacked the GPU giant's internal systems. At least two binaries not developed by Nvidia, but signed this week with its stolen key, making them appear to be Nvidia programs, have appeared in malware …

  1. Anonymous Coward

    So what happens now?

    So what happens if say an iMac 2009 (as an example) with Nvidia 9400GM Graphics/(Bootcamp) using either Nvidia 340.108 (Linux) or Nvidia 342.01 Windows drivers which are no longer supported but still work fine, are these machines going to be the price paid by consumers for this fcuk up by Nvidia? More landfill crud, where end users are the innocent party in this.

    All seems very convenient, to sell a shitload of tech, off the back of this, for both MS and Nvidia.

    To MS/Nvidia, you better sort this out for all legacy drivers, not just current ones, anything else is unacceptable. Nvidia make 340.108 compatible with Linux 5.15 kernel while you're at it.

    And just to make the point regarding Windows 11, a TPM module and secure boot, doesn't save anyone from this type of malware where there is a compromised certificate. Plenty have made that point very vocal in the last few months.

    Windows, the utter trash - just keeps on giving.

    1. John Brown (no body) Silver badge

      Re: So what happens now?

      I guess it depends on how likely the binary blob is to get new updates and where you download them from.

    2. iron Silver badge

      Re: So what happens now?

      More frog pills required nurse! He's ranting complete bollocks again.

      1. Anonymous Coward

        Re: TPM Module is Microsoft's answer, equivalent to Boeing's sticking plaster MCAS system.

        <Iron> Look, if you want to shoot the messenger, fine.

        Linux's reputation is getting trashed because of Nvidia's proprietary drivers. Upgrading Linux Mint 20.3 using kernel 5.8 to 5.13, ends up with a flashing cursor on reboot, without using third-party patched drivers.

        And yes, angry – because it's relentless, and it's always the end user that gets pushed around, forced to do things Microsoft's way. The Windows team seems to be concentrating on the superficial fringes, aka. Notepad tinkering, rather than attacking the entangled patched, patch on patch, tangled spaghetti blob of Windows code.

        Stipulating a TPM Module is Microsoft's answer equivalent to Boeing's sticking plaster MCAS system.

        How about explaining how a TPM Module and Secure Boot supposedly helps if malware is embedded in a signed low level Nvidia driver code, if you know a way it does. A graphics driver generally is something that has 'access all areas' to the core OS.

        In theory, it could help encrypt different sections of the core operating system code (but with the overhead of doing that), from prying eyes, but is that really possible within legacy Windows code? Bearing in mind, this is a potentially malware infected 'signed' all access low level graphics driver, with root privileges?

        It seems a moot point, given the overhead and given the security attack vectors the TPM chips have themselves been shown to have.

        If I'm wrong, point out how this is wrong, I've never stopped learning, and listening, but let's have some transparency here. How does it help in this situation? I just can't see how it does.

        1. doublelayer Silver badge

          Re: TPM Module is Microsoft's answer, equivalent to Boeing's sticking plaster MCAS system.

          I love how Nvidia failing to update drivers for Linux kernel compatibility is now Microsoft's fault. The Linux-related comments are on Nvidia and I'm not here to defend them. While I'm not here to defend Microsoft either, I must also point out that the comments about the TPM are missing the point about what that is there to do. I think that requiring one for Windows 11 is useless and generates unnecessary obsolescence, but nobody claimed that having it would in some way prevent malware. You appear to be complaining that the chip doesn't do something that it was never designed to do, and if it did do you still wouldn't support. This leads me to think that, instead of raising actual problems, you are just angry and would like to blame Microsoft for anything that doesn't work as expected.

    3. ThatOne Silver badge
      Unhappy

      Re: So what happens now?

      I'm with the OP.

      I too guess owners of older Nvidia cards on Windows will now have to buy new video cards, for Nvidia obviously won't issue updated drivers for EOL kit.

      Obviously if you're of the "shiny-shiny" people who change car, computer, phone and spouse every year for the latest and greatest you won't be affected. Problem is, other people who don't appreciate blind consumerism will, and the fact you consider them to be stupid doesn't change anything.

      Also, this shows once again what a chocolate teapot program signing is. It's only good to control independent developers, as a security tool it is hopeless, it's not like certificates aren't leaked/stolen/forged all the time.

      1. cyberdemon Silver badge
        Holmes

        It's only good to control independent developers

        Yes, I believe that's its intended purpose

        It seems to me, the only point of TPM is to force smaller developers out of the market and to let Microsoft, Google, Amazon et al take over everything. And it will be used for unbreakable DRM for the likes of Disney, netflix, etc.

        It was never about security - that was always just an excuse.

    4. bombastic bob Silver badge
      Mushroom

      Re: So what happens now?

      driver certs: a Charlie Foxtrot "Circular Fire Drill" by any other name

      the whole "driver signing" system needs to be DUMPED. no more automatically trusting kernel drivers just because they're "signed". I bet this whole "driver signing" nonsensical CRAP has CREATED more problems than it EVAR solved (especially for small time independent developers and OPEN SOURCE in general, having to "pay the toll" to ship or even COMPILE a driver binary from source - noting that for video drivers, you do not have many options available to you OTHER than driver signing)

      (And, THIS is just one example of why - think 'stolen keys to a back door' and you're on the right track)

      (thankfully this driver signing fiasco is NOT on my FreeBSD or Linux desktops)

    5. ecofeco Silver badge

      Re: So what happens now?

      I see the MS fanbois showed up to downvote you.

      So have my upvote!

  2. karlkarl Silver badge

    Can we use the leaked cert to sign open-source firmware as part of the Nouveau Linux driver?

    If so, then this is definitely a good thing and certainly outweighs a few twits that are going to get a virus.

    1. Artem S Tashkinov

      These are 100% unrelated.

      Firmware files are signed using internal NVIDIA's keys specific to the company and its hardware.

      Lastly, it's _not_ about signatures - you can trivially extract the said firmware files from publicly released NVIDIA drivers.

      NVIDIA does _not_ license these firmware files for use with nouveau - that's the issue.

      1. karlkarl Silver badge

        "NVIDIA does _not_ license these firmware files for use with nouveau - that's the issue."

        We are quite happy to ignore what NVIDIA licenses and doesn't license, it matters very little to us. However what is an issue is NVIDIA have made it impossible to access key hardware functionality because of a requirement on signed firmware.

        (Apologies for the reddit post but it contained both links):

        https://www.reddit.com/r/linux_gaming/comments/cnpuss/nouveau_developer_explaining_how_exactly_nvidia/

        So are these things really completely unrelated?

        1. Anonymous Coward

          Who is "we"? Are you part of the driver development team? Because the last I heard they were being paid by Red Hat, who definitely do care about having valid licenses for the code they send their customers.

          1. Anonymous Coward

            Drivers for Linux are traditionally reverse engineered and Nouveau are no exception. So you think they had a license for that?

            Red Hat are a prominent developer in the Linux ecosystem but you are absolutely doing all the thousands of independent an insulting disservice by saying things like "driver development teams are all paid by Red Hat".

            1. Anonymous Coward

              Reverse engineering requires no license, and Red Hat does it.

              Cutting signed binary firmware out of Nvidia drivers and shipping that does. I think even the most novice software developer should have that level of copyright knowledge.

              Yes - look up the list of who employs the Nouveau developers: it's Red Hat. I assume you are not a Nouveau contributor? BTW I have submitted one bug fix patch to it, and I don't pretend to describe myself as a Nouveau developer.

        2. iron Silver badge

          > We are quite happy to ignore what NVIDIA licenses and doesn't license, it matters very little to us.

          Are you quite happy to be sued into oblivion as well?

          How does a MICROSOFT code signing certificate used for WINDOWS DRIVERS help you in any way whatsoever with FIRMWARE?

          Hint: It doesn't.

          Who moved the stone that was covering the blithering idiots?

          1. karlkarl Silver badge

            "Are you quite happy to be sued into oblivion as well?"

            Using a leaked private signing key for hardware I own? Hah, yeah I will take the chances.

            Frankly the reverse engineering work used for most drivers is much more risky than using that.

            Perhaps you should get out from under that rock and live a little too. Don't fear the big scary commercial companies. Yes, they are bigger and better than us but don't have such a defeatist attitude.

            1. Anonymous Coward

              Ok - how about this... You can use the certificate to sign drivers (but you don't have to - you can just get your own certificate to sign drivers if you need to). You can't sign Nvidia firmware because firmware is not the same thing as a driver and isn't signed by the leaked Verisign private keys.

              Reverse Engineering is a well documented and litigated topic back to the first IBM clone. It isn't the same thing as pretending to be Nvidia using stolen private keys. It isn't the same thing as copying BLOBs out of Nvidia copyright software.

  3. Artem S Tashkinov

    In case people want to check what this leak is all about, follow this link:

    https://www.opennet.ru/openforum/vsluhforumID3/126912.html#104

    It's a treasure trove of internal information, including the source code for Windows and Linux drivers, DLSS, certificates, etc. etc. etc.

  4. emfiliane

    You can manually import it into your system's untrusted list, or as a sysadmin push out a policy that does so, but it's a pain in the ass and Microsoft needs to release a security update right now that revokes this certificate.

    1. Anonymous Coward

      "...Microsoft needs to release a security update right now"

      Can they? What if you're legitimately using this key? Or, is this key even in use and if so, for what?

      1. ThatOne Silver badge
        Unhappy

        > What if you're legitimately using this key?

        I imagine your old Nvidia driver will henceforth be flagged as "unfit for duty" by Windows and if that video card is not brand new, you will have to immediately buy a new one, since EOLed products don't get updates. Profit! (For Nvidia obviously, not for you. It's users who always pick up the pieces and foot the bill when things like that happen...)

        1. Anonymous Coward

          Things need to change at Microsoft.

          Exactly, those using EOL products are the innocent victims here.

          End users using legacy hardware shouldn't be the victims in all this as a result of Nvidia's failed security, and from what we can tell so far, exploiting weaknesses in Windows code to gain access.

          My gripe with Microsoft, is the current concentration of efforts on superfluous BS, like Notepad's look and feel. Windows Update is still clunky, often doesn't work, essentially, a bag of rusty old nails, but Notepad's look and feel is clearly more important to the head of the Windows development team.

          The fact that a minor 'dark mode' update to Notepad had to go through the insider programme before release, just shows how bad their own internal testing regimes are now, to the point of being non-existent.

          Microsoft has the wrong people in charge of Marketing (how they've kept their job this long, god only knows) and of Windows. They also need to employ an exceptional person for the role of heading up Windows Update, that has a brain with OCD (Obsessive compulsive disorder), for detail. That's what it is going to take to detangle the mess that is 'patch on patch' Windows now.

          Things need to change.

          1. ThatOne Silver badge
            Devil

            Re: Things need to change at Microsoft.

            > Marketing (how they've kept their job this long, god only knows)

            Apparently by having everybody else fired. (Except of course the cleaning staff, and the intern who does the coding, when he's not putting fresh toner into the printers or making coffee.)

            1. Claverhouse Silver badge

              Re: Things need to change at Microsoft.

              Or, judging by Microsoft, putting fresh toner in the coffee...

  5. Mr Spuratic

    obPedantry

    Stolen cert? I think you mean stolen key.

    There's nothing secret about an X.509 certificate.

    1. Anonymous Coward

      Re: obPedantry

      It's a fair point, even if your post offers nothing else. Keeps everyone here on their toes regarding what they post.

  6. Binraider Silver badge

    Other video card manufacturers are available. Use them!

    In general my experience of AMD and even Intel living on Linux has been a favourable one. Unlike the deliberately nerfed user experience caused by Nvidia's approach to releasing software.

    1. CommonBloke

      Only an option if:

      1- you're buying a new computer

      2- if you want a notebook, finding one with AMD can be hard

      3- you have a desktop, you can't change graphic cards on notebooks

      4- you can find a card at a decent price.

      What we need is more competition. Intel can probably get in on the game, though only using their better graphics chips as integrated on their most expensive processors doesn't help consumers at all.

      1. Binraider Silver badge

        Agree, though on #2 there are reasonable options available now. And for a work laptop AMD/Intel integrated stuff is fine. Alchemist - whenever it finally launches en masse will hopefully help with the desktop market somewhat too.

        On #4; which we are far from reasonable just yet, there are signs of some improvement. No doubt to be scuppered by the third in trilogy of sucky years.
