Secure Boot useless on hundreds of PCs from major vendors after key leak

Protecting computers' BIOS and the boot process is essential for modern security – but knowing it's important isn't the same as actually taking steps to do it. For instance, take the research published last week by security boffins at firmware security vendor Binarily. The researchers found hundreds of PCs sold by Dell, Acer, …

  1. billdehaan
    Thumb Down

    The only thing worse than bad security

    is false security.

    I ran the check (efi-readvar -v PK in Linux), and my systems are okay. Mind you, they're HP, Zotac, and Lenovo, who weren't listed in the exposed systems. But honestly, the idea that we need to protect the BIOS / UEFI in the first place is a design failure. Putting crap like programmable vendor logos and user-defined backgrounds into the boot sequence is just asking for trouble. And now that they've handed the bad guys a way to load undetectable code that executes before any defence or corrective action can be taken, the only solution is to replace the motherboard entirely, which more often than not means junking the PC.

    1. S4qFBxkFFg

      Re: The only thing worse than bad security

      Sometimes I wish all BIOSs/UEFIs/Bootloaders were replaced by a very small piece of code which simply does a breadth-first search on all attached storage and boots the first thing it can find.

      Let the OS handle everything else.

      1. mfalcon
        Unhappy

        Re: The only thing worse than bad security

        I'm not a security expert but am a long term user of Unix workstations, Unix servers, Linux, and Windows machines. My gut feeling has for a long time been that the complexity of UEFI and the growing number of theoretical and actual vulnerabilities of Secure Boot show that a lot of it is simply a bad idea. I never expected to have my suspicions proven so definitively.

        I don't know what the solution moving forward is but continuing to assume that Secure Boot is the way to go surely must be seriously questioned.

        1. Anonymous Coward

          Re: The only thing worse than bad security

          Due respect to your gut -- whose feeling is spot-on, make no mistake -- we don't need that to know that UEFI and/or Secure Boot are bad ideas.

          There have been plenty of engineers and developers, including some with security bona fides, who said from the beginning that UEFI was fraught with peril. And some went on to say, as others up-thread have also observed, that Secure Boot was as much a ham-fisted attempt at vendor lock-in as anything else.

        2. ecofeco Silver badge
          Facepalm

          Re: The only thing worse than bad security

          As someone who has had to image, re-image and dig into the BIOS of literally 10s of thousands of PCs far more often than I should have to because the "security" settings within the BIOS were not playing nice with something, your gut feeling is not intuition, but solid fact.

          BIOS has always had its own unique frailty and faults, but the suite of security besides just UEFI has made it far worse. For a reasonably competent and experienced support tech, it's all just security theater and CAN be bypassed. For experienced and rogue programmers, it's a thin veil at best.

          For the daily support tech, it's all a pain in the ass.

      2. Kurgan

        Re: The only thing worse than bad security

        Like... a BIOS? We had it, when IT was not such a shitshow.

        We all know that UEFI is a pile of useless trash and that Secure Boot was invented to make sure that only Windows would be able to boot (and then failed at that).

        I'd really like to have old BIOS back.

        1. Anonymous Coward

          Re: The only thing worse than bad security

          The problem with (x86) old BIOS is that it's 16 bit. As in, if you're in 32 bit ("protected") or 64 bit ("long") mode, you have to switch back to 16 ("real") mode, call your BIOS function, then undo the switch. It's... a bit of a pain. So if at all possible anything not running real mode would bypass the BIOS as much as it could. There's a lot more wrong with it, like how it assumes a single user sitting in front of the box. There's lots of hardware, even a complete CPU in the southbridge with sees-traffic-before-you-do access to the network and an OS you can neither access nor update, to sort-of make up for (some of) those deficiencies.

          The problems with (U)EFI start with massive over-engineering ("second-system effect"), and it goes downhill from there. (Let's skip the list.) Secure Boot certainly isn't its only problem; even on the best of days it's really a control mechanism, not a security mechanism. It also doesn't resolve the manageability problems BIOS gave us, and so perpetuates those.

          In short. PCs are a limited idea, and (U)EFI doesn't really fix most of BIOS' problems for a rather large complexity bill. The security problems didn't get resolved, but mostly added to.

          Going back to BIOS is not something anyone who has to work with it really wants, but (U)EFI isn't the solution either. Me, I'd do a rethink of the concept "PC" and design a firmware to match that. Possibly something along the lines of OpenBOOT (Open Firmware) with some nice frontage for the blinkenlights set. But then I'm neither Intel nor Microsoft so nobody's gonna listen to me.

          But there's still truth in the old adage: "Real servers are headless." PCs can't do that, neither BIOS nor (U)EFI. Old Unix boxen could, even if they came as workstations and so did have a head.

        2. Anonymous Coward

          Re: The only thing worse than bad security

          IMO it's all been downhill since OFW fell by the wayside.

    2. hgfdhgddghgfh

      Re: The only thing worse than bad security

      It's a short list for HP and Lenovo, but they're not excluded from the issue.

  2. Mage Silver badge

    Yes, UEFI is mostly Security Theater.

    Protecting computers' BIOS and the boot process is essential for modern security – but knowing it's important isn't the same as actually taking steps to do it.

    So why is Autorun (even net shares), UPnP, remote registry, remote desktop, file and print sharing all on by default on Windows? Why did they add autorun and have it on by default on some Linux distros? Amiga was the warning.

    Maybe it's important, but has anyone done it properly? I remember a school with Research Machine brand PCs that the school had not set the boot password on, because that would be awkward. One student/pupil set it on an entire room. However the security setting was stored in an 8 pin IC on a socket. I demonstrated by removing one and left it to the teacher to remove the rest.

    A 3rd level business college that year found no PCs would start. Someone stole all the RAM.

    More recently a motherboard on an All-in-one PC died. The owner had not done backups and needed the project work. But protected by BitLocker. There are ways round that, but the key had been put into a spreadsheet, which was only stored on MS Server (so called cloud).

    Or the guy that used his fav football team for all passwords.

    Or people that open all email attachments and can't be bothered with a script blocker on Browser. Email & Web are the biggest risks along with UPnP enabled by default on some routers and all Windows.

    1. Pascal Monett Silver badge

      Re: Yes, UEFI is mostly Security Theater.

      Everything you say is, I'm sure, absolutely true, but you cannot compare user failures to product or systems failures.

      Users are stupid, unaware or uncaring. You can try to convince them to do things right, but most won't get the message until it's too late.

      UEFI was supposed to have been created by engineers. That is not the same level of importance.

      1. Mage Silver badge
        Coffee/keyboard

        Re: Yes, UEFI is mostly Security Theater.

        See also:

        JTAG over USB, Intel Management Engine, USB HID.

        These are not just user issues, though user training is abysmal, but bad engineering.

        Lack of security or security flaws on Bluetooth, WiFi. Wired Ethernet with no security (security options available for years). Internet before websites: What were they thinking about POP3, SMTP, the entire email eco-system and earlier number spoofing designed in on PSTN to make PABX returned calls simpler. Fax, where you could put in any number as source?

        Security has always been an afterthought. The "wire fraud" Man-in-the-middle attacks first used with optical telegraph. Spam messages started within an hour of install of telegraphs outside post-offices in Victorian London.

      2. Anonymous Coward

        Re: Yes, UEFI is mostly Security Theater.

        "UEFI was supposed to have been created by engineers."

        Seems like "supposed to" is probably doing a lot of work, there.

        It's not as if Intel have a spotless track record of decision-making, let alone actual implementation. Plus the bigger and more fundamental the project (product), the more people want to be attached to it.

        More people increases the odds of bikeshedding, design-by-committee, camel nose tenting, etc. Aside from Windows there's practically nothing more fundamental and important to making the PC hardware run than the firmware which starts up the thing. People want to say "Oh, *I* had a hand in that!"

        Which is how you end up with some project people who are likely not top notch engineers -- e.g. there will also be marketing types talking about putting pretty graphics and logos in, eh?

        It's also a fair bet that Microsoft directing Intel from the sidelines didn't help matters.

  3. xanadu42
    Facepalm

    NOT FOR PRODUCTION USE

    I remember seeing NOT FOR PRODUCTION USE displayed during the BIOS boot process on machines as far back as the late 1990's on desktop machines using either a Phoenix or Megatrends BIOS

    So the key issue with Secure Boot BIOS's is no surprise...

  4. Anonymous Coward

    Wasn't the whole point of Secure Boot

    just to allow Wintel to try to nobble Linux?

    1. Mage Silver badge
      Linux

      Re: Wasn't the whole point of Secure Boot

      "Just to allow Wintel to try to nobble Linux?"

      So I've read, but it was inept if that was true. Linux installs on more HW inc all Windows HW and easier to boot from USB on EFI?

      However, not actually on a literal plain dead badger.

    2. Anonymous Coward

      Re: Wasn't the whole point of Secure Boot

      CrApple loved it too

      1. Dave 126 Silver badge

        Re: Wasn't the whole point of Secure Boot

        Apple aren't fussed about which OS you run as long as you buy their hardware. They even made noises about helping Microsoft make a version of Windows for Apple silicon, but MS didn't get back to them. Apple haven't done anything to stop Asahi Linux, even if they haven't actively lifted the kimono on their GPU drivers. Linus Torvalds has been known to use a Mac laptop and its native OSX.

        Besides, running an OS that has been designed hand in hand with the hardware it runs on has its advantages.

        1. Anonymous Coward

          Re: Wasn't the whole point of Secure Boot

          "Linus Torvalds has been known to use a Mac laptop and its native OSX"

          Yeah, but if you've actually read into this, his list of requirements is actually quite small. He's essentially not that fussed about his hardware as long as it can perform his list of requirements relatively well.

          For his actual kernel development I believe he is using a Ryzen 5800X...for consumer related stuff he uses consumer related hardware...doesn't mix business with pleasure.

        2. shawn.eary

          Re: Wasn't the whole point of Secure Boot

          "Besides, running an OS that has been designed hand in hand with the hardware it runs on has its advantages." - We didn't have all of these problems when the Amiga 500 was in its prime...

  5. b1k3rdude

    So it's been said by people that have more knowledge on the subject than myself, but "secure boot" is NOT secure, it never was. It was yet another means by M$ to vainly try and coerce users and the industry at large to do things their way.

    It's not helped when major manufacturers/vendors drop the ball - https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

  6. Anonymous Coward

    Would be nice to be able to get info on the BIOS running, not just the status of an installer file.

    1. PRR Silver badge

      > Would be nice to be able to get info on the BIOS running

      Google returns such as this:

      "You can also find your BIOS version in the System Information window by typing "msinfo32" in a Run box."

      How to Check Your BIOS Version and Update it - How-To Geek

      msinfo32 on my machine returns much text, including:

      System Manufacturer MSI - System Model MS-7817

      BIOS Version/Date American Megatrends Inc. V1.7, 7/18/2014 ---- hmmmm, 10 years old last week....

      AFAIK, this BIOS is "Wanton Boot"; it will boot anything, or try to. It has tried to boot an iPod. I think it used to try to boot from my mouse. I now disconnect most of the USB when booting.

  7. Will Godfrey Silver badge

    Predictable

    The recent cloudstrike was a perfect example of the dangers of a monoculture. While a boot system can never be completely secure, the more different systems there are, the lower the chance (and impact) of a breach.

    1. Lee D Silver badge

      Re: Predictable

      "Hey, everyone, I've made this new utility that allows you not to worry about the 46-different types of system and instead allow you to publish your software just once from our tool and we'll handle all the specifics for each system."

      That's a perfectly viable, sensible and almost entirely necessary thing to do.

      Monoculture is fine and also pretty unavoidable, the problem lies elsewhere - implementing stupid ideas to "keep up with the Jones's" (i.e. Microsoft basically forced everyone to use UEFI), making those stupid ideas inherent and obvious vectors for compromise, and then not having any sufficient control over them to be able to implement security once deployed (e.g. allow a user to delete a particular UEFI key, disable access to certain parts of UEFI, etc.).

      It's 2024 and we're still all shipping single mass keys to millions of machines when if they each had their own unique individual one at the factory, secured by a larger, revocable key in a certificate authority structure, that the user can blacklist, override, rekey or otherwise manage, etc. etc. etc.

    2. Bitsminer Silver badge

      Re: Predictable

      Be careful there. Warning about the monoculture can cost you your job:

      https://www.wired.com/2004/02/warning-microsoft-monoculture/

  8. Doctor Syntax Silver badge

    That explains the bind9 updates that landed here at the weekend.

  9. Luiz Abdala
    Pirate

    Wasn't Xbox or the Nintendo Switch or...

    Or some of these new(ish) games console that was signed with the SAME key on everything, and once the pirates figured it out, they could copy / decrypt every single piece of software written to run on the thing?

    So, nothing new.

  10. ChrisElvidge Silver badge

    TracFone has agreed to pay the FCC $16 million to end investigations

    This has to stop. Ending the investigation before a proper conclusion has been reached obviates the investigation. When do we find out what went wrong? Who gets the money? $16M is not exactly peanuts. Who at TracFone (Vodaphone) will lose their jobs over this?

  11. Anonymous Coward

    How much cost is this useless feature (and UEFI more generally) adding?

    As far as I can tell it's there to protect MS hegemony to no tangible benefit to anyone downstream.

  12. Anonymous Coward

    Trust, you said...............

    Quote: "...Binarily has released a free scanning tool ...."

    Yup......about trusting that "free scanning tool".......

    ........you are kidding......please say you are kidding.............

  13. Plest Silver badge
    Facepalm

    Oh come on!

    We all know SecureBoot has one purpose, just a single purpose, it was designed for Microshit to dominate as many PCs as they could, make life as difficult as possible for anyone else ( ie Linux and BSD ) to boot. That's it, nothing else!

    Just another aspect of the "security theatre" shitshow we have to put up with today.

  14. Christian Berger

    I mean it's "Secure Boot"

    It's a highly risky technology, originally designed to enable censorship for operating systems which, at best, protects you from some highly selected attacks.

  15. shawn.eary

    This is precisely why Microsoft should drop the TPM requirement for Windows 11. TPMs are basically useless... Well, they aren't actually useless, but they aren't as secure as people have been led on to believe. From my understanding, it's very easy for skilled Electrical Engineers or state actors to hack TPMs.

  16. BenMyers

    Binarily free scanning tool is not usable by regular people.

    "Binarily has released a free scanning tool", but it is not friendly. It uploads a UEFI firmware image, which most of us do not have available for our computers. So regular computer owners cannot use it. I think that the purpose is to add to the growing list of motherboards that test positive for PKFAIL.

    Yet another message here says that someone managed to run the Binarily PKFAIL test. I wonder how.

  17. Someone56

    Smaller OS devs should be celebrating

    At least this could give smaller open source Linux/Other OS devs who can't afford to pay Micro$oft, the chance to get their OSes working on more secure boot hardware using these keys.
