Collaborate Disseminate
SoC’s have begun integrating a hardware Root-of-Trust to mitigate attacks on Secure Boot. Examples include Google’s OpenTitan & Intel PFR. What are the threats addressed by discrete "Secure Enclave" type root-of-trust solutio… Continue reading What are the threats addressed by a Hardware Root-of-Trust?
I’m trying to understand the secure boot process of an OS but there are few points I can’t wrap my head around.
At a high level, afaik, secure boot ensures that the loaded OS is authenticated by its respective vendor. If an adversary modif… Continue reading Understanding Secure Boot
I’ve been instructed to use the state of our system’s TPM’s PCR registers to prevent the system we’re working on from booting if one of the PCR registers is different from what we expect. In service of that goal, I’m reading over this arti… Continue reading What kind of "actions" can a TPM2 policy authorize?
I’m setting up custom secure boot keys on an Asus Z87I-Deluxe motherboard. On other computers I’ve setup with secure boot, I’ve been able to either write the PK, KEK, and DB keys into the EFI variables via the /sys/firmware/efi/efivars fil… Continue reading Time Authenticated EFI Variable
According to the Debian wiki on SecureBoot,
This removes the risk of userland malware potentially enrolling new keys and therefore bypassing the entire point of SB.
So SecureBoot stops users from installing keys without UEFI confirma… Continue reading Is SecureBoot of any use if I keep my private key in a root accessible file?
Suppose we’re using secure boot and remote attestation to prove to a server what client software is talking to it.
What stops an attacker from doing this:
Start a legitimate copy of the client software on machine A.
Get a remote attesta… Continue reading How do we know that input to TPMs actually comes from the measured code?
I was robbed…
That included my Linux notebook and my company’s notebook. Both are encrypted.
Mine is encrypted with LVM over LUKS, using a passphrase to unlock the hard drive once the kernel has been started by the UEFI. But Secure Boot… Continue reading Is it possible to make a laptop useless to thieves?
I am looking for a Company/Organization, which can be the “Provision Entity” for me.
To explain what criteria a provision entity has to fulfil, I draw a picture of the case:
I have a open network, where everyone should be allowed to join… Continue reading "Provision Entity" for an open source approach to remote attestation
Microsoft UEFI Revocation List File update causes problems on some devices. Here’s what you need to know about the latest Windows Update problem.
The post Microsoft Removes Standalone Security Update Causing Issues on Some PCs appeared first on Petri.
Continue reading Microsoft Removes Standalone Security Update Causing Issues on Some PCs
It is often cited “to load from untrusted memory to a trusted system memory” when describing the secure boot process. I wonder, when can we consider a memory as “trusted”?