DonationCoder.com Forum
Main Area and Open Discussion => General Software Discussion => Topic started by: 40hz on February 16, 2013, 07:38 PM
-
From the blog of Jim Bottomley comes a mostly complete step-by-step on pwning your own UEFI PC:
Owning your Windows 8 UEFI Platform
Posted on 15 February 2013 by jejb
Even if you only ever plan to run Windows or stock distributions of Linux that already have secure boot support, I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it. The way you do this is by installing your own Platform Key. Once you have done this, you can use key database maintenance tools like keytool to edit all the keys on the Platform and move the platform programmatically from Setup Mode to User Mode and back again. This blog post describes how you go about doing this.
Read full article here (http://blog.hansenpartnership.com/owning-your-windows-8-uefi-platform/).
Warning: It's not exactly a simple or intuitive process,
8)
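The Setup Mode / User Mode distinction the quoted post relies on can be read directly from the firmware's variables. The script below is an added example, not code from the blog post or from anyone in this thread. It assumes Linux's efivarfs layout (each variable under /sys/firmware/efi/efivars/ is a file of a 4-byte little-endian attribute word followed by the raw data) and the EFI_GLOBAL_VARIABLE GUID that SecureBoot, SetupMode and PK live under; the sample blobs are constructed, and the PK payload is a placeholder rather than a real signature list.

```python
"""Decode UEFI Secure Boot state from efivarfs-style variable blobs.

Added example; not from the blog post or the forum thread.  The firmware is
in Setup Mode when no Platform Key (PK) is enrolled, which is the state in
which it accepts a new PK without authentication.  Once a PK is installed
the platform is in User Mode and key-database writes must be signed.
"""
import os
import struct

# EFI_GLOBAL_VARIABLE GUID: the namespace of SecureBoot, SetupMode and PK.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Variable attribute bits (UEFI spec, EFI_VARIABLE_*).
NON_VOLATILE = 0x01
BOOTSERVICE_ACCESS = 0x02
RUNTIME_ACCESS = 0x04
TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20


def parse_efivar(blob: bytes):
    """Split an efivarfs blob into (attributes, data)."""
    if len(blob) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def _bool_var(variables: dict, name: str):
    """Decode a one-byte boolean variable; None if it is absent or empty."""
    blob = variables.get(name)
    if blob is None:
        return None
    _, data = parse_efivar(blob)
    return bool(data[0]) if data else None


def boot_state(variables: dict) -> dict:
    """Summarise platform state from a {variable name: blob} mapping."""
    pk = variables.get("PK")
    pk_present = pk is not None and len(parse_efivar(pk)[1]) > 0
    setup_mode = _bool_var(variables, "SetupMode")
    state = {
        "secure_boot": _bool_var(variables, "SecureBoot"),
        "setup_mode": setup_mode,
        "pk_present": pk_present,
        "mode": "setup" if setup_mode else "user",
    }
    # A firmware that claims Setup Mode while holding a PK (or the reverse)
    # is not behaving as the spec describes; flag it rather than trust it.
    state["consistent"] = (setup_mode is not None) and (setup_mode != pk_present)
    return state


def read_live_state():
    """Read the real variables on a UEFI Linux box; None when not booted via EFI."""
    if not os.path.isdir(EFIVARS_DIR):
        return None
    variables = {}
    for name in ("SecureBoot", "SetupMode", "PK"):
        path = os.path.join(EFIVARS_DIR, f"{name}-{EFI_GLOBAL_VARIABLE}")
        if os.path.exists(path):
            with open(path, "rb") as fh:
                variables[name] = fh.read()
    return boot_state(variables)


# Constructed sample blobs (not captured from a real machine).
_RO_ATTRS = struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS)
_PK_ATTRS = struct.pack(
    "<I", NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    | TIME_BASED_AUTHENTICATED_WRITE_ACCESS)

USER_MODE_SAMPLE = {
    "SecureBoot": _RO_ATTRS + b"\x01",
    "SetupMode": _RO_ATTRS + b"\x00",
    "PK": _PK_ATTRS + b"\x00" * 16,   # placeholder for an EFI_SIGNATURE_LIST
}
SETUP_MODE_SAMPLE = {
    "SecureBoot": _RO_ATTRS + b"\x00",
    "SetupMode": _RO_ATTRS + b"\x01",
    # no PK enrolled
}

if __name__ == "__main__":
    print("user-mode sample :", boot_state(USER_MODE_SAMPLE))
    print("setup-mode sample:", boot_state(SETUP_MODE_SAMPLE))
    print("this machine     :", read_live_state())
```

Running it on a machine you have just cleared the PK on should report mode "setup" with Secure Boot off; after enrolling your own PK it should flip to "user", which is the round trip the post describes.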
-
Warning: It's not exactly a simple or intuitive process,
8)-40hz
Seems reasonably straightforward to me.
Not end-user-simple, but the steps are pretty logical?
-
Owning your Windows 8 UEFI Platform
Even if you only ever plan to run Windows or stock distributions of Linux that already have secure boot support, I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it.
-40hz
:-[
Most of the time English is understandable to me, but not always. The sentence "Even if you only ever plan to run Windows" (etcetera), may be straight forward to you, but it surely isn't straight nor forward to me. Is he trying to say something similar to "if you run Windows 8, take ownership of the boot section"?
:tellme:
-
@Curt- he's recommending you always take ownership.
-
Turning it around makes it a little easier:
I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it, even if you only ever plan to run Windows, or stock distributions of Linux (that already have secure boot support).
but it doesn't win any prizes for accessibility :)
-
Not end-user-simple, but the steps are pretty logical?
-f0dder
Agree. But it is much more complex (and manufacturer/model dependent) than I would have wished.
They have so very much to 'show' us...
Especially since it's so unnecessary to implement it the way they have. And how effective SB will be still remains to be seen. I suspect it will only be temporarily effective against the 'cookbook' malware composers and the hax0r/script-kiddie types. I'm pretty sure all it will do to the professional bad guys is make some extra work for them. (Although I wouldn't mind being completely wrong on that point. There are still some things I don't want to be right about. :mrgreen:)
I expect my Linux cohorts will be walking a lot of newer users through it slowly - and probably just "doing it for" most Linux newbies and first-time adopters.
So it goes. :-\
-
it doesn't win any prizes for accessibility :) -tomos
My problem was with the sentence: >even if you only ever plan to run Windows<.
1) It is very clumsy English.
2) A computer can officially only run Windows 8 if it has the very same "new UEFI secure boot platform",
so it doesn't matter what else I might be planning, if my plans included Win 8
-
it doesn't win any prizes for accessibility :) -tomos
My problem was with the sentence: >even if you only ever plan to run Windows<.
1) It is very clumsy English.
2) A computer can officially only run Windows 8 if it has the very same "new UEFI secure boot platform",
so it doesn't matter what else I might be planning, if my plans included Win 8
-Curt
@Curt - Since I'm a grandmaster of writing overly wordy and clumsy English, you have my sympathies. ;D
And you are correct. Just removing the word "ever" from the sentence would make it clearer and less clumsy...
even if you only ever plan to run Windows
Or you could mentally restructure it to read:
even if Windows is all you ever plan on running
Unfortunately for you Curt, you probably have a better grasp of proper English than many who speak it natively. Try not to let our use (and misuse) of the language drive you too crazy. ;D :Thmbsup:
-
-thanks, 40hz.
I re-edited my initial text right before posting because I suddenly felt too petty-minded. My first post included these sentences of mine:
">even if you only ever plan to< is not proper use of the word "ever"! I have several translation programs to back up my accusation, because none of them will translate the quoted sentence the way it was intended by the original author. Not one of them!-Curt
-but then I deleted it, because I felt I was pouring water over a goose. I guess I still am. ;D
-
Especially since it's so unnecessary to implement it the way they have. And how effective SB will be still remains to be seen.-40hz
Unnecessary? The overall design is actually pretty open and flexible. If you want a trusted boot sequence, it could be done a helluva lot worse. Yes, the UX is clumsy, but (for UEFI implementations that do have key management features), you actually have full control and quite a bit of flexibility, and you aren't limited to One Master Key To Bind Them.
As for effectiveness, we'll see indeed. There's no such thing as perfect security, and if you can escalate your exploit-code to kernelmode you'll probably be able to defeat SecureBoot easily. And UEFI is a big and complex beast, so there's probably exploitable bugs in it. But the key architecture seems sound, and security is about a mix of breadth and depth - and SB does raise the bar against pre-OS attacks.
I do predict a lot of people are going to work hard on attacking it, though, since it's such a hated featured and high-profile target.
A computer can officially only run Windows 8 if it has the very same "new UEFI secure boot platform", so it doesn't matter what else I might be planning, if my plans included Win 8
-Curt
While UEFI+SB might be a requirement to get the "designed for windows 8" certification, Win8 works just perfectly without SecureBoot, and it doesn't need UEFI either, works fine with BIOS booting.
-
While UEFI+SB might be a requirement to get the "designed for windows 8" certification, Win8 works just perfectly without SecureBoot, and it doesn't need UEFI either, works fine with BIOS booting.-f0dder
-thanks for telling, f0dder.
I have Windows 8 Pro, but have not installed it because the Microsoft Upgrade Adviser said No!
-
I have Windows 8 Pro, but have not installed it because the Microsoft Upgrade Adviser said No!-Curt
Interesting - it's the smoothest Windows experience I've had so far, and should run better than XP (at least the bloated SP3 pig) even on old hardware :)
-
I have Windows 8 Pro, but have not installed it because the Microsoft Upgrade Adviser said No!-Curt
Interesting - -f0dder
Sorry, I was of course exaggerating. The adviser said that because my machine doesn't have this and that technique, upgrading would make me miss this and that feature, merely.
---------------
re-edit: re-reading the advice, I (again) think it said No. The lack of "NX" is vital, isn't it?
---------------
My advice in Danish (attached screenshots):
Look at the Pro's new Danish price: kr 2000 = $333 :o
I am pleased that I took the introduction offer (https://www.donationcoder.com/forum/index.php?topic=33883.msg316571#msg316571) just in time!
-
re-edit: re-reading the advice, I (again) think it said No. The lack of "NX" is vital, isn't it?-Curt
Hmmm, which CPU do you have? It has to be of almost archeological quality to not support NX (the ability to mark memory, in page-sized (4k) regions, as "not executable" - a security feature that was added ages ago).
You might have disabled NX support in your BIOS, though. (And some really lame, especially laptop, BIOSes turn NX-support off without offering you a way to enable it, even though the CPU is capable. One has to wonder, sometimes ::) ).
-
From the blog of Jim Bottomley comes a mostly complete step-by-step on pwning your own UEFI PC:-40Hz
Bookmarked. :Thmbsup:
some really lame, especially laptop, BIOSes turn NX-support off without offering you a way to enable it, even though the CPU is capable. One has to wonder, sometimes-f0dder
My single-core 64-bit is nx-capable, but I can find NOWHERE in the BIOS how to enable it. Wonder, indeed.
From lshw:
*-cpu:0
description: CPU
product: AMD Athlon(tm) 64 Processor 4000+
vendor: Advanced Micro Devices [AMD]
physical id: 3
bus info: cpu@0
version: AMD Athlon(tm) 64 Processor 4000+
slot: Socket 939
size: 1800MHz
capacity: 3700MHz
width: 64 bits
clock: 200MHz
capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt x86-64 3dnowext 3dnow up rep_good nopl pni lahf_lm cpufreq
:(
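Two things are worth checking separately here: whether the CPU advertises the nx flag (the list lshw prints as "capabilities" is the same flag set the kernel exposes in /proc/cpuinfo) and whether the kernel actually reports NX as active at boot. The script below is an added example, not from anyone in this thread. The cpuinfo text and the kernel message lines are constructed samples patterned on the kernel's own boot messages, not captured output; the flag list mirrors the lshw output above.

```python
"""Check whether a CPU advertises NX and whether the kernel turned it on.

Added example, not from the forum thread.  Parses /proc/cpuinfo-style text
(one record per processor, blank-line separated) and scans kernel boot
messages for the NX report.  Sample inputs below are constructed.
"""
import os
import re

# Constructed /proc/cpuinfo excerpt for a single-core Athlon 64 (flags trimmed).
CPUINFO_SAMPLE = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "model name\t: AMD Athlon(tm) 64 Processor 4000+\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt lm "
    "3dnowext 3dnow\n"
)
# Same CPU as the firmware would present it with NX hidden: no "nx" flag.
CPUINFO_NO_NX_SAMPLE = CPUINFO_SAMPLE.replace(" nx ", " ")

# Constructed kernel lines, patterned on the x86 boot report.
DMESG_ACTIVE = ["[    0.000000] NX (Execute Disable) protection: active"]
DMESG_MISSING = ["[    0.000000] Notice: NX (Execute Disable) protection missing in CPU!"]

NX_ACTIVE_RE = re.compile(r"NX \(Execute Disable\) protection: active")
NX_MISSING_RE = re.compile(r"NX \(Execute Disable\) protection missing in CPU")


def parse_cpuinfo(text: str) -> list:
    """Return one {field: value} dict per processor record."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def cpus_advertising(cpus: list, flag: str) -> list:
    """Processor numbers whose flag list contains `flag`."""
    return [int(c.get("processor", -1)) for c in cpus
            if flag in c.get("flags", "").split()]


def kernel_nx_state(dmesg_lines) -> str:
    """'active', 'missing' or 'unknown' from the kernel's NX boot message."""
    for line in dmesg_lines:
        if NX_ACTIVE_RE.search(line):
            return "active"
        if NX_MISSING_RE.search(line):
            return "missing"
    return "unknown"


def nx_status(cpuinfo_text: str, dmesg_lines) -> dict:
    """Combine the CPUID view and the kernel view of NX."""
    cpus = parse_cpuinfo(cpuinfo_text)
    with_nx = cpus_advertising(cpus, "nx")
    return {
        "cpus": len(cpus),
        "nx_cpus": with_nx,
        "cpu_advertises_nx": bool(cpus) and len(with_nx) == len(cpus),
        "kernel": kernel_nx_state(dmesg_lines),
    }


def live_nx_status():
    """Run against the real /proc/cpuinfo; None on non-Linux hosts."""
    if not os.path.exists("/proc/cpuinfo"):
        return None
    with open("/proc/cpuinfo") as fh:
        text = fh.read()
    # dmesg needs privileges on many systems, so only the CPUID view is read here.
    return nx_status(text, [])


if __name__ == "__main__":
    print("sample, NX on :", nx_status(CPUINFO_SAMPLE, DMESG_ACTIVE))
    print("sample, NX off:", nx_status(CPUINFO_NO_NX_SAMPLE, DMESG_MISSING))
    print("this machine  :", live_nx_status())
```

If the flag shows up in /proc/cpuinfo, the kernel can use it regardless of what a firmware setup screen offers; if the firmware has hidden it, the flag is simply absent and the kernel says so at boot.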
-
My single-core 64-bit is nx-capable, but I can find NOWHERE in the BIOS how to enable it. Wonder, indeed.-Edvard
Funny thing is (if memory serves me right): NX is enabled by default after a CPU reset - you have to actively disable it in software (after which it cannot be software-enabled without a CPU reset).
So why do BIOSes do this? I'm guessing two possible reasons: 1) marketing worms that wanted to use NX-enabled as an upsell. 2) buggy BIOS SMMw. 3) (least likely) known hardware implementation bug.