How-to on taking ownership of your new UEFI equipped PC

[40hz]

From the blog of Jim Bottomley comes a mostly complete step-by-step on pwning your own UEFI PC:

Owning your Windows 8 UEFI Platform
Posted on 15 February 2013 by jejb   

Even if you only ever plan to run Windows or stock distributions of Linux that already have secure boot support, I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it.  The way you do this is by installing your own Platform Key.  Once you have done this, you can use key database maintenance tools like keytool to edit all the keys on the Platform and move the platform programmatically from Setup Mode to User Mode and back again.  This blog post describes how you go about doing this.

<more>

Read full article here.

Warning: It's not exactly a simple or intuitive process,
 

[f0dder]

Warning: It's not exactly a simple or intuitive process,
 

-40hz (February 16, 2013, 07:38 PM)

Seems reasonably straightforward to me.

Not end-user-simple, but the steps are pretty logical?

[Curt]

Owning your Windows 8 UEFI Platform

Even if you only ever plan to run Windows or stock distributions of Linux that already have secure boot support, I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it.

-40hz (February 16, 2013, 07:38 PM)

 
Most of the time English is understandable to me, but not always. The sentence "Even if you only ever plan to run Windows" (etcetera), may be straight forward to you, but it surely isn't straight nor forward to me. Is he trying to say something similar to "if you run Windows 8, take ownership of the boot section"?
 

[40hz]

@Curt- he's recommending you always take ownership.

[tomos]

Turning it around makes it a little easier:

I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it, even if you only ever plan to run Windows, or stock distributions of Linux (that already have secure boot support).

but it doesnt win any prizes for accessibility

[40hz]

Not end-user-simple, but the steps are pretty logical?

-f0dder (February 17, 2013, 03:46 PM)

Agree. But it is much more complex (and manufacturer/model dependent) than I would have wished.


They have so very much to 'show' us...

Especially since it's so unnecessary to implement it the way they have. And how effective SB will be still remains to be seen. I suspect it will only be temporarily effective against the 'cookbook' malware composers and the hax0r/script-kiddie types. I'm pretty sure all it will do to the professional bad guys is make some extra work for them.  (Although I wouldn't mind being completely wrong on that point. There are still some things I don't want to be right about.  )

I expect my Linux cohorts will be walking a lot of newer users through it slowly - and probably just "doing it for" most Linux newbies and first-time adopters.

So it goes.

[Curt]

it doesnt win any prizes for accessibility

-tomos (February 18, 2013, 12:14 PM)

My problem was with the sentence: >even if you only ever plan to run Windows<.
1) It is very clumsy English.
2) A computer can officially only run Windows 8 if it has the very same "new UEFI secure boot platform",
so it doesn't matter what else I might be planning, if my plans included Win 8

[40hz]

it doesnt win any prizes for accessibility

-tomos (February 18, 2013, 12:14 PM)

My problem was with the sentence: >even if you only ever plan to run Windows<.
1) It is very clumsy English.
2) A computer can officially only run Windows 8 if it has the very same "new UEFI secure boot platform",
so it doesn't matter what else I might be planning, if my plans included Win 8

-Curt (February 18, 2013, 04:35 PM)

@Curt - Since I'm a grandmaster of writing overly wordy and clumsy English, you have my sympathies.

And you are correct. Just removing the word "ever" from the sentence would make it clearer and less clumsy...

           even if you only ever plan to run Windows

Or you could mentally restructure it to read:

            even if Windows is all you ever plan on running

Unfortunately for you Curt, you probably have a better grasp of proper English than many who speak it natively. Try not to let our use (and misuse) of the language drive you too crazy.

[Curt]

-thanks, 40hz.
I re-edited my initial text right before posting because I suddenly felt too pettiness minded. My first post included these sentences of mine:

">even if you only ever plan to< is not proper use of the word "ever"! I have several translation programs to back up my accusation, because none of them will translate the quoted sentence the way it was intended by the original author. Not one of them!

-Curt

-but then I deleted it, because I felt I was pouring water over a goose. I guess I still am. 

[f0dder]

Especially since it's so unnecessary to implement it the way they have. And how effective SB will be still remains to be seen.

-40hz (February 18, 2013, 03:34 PM)

Unnecessary? The overall design is actually pretty open and flexible. If you want a trusted boot sequence, it could be done a helluva lot worse. Yes, the UX is clumsy, but (for UEFI implementations that do have key management features), you actually have full control and quite a bit of flexibility, and you aren't limited to One Master Key To Bind Them.

As for effectiveness, we'll see indeed. There's no such thing as perfect security, and if you can escalate your exploit-code to kernelmode you'll probably be able to defeat SecureBoot easily. And UEFI is a big and complex beast, so there's probably exploitable bugs in it. But the key architecture seems sound, and security is about a mix of breadth and depth - and SB does raise the bar against pre-OS attacks.

I do predict a lot of people are going to work hard on attacking it, though, since it's such a hated featured and high-profile target.

A computer can officially only run Windows 8 if it has the very same "new UEFI secure boot platform", so it doesn't matter what else I might be planning, if my plans included Win 8

-Curt (February 18, 2013, 04:35 PM)

While UEFI+SB might be a requirement to get the "designed for windows 8" certification, Win8 works just perfectly without SecureBoot, and it doesn't need UEFI either, works fine with BIOS booting.

[Curt]

While UEFI+SB might be a requirement to get the "designed for windows 8" certification, Win8 works just perfectly without SecureBoot, and it doesn't need UEFI either, works fine with BIOS booting.

-f0dder (February 18, 2013, 05:59 PM)

-thanks for telling, f0dder.
I have Windows 8 Pro, but has not installed it because the Microsoft Upgrade Adviser said No!

[f0dder]

I have Windows 8 Pro, but has not installed it because the Microsoft Upgrade Adviser said No!

-Curt (February 18, 2013, 06:07 PM)

Interesting - it's the smoothest Windows experience I've had so far, and should run better than XP (at least the bloated SP3 pig) even on old hardware

[Curt]

I have Windows 8 Pro, but has not installed it because the Microsoft Upgrade Adviser said No!

-Curt (February 18, 2013, 06:07 PM)

Interesting -

-f0dder (February 18, 2013, 06:31 PM)

Sorry, I was of course exaggerating. The adviser said that because my machine doesn't have this and that technique, upgrading would make me miss this and that feature, merely.

---------------
re-edit: re-reading the advice, I (again) think it said No. The lack of "NX" is vital, isn't it?
---------------

click thumbs to enlarge:

My advices in Danish:

How-to on taking ownership of your new UEFI equipped PC

How-to on taking ownership of your new UEFI equipped PC

Look at the Pro's new Danish price: kr 2000 = $333    
I am pleased that I took the introduction offer just in time!

[f0dder]

re-edit: [/color]re-reading the advice, I (again) think it said No. The lack of "NX" is vital, isn't it?

-Curt (February 19, 2013, 01:57 AM)

Hmmm, which CPU do you have? It has to be of almost archeological quality to not support NX (the ability to mark memory, in page-sized (4k) regions, as "not executable" - a security feature that was added ages ago).

You might have disabled NX support in your BIOS, though. (And some really lame, especially laptop, BIOSes turn NX-support off without offering you a way to enable it, even though the CPU is capable. One has to wonder, sometimes ).

[Edvard]

From the blog of Jim Bottomley comes a mostly complete step-by-step on pwning your own UEFI PC:

-40Hz

Bookmarked.  

some really lame, especially laptop, BIOSes turn NX-support off without offering you a way to enable it, even though the CPU is capable. One has to wonder, sometimes

-f0dder

My single-core 64-bit is nx-capable, but I can find NOWHERE in the BIOS how to enable it.  Wonder, indeed.
From lshw:

*-cpu:0
          description: CPU
          product: AMD Athlon(tm) 64 Processor 4000+
          vendor: Advanced Micro Devices [AMD]
          physical id: 3
          bus info: cpu@0
          version: AMD Athlon(tm) 64 Processor 4000+
          slot: Socket 939
          size: 1800MHz
          capacity: 3700MHz
          width: 64 bits
          clock: 200MHz
          capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt x86-64 3dnowext 3dnow up rep_good nopl pni lahf_lm cpufreq

 

[f0dder]

My single-core 64-bit is nx-capable, but I can find NOWHERE in the BIOS how to enable it.  Wonder, indeed.

-Edvard (February 19, 2013, 07:25 PM)

Funny thing is (if memory serves me right): NX is enabled by default after a CPU reset - you have to actively disable it in software (after which it cannot be software-enabled without a CPU reset).

So why do BIOSes do this? I'm guessing two possible reasons: 1) marketing worms that wanted to use NX-enabled as an upsell. 2) buggy BIOS SMM^w. 3) (least likely) known hardware implementation bug.