In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access.
mutual_ayed@sh.itjust.works
on 28 May 01:32
nextcollapse
Any environment that uses ipxe or maas is susceptible to these attacks
Or just leak the signing keys like they did with MSI. That quote describes the theory, but there are tons of shit-for-brains humans that can screw it up. The UEFI attack surface is much bigger than it has any right to be.
Shit like this is why I’m glad that AMD stays on top of BIOS updates. Built my first AMD machine in 2022 and it’s blowing my mind that my motherboard is still being supported 3 years later. (I wanted to switch sooner, but my timing between builds was always bad. Missed out on Kuma, missed out on the Athlon era when they were embarrassing the Pentium 4.) When I was with Intel, I’d be lucky to get one BIOS update, if even that.
Can’t wait for the end of the AM5 platform in a few years, when I’ll be able to upgrade my 7700X to the latest X3D chip, and practically have a brand new PC all over again.
threaded - newest
Well… As long as I don’t reboot my computer, I’m safe. 😤
Even safer if you never boot it in the first place.
rollsafe.jpg
What the “How do attackers get in?” part doesn’t mention: What attackers actually need to get in.
For Boot Hole for example (taken from here: access.redhat.com/security/…/grub2bootloader):
Any environment that uses ipxe or maas is susceptible to these attacks
Or just leak the signing keys like they did with MSI. That quote describes the theory, but there are tons of shit-for-brains humans that can screw it up. The UEFI attack surface is much bigger than it has any right to be.
Shit like this is why I’m glad that AMD stays on top of BIOS updates. Built my first AMD machine in 2022 and it’s blowing my mind that my motherboard is still being supported 3 years later. (I wanted to switch sooner, but my timing between builds was always bad. Missed out on Kuma, missed out on the Athlon era when they were embarrassing the Pentium 4.) When I was with Intel, I’d be lucky to get one BIOS update, if even that.
Can’t wait for the end of the AM5 platform in a few years, when I’ll be able to upgrade my 7700X to the latest X3D chip, and practically have a brand new PC all over again.