
Secure Golden Key Boot - dmitrygr
https://rol.im/securegoldenkeyboot/
======
ge0rg
TL;DR: Microsoft's Secure Boot bootloader is vulnerable to an attack where you
use a (Microsoft-signed) supplemental boot policy instead of a regular boot
policy, effectively removing the Secure Boot lock and allowing to run unsigned
code.

This affects locked devices (Windows RT, Phone, ...) and might be used for
jailbreaking devices as well as to attack their security.

~~~
OrangeTux
> can be used for jailbreaking devices as well as to attack their security.

This sounds quite negative. Another (very postive) consequence is to install
unsigned OS'es (read: Linux).

~~~
ge0rg
I tried to remain as neutral as possible with the summary. My personal opinion
is that it should be possible for the owner of a device to install any OS they
wish, and do so without compromising the device security.

Unfortunately, we are very far away from that goal. Either there is no
(official) way to unlock the bootloader, or we get a full unlock where
everybody with physical access to the device can install whatever rootkit they
wish.

~~~
mixedCase
>Unfortunately, we are very far away from that goal.

Not at all. It's commonplace in UEFI motherboards. You can supply your own
keys and then sign your kernel/bootloader.

Microsoft just decided the owners of these devices should not be allowed to
control their device's boot process.

~~~
soylentcola
I think that's why the "jailbreak" wording I've seen used is fairly
appropriate. The flip side to the risks that result from trusting some sort of
locked bootloader for security also mean that you can gain more control over
your gear.

On one hand, I think that aspect is wonderful news but on the other hand,
there are already a lot of options for devices with unlocked (or unlockable)
bootloaders and some orgs may have specifically desired the locked option as
part of their security setup and this undermines that.

The only thing that is relevant regardless is how it illustrates the flaws in
any system that relies on secret master keys/backdoors

------
scrollaway
Heads up: Audio on page. Neat, but loud.

Text-only mirror:
[https://gist.github.com/anonymous/c94cadade3a8b87dcdc52c639f...](https://gist.github.com/anonymous/c94cadade3a8b87dcdc52c639f0641b4)

~~~
mtgx
Also quite distracting, especially since the text itself keeps moving. The
"cute" presentation takes away from this major discovery and almost makes it
seem like it's not something very serious.

~~~
mindslight
Yeah, the jumping text is terrible for readability.

Then again, _the content is still plain text_. You can paste it somewhere
else, and easily read it without any distractions. So it's actually still
_more_ accessible than your average web page these days.

------
vardump
Oooh, that Amiga Topaz font that page uses! Still immediately recognizable. So
nice to see it after all these years, it's like returning home.

Chiptune, cheesy starfield and a rotating vector. I see, a Cracktro. Hey
slipstream/RoL, you forgot copper effects! ;-)

~~~
slipstream-
Maybe so; but I didn't want to implement _too many_ effects. :)

------
userbinator
IMHO it's rather disappointing that they decided to tell MS about it, instead
of just releasing it as a jailbreak, because every time secure boot comes up
I'm reminded of [https://www.gnu.org/philosophy/right-to-
read.en.html](https://www.gnu.org/philosophy/right-to-read.en.html) and that
classic Benjamin Franklin quote...

~~~
my123
A jailbreak was released on the IRC channel :) If someone is too lazy to read
the writeup, it's #rtchurch on irc.rol.im

------
iuguy
Loving the chiptune. This is how you do an advisory.

~~~
jokoon
If you really want to keep that song: find the .xm file in the page, play it
with xmplay, convert it to wav with xmplay.

~~~
joebergeron
Or just use Winamp as your media player (how I miss it so) which has native
support for xm, mod, what have you. Or VLC for that matter.

~~~
StavrosK
Aw, Winamp :( It was so glorious, that era...

~~~
Senji
It still works on Win10 even.

~~~
StavrosK
Yes, but I use Linux, and it's really bad under Wine :(

------
my123
On the IRC channel, the link to the PoC is included :)

------
no_news_is
POC link from the IRC channel topic:

Windows on ARM&ARM64 channel. :: Secure Boot unlocked. Package for RT devices.
[https://rol.im/SecureBoot.zip](https://rol.im/SecureBoot.zip) Works with even
full updates! See the readme inside the zip. :: you need to use the signtool

------
icelancer
This is a web version of a pirated piece of software, complete with
keygen/crack. Unbelievable. I love it.

~~~
bluehazed
Well, it's a security advisory designed to look like scene keygen/crack
programs do (nice little nostalgia factor).

------
jugbee
How about this fix? Does it solve it? Https://support.microsoft.com/en-
us/kb/3172729

~~~
slipstream-
No, it doesn't. It merely prevents the use of _one way_ to install _some_
policies on _Windows RT_ devices.

------
CAT0
Maybe a stupid question but does this enable eg. Android running on a Surface
with Windows RT?

~~~
my123
Yes, dealing with the kernel porting isn't that easy though, as expected. :)

~~~
holmb
Perhaps that will change in Linux 4.8. See
[http://betanews.com/2016/08/07/linux-microsoft-
surface-3/](http://betanews.com/2016/08/07/linux-microsoft-surface-3/)

~~~
my123
The Surface 3 has positively nothing to do with it :)

------
pingec
So are there any cheap WinRT leftover devices worth having and installing
linux on :)?

------
widforss
So, what does this mean? Should I consider Secure Boot broken on x86 systems?

~~~
Natanael_L
On systems trusting Microsoft as a CA, unless it has these certs blacklisted
yet, yes.

------
ikeboy
Cert on the site expired today, ironically.

~~~
slipstream-
Already fixed, 10 minutes after I noticed myself.

Yay for Let's Encrypt.

~~~
ikeboy
Yeah. cpanel has one-click support for Let's Encrypt now, I recently set up
hosting and got https super easily without thinking about it.

