Eclypsium researchers have discovered UEFI shells, authorized via Secure Boot, on Framework laptops. The UEFI shells contain capabilities that allow attackers to bypass Secure Boot on roughly 200,000 affected Framework laptops and desktops.
  • deadcade@lemmy.deadca.de
    1·
    27 days ago

    This is heavily sensationalized. UEFI “secure boot” has never been “secure” if you (the end user) trust vendor or Microsoft signatures. Alongside that, this ““backdoor”” (diagnostic/troubleshooting tool) requires physical access, at which point there are plenty of other things you can do with the same result.

    Yes, the impact is theoretically high, but it’s the same for all the other vulnerable EFI applications MS and vendors sign willy-nilly. In order to get a properly locked-down secure boot, you need to trust only yourself.

    When you trust Microsoft’s secure boot keys, all it takes is one signed EFI application with an exploit to make your machine vulnerable to this type of attack.

    Another important part is persistence, especially for UEFI malware. The only reason it’s so easy is because Windows built-in “factory reset” is so terrible. Fresh installing from a USB drive can easily avoid that.

    • eldavi@lemmy.mlEnglish
      0·
      26 days ago

      this is one of the reasons why i’ve only purchased systemd w libre/coreboot

      i’m aware that it doesn’t completely mitigate it; but it’s the only viable step in the right direction of choices that we’re allowed to have.

      i sometimes wish i could go back to buying american, but the likes of system76 have already made their allegiances clear.

      • MonkeMischief@lemmy.today
        0·
        26 days ago

        the likes of system76 have already made their allegiances clear.

        Aw crap. What did they do? :(

        Been somewhat out of the loop lately.

        • eldavi@lemmy.mlEnglish
          0·
          19 days ago

          then you’re in luck because it’s old news. (circa 2016 iirc).

          tldr: they decided to pull away active development on some foss projects because they conflicted with their profit motive.

          it’s easy to appreciate why a for-profit company would want to protect its revenue stream and it would seem that the waters would get really murky when their products rely on free and open sourced work; but i know from personal experience that much bigger fish like google and oracle have made it work REALLY well for themselves and in much better fashion (atleast publicly) than system76 has.

          • MonkeMischief@lemmy.today
            0·
            19 days ago

            Ah I see what you’re saying.

            Thanks for taking the time for the clarification! I’m sure this would clear it up for some other folks as well.

            I also know they’re a fraction of the size of those giants who can probably field staff specifically for FOSS contribution, but that’s still a bit disheartening. I hope things improve.

            Every time they’ve seemed like a good option I find myself balking at the price though lol.

            • eldavi@lemmy.mlEnglish
              1·
              4 hours ago

              my last linux rig died and i had to buy a new one and system76 price tag made me go with ordinary windows laptop and putting linux on it.

              i’m currently getting reminded of how much headache buying a from a linux-first company alleviates too; it’s taken me over a week to setup an encrypted installation to dual boot with windows. lol