UEFI discussion (was: Announcement: The Nexware Project)

All off topic discussions go here. Everything from the funny thing your cat did to your favorite tv shows. Non-programming computer questions are ok too.
Post Reply
nexos
Member
Member
Posts: 1078
Joined: Tue Feb 18, 2020 3:29 pm
Libera.chat IRC: nexos

UEFI discussion (was: Announcement: The Nexware Project)

Post by nexos »

Since my thread is going off topic, I will start a new one :D .
bzt wrote:Too bad the law of free market is just a fairy tale, and no one actually expects that to happen...
Actually, that can be attributed to the free market. Because of the free market, Microsoft was able to take it over. Free market is a wonderful thing, but monopolies need to controlled. Microsoft is making mine and everyone else on this forum's lives miserable, because of Secure Boot. Maybe it should be called Controlled Boot? Or MS-Only Boot?
"How did you do this?"
"It's very simple — you read the protocol and write the code." - Bill Joy
Projects: NexNix | libnex | nnpkg
nullplan
Member
Member
Posts: 1767
Joined: Wed Aug 30, 2017 8:24 am

Re: UEFI discussion (was: Announcement: The Nexware Project)

Post by nullplan »

Or "Dirty Patch"? Code signing does not help if the signed code is insecure (as the recent GRUB debacle showed). Therefore we can always try to exploit MS signed code into loading our kernels. The best protection we have against oppression is the incompetence of our oppressors.
Carpe diem!
User avatar
bzt
Member
Member
Posts: 1584
Joined: Thu Oct 13, 2016 4:55 pm
Contact:

Re: UEFI discussion (was: Announcement: The Nexware Project)

Post by bzt »

@Nexos, @nullplan: you both have good ideas. The problem is, when Adam Smith wrote about free market, there were no corporations. He was implicitly talking about competing products with *equal* chances, where the consumers are deciding which one is better. Back then there were simply no monopolic entities (monopoly meant a right issued by the state/king, like mining and such, not the status-quo when a single company owns almost the whole market).
nexos wrote:Because of the free market, Microsoft was able to take it over.
Nope, it was their unethical and aggressive attitude that killed their competition. It's easy to win when there are no more competing companies left... They steal without remorse, and if they can't acquire and buy out the competition, they destroy them like happened with Commodore (they simply bought all chips so that no more left, therefore Commodore couldn't ship as promised and bankcrupted), not to mention their government bribery that spread Win in the first place (there are still numerous cases under investigation as we speak, mostly in Europe). Windows had never ever need to compete as a product, and an average PC end-user has no other options than Win.

And in general, this is a common scheme these days. There's no free market because it's not the products that compete any more, but the companies with the force of all of their capital and law departments. What their product can do, and how good they are is simply not in the equation any more. The same goes for Google and Facebook too. Do you really think that an independent search-engine or social-network have any chance to compete with those? Or that any Android like OS could be run on smartphones? They will kill it long before it could get a name on the market. The consumers are left without a choice.
nexos wrote:but monopolies need to controlled.
Yes, but the current laws are formed as monopolies want them to be, so this is not going to happen. First, corporations should not be considered as "legal persons" (what a lunatic mindf*ck is that, anyway?), so they couldn't acquire other companies, and their shareholders should be kept responsible. That's a bare minimum to have real control over monopolies, but I don't see that happen in the foreseeable future. And we got back to the starting point: because monopolies are uncontrollable they own the whole market and leave no choice to the end-users, there can be no free market.
nexos wrote:Maybe it should be called Controlled Boot? Or MS-Only Boot?
Haha, I like that! It is definitely not secure, that's for sure!

Cheers,
bzt
testjz
Posts: 23
Joined: Thu Aug 20, 2020 6:11 am

Re: UEFI discussion (was: Announcement: The Nexware Project)

Post by testjz »

Because I don't want the politics involved in this discussion to outweight the topic itself, I won't talk about politics much. I'd only like to say that I think that a "free market" cannot exist. It's controlled either by large corporations (therefore not "free"), or by the governments (therefore also not "free"). I think the corporations should be controlled by the governments and pay higher taxes, and the governments should be controlled by the entirety of citizens (and no, one election per 4 or so years is not enough). Let's go to Microsoft and UEFI now...
nexos wrote:Maybe it should be called Controlled Boot? Or MS-Only Boot?
Actually, the Free Software Foundation calls it "Restricted Boot". They even have/had a relevant campaign.
bzt wrote:
nexos wrote:Because of the free market, Microsoft was able to take it over.
Nope, it was their unethical and aggressive attitude that killed their competition. It's easy to win when there are no more competing companies left... They steal without remorse, and if they can't acquire and buy out the competition, they destroy them like happened with Commodore (they simply bought all chips so that no more left, therefore Commodore couldn't ship as promised and bankcrupted), not to mention their government bribery that spread Win in the first place (there are still numerous cases under investigation as we speak, mostly in Europe). Windows had never ever need to compete as a product, and an average PC end-user has no other options than Win.
Microsoft and Bill Gates himself have always been aggressive. For example, already in the 1970s we had the Open Letter to Hobbyists, though this one would be maybe justified if it were somewhat toned down. Later, the agreement with Spyglass that gave Microsoft a licence to the Mosaic source code stated that Microsoft would pay Spyglass royalties from the Internet Explorer revenues, but subsequently Microsoft bundled Internet Explorer "for free" with Windows, thus avoiding to pay any royalties except a small quarterly fee and, more importantly, making Internet Explorer the "default" browser for every Windows user. This had the result of putting every competing browser out of the market for more than 5 years, until finally the reincarnation of Netscape as Firefox gained some traction.

Edit: I forgot to say that we also have more recent examples. There is the Windows Subsystem for Linux, which I think is just as much of an "embracing" of (GNU+)Linux as a constrictor snake "embracing" its prey. Then there is the acquisition of GitHub by Microsoft, which means that they control the majority of source code repositories. And of course, there is the telemetry stuff in Windows 10 (and I suspect that in earlier versions too, just without any relevant settings). The default setting is "on" (if it even has an effect) and most people don't seem to care, thus they leave telemetry enabled. And finally, Windows has been always assuming that it's the sole OS on the disk, with various results for other installed OSes. All of these (and more) show the mentality of Microsoft (but other giants are usually no better and can be even worse actually).
bzt wrote:And in general, this is a common scheme these days. There's no free market because it's not the products that compete any more, but the companies with the force of all of their capital and law departments. What their product can do, and how good they are is simply not in the equation any more. The same goes for Google and Facebook too. Do you really think that an independent search-engine or social-network have any chance to compete with those? Or that any Android like OS could be run on smartphones? They will kill it long before it could get a name on the market. The consumers are left without a choice.
Or a new CPU fab. Intel routinely invests several billions each time they open a new fab.

We need another search engine, one that doesn't spy on you, isn't linked to your email, isn't linked to analytics that are shared by the 80% of all websites and isn't linked to your entire browser or even device. Most people actually do use Google, Gmail, Chrome, and Android smartphones, and don't try to block as much analytics as possible. Only advertising is sometimes blocked because it's "annoying". As for social networks, well, we have mastodon, though I haven't used it. (That said, I haven't used any actual social networks, except forums and IRC).

As for Android, well, I use a plain dumbphone. I think everyone should do the same. Apart from SMSing and talking, just do the work on an actual computer that you can for the most part control what it does. For the most part, not only because of restricted implementations and/or configurations of Secure Boot, but also because of things like the Intel Management Engine, the BIOS or UEFI firmware itself, and all of the undocumented hardware and thus proprietary drivers and/or firmware. I used to have some hopes for RISC-V, but they already ported UEFI to it from what I remember.
bzt wrote:
nexos wrote:but monopolies need to controlled.
Yes, but the current laws are formed as monopolies want them to be, so this is not going to happen.
And at this point we are talking about corruption that's caused by money-in-the-middle attacks! It even has the same acronym! Good pun maybe, but it's the sad reality, not only for market laws but for practically everything...
User avatar
bzt
Member
Member
Posts: 1584
Joined: Thu Oct 13, 2016 4:55 pm
Contact:

Re: UEFI discussion (was: Announcement: The Nexware Project)

Post by bzt »

I've figured out a way to load any OS circumventing Secure Boot!

Long story short: one of my BOOTBOOT users reported a problem on real hw and together we've narrowed it down that calling ExitBootServices freezes. So I took a deep dive into the specs and UEFI forums to figure out why. And I've found interesting things!

First, I was surprised that the websearch gave me a wikileaks page for such a technical phrase. As it turned out, you can install hooks on ExitBootServices and the CIA is known to use that to run spyware to violate innocent citizen's privacy. The wikileaks page is kind enough to provide an example source code too on how to do that: https://wikileaks.org/ciav7p1/cms/page_36896783.html.
wikileaks wrote:If you're here, it's because you want to know more about ExitBootServices, and probably want to hook it so you can do things to the OS.
wikileaks wrote:Because the ExitBootServices service can be found by getting its pointer from the global EFI_BOOT_SERVICES table, hooking the ExitBootServices call is trivial. From within a UEFI driver, you store the original pointer and then replace the table's pointer with one to your hook function. From there, you let your driver run and wait for ExitBootServices to be called by the OS loader, and your hook code will run just before the OS loader gets control. When you're running in UEFI, that EFI_BOOT_SERVICES table isn't protected by anything, so you can just write directly to it.

At this point, you can do whatever you want. UEFI boot services are still running (because they will be terminated when the real ExitBootServices is called), and the OS is sitting there.
Now looking at the EDK, the next interesting thing is, that not all device drivers are checked against signature! All drivers that are considered to provide primary user interface can be loaded without signatures. Most notably video card drivers. So if you write a fake UEFI video card driver that hooks at ExitBootServices, then you can essentially load ANY operating system you want regardless to the loader and Secure Boot! You'll have to clean up the OS that's being loaded, sure, but you can definitely do that and then load your OS instead. And then when the control is returned to the original loader calling ExitBootServices, it's none the wiser! It will simply execute your modified OS image instead of the signature checked one. Or if you don't want to deal with the original loader, you can just load and execute your kernel image from the hook...

Cheers,
bzt
nullplan
Member
Member
Posts: 1767
Joined: Wed Aug 30, 2017 8:24 am

Re: UEFI discussion (was: Announcement: The Nexware Project)

Post by nullplan »

You know, I had never considered that. And it is true; all the EFI functions are only called by pointer from the system table. Anyone can just overwrite it. There is little the firmware can do about it, short of verifying the system table after each call into a driver, but that would be time-consuming and not accomplish a whole lot. I suppose they could put the system table into read-only memory and turn on the WP bit in CR4, but any malicious driver can just turn it off again. And the system table is, to my knowledge, dynamic enough that actually putting it into a ROM (the only defence against this attack) is impractical or impossible.

Of course, this requires that you install hardware into the victim's computer so that the option ROMs can be found and loaded. So there's a saving grace at least.
Carpe diem!
testjz
Posts: 23
Joined: Thu Aug 20, 2020 6:11 am

Re: UEFI discussion (was: Announcement: The Nexware Project)

Post by testjz »

This could be used by non-malicious developers (for example, most if not all of us here), except that we need to already be somehow running in order to install such hooks and, if we already are somehow running, we can load the OS that we want. And, if we could install such hooks, then wouldn't it be really trivial for malicious parties to install their own hooks, maliciously?

By the way, I had already found this exact page some months ago, and I saved it locally to my computer to guard against the case it would disappear for any reason, predictable or not.
Post Reply