Author Topic: UEFI rootkits  (Read 5272 times)


Offline Njk

  • Regular Contributor
  • *
  • Posts: 198
  • Country: ru
Re: UEFI rootkits
« Reply #25 on: January 12, 2023, 10:58:39 pm »
Of course UEFI is more vulnerable, simply because it's more standardized. But it's not a technical problem, it's a compliance enforcement problem. On the other hand, it's an open standard, so everyone is free to learn it and to test a particular UEFI implementation to make sure there are no obvious security holes.

Set a password for your BIOS. That simple measure will (hopefully) implement a physical presence check, making it more difficult to compromise your computer.

BTW Microsoft is moving in the right direction mandating a TPM device on every Win11 mobo.
« Last Edit: January 12, 2023, 11:03:58 pm by Njk »
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2217
  • Country: 00
Re: UEFI rootkits
« Reply #26 on: January 13, 2023, 07:22:29 am »
Quote from: Njk
BTW Microsoft is moving in the right direction mandating a TPM device on every Win11 mobo.

No, they are not. The only reason for TPM is that they don't want you to be in control of your computer.
Ideally (from the viewpoint of tech giants) you can't have a root/admin account anymore, like
with Android phones and iOS devices (iPad, iPhone). Soon, without TPM, no Netflix, no online banking,
no government communication, etc. They say it's for security but they don't care sh*t about security.
They care about controlling what you can do with your computer. Period.
 

Offline Njk

  • Regular Contributor
  • *
  • Posts: 198
  • Country: ru
Re: UEFI rootkits
« Reply #27 on: January 13, 2023, 10:51:31 am »
Well, I'm not going to spark another round of MS-vs-NonMS debate. Frankly, I'm not sure what is better, one big parasite or a billion small, hungry, agile and therefore more vocal ones. All of them want your money, trying to sell something that you don't actually need. Nobody is perfect, but MS is a gold standard for ordinary users. IBM, MS, Intel. Only rebellious teenagers are refusing to say thanks to them (as to anyone).

As for TPM, it just provides a mechanism to verify the integrity of every system component, from the root of trust (which is the CPU) down to an application program. BIOS included. The standard is well known and is mature enough; we have the second incarnation of it. And it has been in use in the corporate computing environment for a long time. Now MS has decided to extend its usage to all users. For sure, TPM is not the only possible arrangement. The ARM world uses a different approach, but the PC world is much older, so it's more difficult to implement a new thing without the risk of impacting backward compatibility.

Of course, no technology provides absolute protection; it's always a cat and mouse game. And again, the problem is not in the technology. MS is big enough to actually enforce the usage. Any enforcement creates the risk of abuse. But that's the price. And we have no monopoly anyway.
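An added example, not from any poster in this thread, of the integrity chain Njk describes: a verifier replays a measured-boot event log through the TPM 2.0 PCR extend operation (new = SHA-256(old || digest)) and compares the result with the PCR values the platform reports. The event log and the component contents are constructed for the example; a swapped firmware image changes PCR0, which is what a rootkit in the UEFI firmware volume would look like to remote attestation.

```python
import hashlib

# Constructed measured-boot event log: (PCR index, description, component bytes).
# A real log carries the digest of each component; here the bytes are hashed on
# the fly so the example runs stand-alone.
EVENT_LOG = [
    (0, "UEFI firmware volume", b"firmware-image-v1"),
    (0, "UEFI platform config", b"setup-defaults"),
    (7, "Secure Boot policy", b"SecureBoot=1"),
    (4, "EFI boot manager", b"bootmgfw.efi"),
    (4, "OS loader", b"winload.efi"),
]

PCR_INITIAL = b"\x00" * 32  # SHA-256 bank, PCRs 0-16 start at all zeros


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: the new value is H(old value || event digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log) -> dict:
    """Replay an event log in order and return the PCR values it must produce."""
    pcrs = {}
    for idx, _desc, component in log:
        digest = hashlib.sha256(component).digest()
        pcrs[idx] = extend(pcrs.get(idx, PCR_INITIAL), digest)
    return pcrs


def attest(reported_pcrs: dict, known_good_log) -> set:
    """Return the PCR indices whose reported value differs from the known-good replay.

    An empty set means every measured component matches what the verifier expects."""
    expected = replay(known_good_log)
    return {i for i in expected if reported_pcrs.get(i) != expected[i]}


def tampered_boot() -> dict:
    """PCRs of a platform whose firmware volume was replaced (constructed scenario)."""
    log = list(EVENT_LOG)
    log[0] = (0, "UEFI firmware volume", b"firmware-image-v1+implant")
    return replay(log)


if __name__ == "__main__":
    print("clean boot mismatches:   ", attest(replay(EVENT_LOG), EVENT_LOG))
    print("tampered boot mismatches:", attest(tampered_boot(), EVENT_LOG))
```

Because each extend hashes the previous value, order matters too: the same components measured in a different sequence yield a different PCR, so a component inserted before the boot manager cannot hide by measuring the genuine one afterwards.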
 

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: UEFI rootkits
« Reply #28 on: January 13, 2023, 12:01:23 pm »
Please don't forget that TPM comes with its own security issues. Let's try to fix a security issue by introducing new ones. ;D
 

Offline Njk

  • Regular Contributor
  • *
  • Posts: 198
  • Country: ru
Re: UEFI rootkits
« Reply #29 on: January 13, 2023, 12:20:57 pm »
It's a routine task to fix something (e.g. the Infineon TPM issue). What's more important is to maintain a policy.
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2217
  • Country: 00
Re: UEFI rootkits
« Reply #30 on: January 13, 2023, 12:21:26 pm »
Quote from: Njk
As for TPM, it just provides a mechanism to verify the integrity of every system component, from the root of trust (which is the CPU) down to an application program. BIOS included.

Not just that. It provides a means to securely identify a computer, which can and will be used by third parties for "security" reasons.
For example, software licences can be tied to a system much more securely using the TPM.
Software can check if your system is "trusted" (for whatever that means). I would be surprised if this is not going to be used to effectively cancel out open-source software
and open-source operating systems. There's already something similar going on with Widevine from Google. It's why you can't watch Netflix on a Raspberry Pi with Linux, for example.
It's the wet dream for digital rights management.
 

Offline Njk

  • Regular Contributor
  • *
  • Posts: 198
  • Country: ru
Re: UEFI rootkits
« Reply #31 on: January 13, 2023, 01:45:50 pm »
Agree it has some unpleasant implications. But:

1. Internet security is a growing problem that needs to be addressed. I'm not sure how it can be done without a reliable method of device identification.

2. There are many interested parties and it'll take time for them to really start using the TPM to their advantage. Definitely it will not happen simultaneously.

3. Technically, it's possible to migrate almost all information (except the root keys, but those keys are not used directly anyway) from one TPM to another for backup purposes.

4. It's not clear on what legal ground it can be used against the OSS community.

BTW I think it's not convenient to watch Netflix etc. on the computer screen.
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2217
  • Country: 00
Re: UEFI rootkits
« Reply #32 on: January 13, 2023, 02:28:56 pm »
Quote from: Njk
Agree it has some unpleasant implications. But:

1. Internet security is a growing problem that needs to be addressed. I'm not sure how it can be done without a reliable method of device identification.

It cannot be addressed. At least not completely. Accepting that and using alternatives is the first step in not using TPM.
And for sure, taking away control of somebody else's computer is not the way to do that. But security is a fake argument; tech giants want to be in control for other motives.

Quote
2. There are many interested parties and it'll take time for them to really start using the TPM to their advantage. Definitely it will not happen simultaneously.

I don't care. It will happen sooner or later.

Quote
3. Technically, it's possible to migrate almost all information (except the root keys, but those keys are not used directly anyway) from one TPM to another for backup purposes.

It's not in the advantage of the end user.

Quote
4. It's not clear on what legal ground it can be used against the OSS community.

It can be used to make it difficult to install alternative operating systems.
Some apps don't work if you rooted your device.

Quote
BTW I think it's not convenient to watch Netflix etc. on the computer screen.

Because you think it's not convenient it's less important for others? A lot of people watch streaming video on a portable device.
Anyway, the Raspberry Pi I used as an example runs LibreELEC/Kodi software in order to act as a multimedia player, and it's connected to a normal TV.
 
The following users thanked this post: SiliconWizard

Offline Njk

  • Regular Contributor
  • *
  • Posts: 198
  • Country: ru
Re: UEFI rootkits
« Reply #33 on: January 14, 2023, 03:20:32 am »
Quote from: Karel
It cannot be addressed. At least not completely. Accepting that and using alternatives is the first step in not using TPM.
And for sure, taking away control of somebody else's computer is not the way to do that. But security is a fake argument; tech giants want to be in control for other motives.

Tech giants, in theory, can be repelled legally. As for the swarm of not-so-smart fraudsters, the only way to stop them is to set up reasonably strong technical obstacles. Did you ever receive funny e-mails saying that you're hacked, all your sensitive data are stolen and you have to pay now, otherwise... Looks like the guys don't understand what this is all about but have learned from the other losers about the magic words that can bring fast cash. The Internet is very popular now.

Quote
Some apps don't work if you rooted your device.
If it's a banking app, maybe that's not so bad. Have you ever been asked to show your ID at the supermarket?

Quote
Because you think it's not convenient it's less important for others? A lot of people watch streaming video on a portable device.
Anyway, the Raspberry Pi I used as an example runs LibreELEC/Kodi software in order to act as a multimedia player, and it's connected to a normal TV.

There is no TPM on any RPi, AFAIK. And those boards are created as eval/edu platforms. Because of that, security hardening is not enforced. If one wants to use them for a gray business, that's OK, but he's on his own. A lot of ways, as we know.

Once I designed a USB device with thumb drive functionality, so the app was installed automatically when the device was plugged in. Soon after, MS disabled that capability, at least for ordinary thumb drives. No problem, because the reason was strong indeed.
« Last Edit: January 14, 2023, 05:29:50 am by Njk »
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2217
  • Country: 00
Re: UEFI rootkits
« Reply #34 on: January 14, 2023, 07:58:58 am »
Quote from: Njk
Tech giants, in theory, can be repelled legally. As for the swarm of not-so-smart fraudsters, the only way to stop them is to set up reasonably strong technical obstacles. Did you ever receive funny e-mails saying that you're hacked, all your sensitive data are stolen and you have to pay now, otherwise... Looks like the guys don't understand what this is all about but have learned from the other losers about the magic words that can bring fast cash. The Internet is very popular now.

That doesn't justify the use of TPM. It's the same lame excuse as "we do it to fight terrorism and childpr0n"...

Again, it's not about security. It's about being in control in order to make money.

Quote
Some apps don't work if you rooted your device.
Quote from: Njk
If it's a banking app, maybe that's not so bad. Have you ever asked to show your ID at the supermarket?

It is when banks start to not offer any alternatives anymore. That effectively means I'm obliged to buy a smartphone
controlled by a tech giant which is controlled by shareholders in order to get access to my bank account.
Fortunately I found a bank that was willing to sell me a physical token which I can use to access my account without
the need for some "app". But I fear the day will come that no bank will offer that possibility anymore.

Quote
Because you think it's not convenient it's less important for others? A lot of people watch streaming video on a portable device.
Anyway, the Raspberry Pi I used as an example runs Libreelec/Kodi software in order to act as a multimedia player and it's connected to a normal TV.

Quote from: Njk
There is no TPM on any RPi, AFAIK. And those boards are created as eval/edu platforms. Because of that, security hardening is not enforced. If one wants to use them for a gray business, that's OK, but he's on his own. A lot of ways, as we know.

Security hardening is important for the owner of the device. So the computer owner must be in control of all parts
of the hardware, including any TPM. Actually, the TPM is designed to give control of your computer to a third party,
that's the problem.

Quote from: Njk
Once I designed a USB device with thumb drive functionality, so the app was installed automatically when the device was plugged in. Soon after, MS disabled that capability, at least for ordinary thumb drives. No problem, because the reason was strong indeed.

Fortunately there's Linux, so people who don't like that behaviour can use an alternative.
As long as there's real choice and competition, there's usually no problem.
Problems start to appear when there's a lack of choice and almost no competition, like with smartphones.
There's only Android and iOS, and neither of them gives you full access to all the parts of your device, and neither
of them lets you create a root/admin account so that you can be in control.
 
The following users thanked this post: SiliconWizard

