this post was submitted on 15 Jun 2024
29 points (100.0% liked)

Linux Questions

1149 readers
3 users here now

Linux questions Rules (in addition of the Lemmy.zip rules)

Tips for giving and receiving help

Any rule violations will result in disciplinary actions

founded 1 year ago
MODERATORS
 

I dual boot Windows 10 and Linux. Whnever Windows freezes or boot gets interrupted etc. I lose access to Linux because UEFI offers only Windows as boot options. On checking EFI partition still has rEFInd and PCLinuxOS entries needed.

I wonder why it cannot see them?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 3 points 5 months ago (1 children)

Related q:

So I have a machine with fde, + just one os present, + uefi password protected, + only the internal drive as a boot option. I also have sb enabled, but it was off during install (ventoy doesn't play nice with it, at least for me) so there's no keys registered, and I've reset sb keys anyway (for windows) since installation. Sb on but dormant.

How vulnerable am I to a theoretical attack? With the drive encrypted and no alternative boot options, an attacker would need to somehow get to /boot/efi from the machine itself, right? Maybe a exploit in uefi? Am I missing any big pieces to the puzzle?

[โ€“] [email protected] 2 points 5 months ago

I don't know hardware/systems like this. I'm an abstract thinker. I like to break down and distil complicated subjects to a level I intuitively understand.

Secure boot uses a Trusted Protection Module (TPM) chip. It is usually a dedicated chip, although there is a sketchy way it can be implemented in software. The idea is that the TPM chip is not connected internally to your computer at all. The chip can issue a new key that is only hashed with an internal key on the chip. There is never a point where that internal key on the chip is present in your computer. If any key present in your computer is generated from a TPM module, there is no way for anyone to swap, modify, or access the private key pair inside the TPM.

Secure Boot is using this key to check that the bootloader and all kernel code hashes against the TPM secret key. Running SB with a TPM keyset is essentially saying no part of the chain is trusted, so we're making an extra sandboxed place that we can trust and making it exist in a space with no possible connections in software. There are possible exploits in an electronics lab with physical access to the hardware, but that is well outside of the average person's reasonable security model.

If anyone modifies the bootloader binary, it is extremely difficult to detect after it is compromised.