[Discuss] Fighting UEFI: cert revocation

[tmetro+blu at gmail.com (Tom Metro)]

Daniel Feenberg wrote:
> Chuck Anderson wrote:
>> Jack Coats wrote:
>>> I am guessing someone will either come up with a crack, or will buy a
>>> 'certificate' and it will be 'leaked' or otherwise subverted before
>>> long.
>>
>> If that happens, the key will just be revoked.
> 
> How will a motherboard check for revoked keys? Will the vendor add them
> to a list in ROM? I can't imagine BIOS vendors will be enthusiastic
> about that chore, or be prompt in doing so.

Exactly my question. Certificate revocation in browsers was supposed to
be handled using a web service, Online Certificate Status Protocol
(OCSP)[1], but browsers that did implement it, shipped with it disabled,
as they feared the performance impact. (And Google has since dropped
support in Chrome.) So the defacto mechanism is maintaining a relatively
static list in a file that is part of the browser's installed files and
updated when the browser has a security update.

Using OCSP pre-boot would be impractical. So that means either the list
only gets updated when the hardware vendor originally Flashed the ROM,
or issues BIOS updates, or (seems unlikely) Microsoft adds some service
to Windows that updates the Flash as needed.

Seems like with any of the options, if you are aware of what mechanism
is being used, you can fairly easily avoid it on a machine being used
exclusively for Linux. The most likely place you'd get tripped up is
installing an BIOS update.

 -Tom

1. http://en.wikipedia.org/wiki/Ocsp

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/