On Fri, Mar 6, 2020 at 2:07 PM Wols Lists <antli...@youngman.org.uk> wrote: > > On 06/03/20 13:48, Rich Freeman wrote: > > If you fall into this camp you need to still update your firmware to > > address the non-TPM-user and to avoid making it trivial for software > > to steal your keys/etc. However, you need to be aware that you are no > > longer secure against physical theft of your device. Somebody who > > steals your laptop with passwordless encryption might be able to break > > the encryption on your device. > > It's worse that that, he's dead, Jim! > > The summary on LWN is an easy read. Somebody who steals your Intel > laptop WILL be able to break the encryption on your device. > > tl;dr summary - the microcode that *boots* the cpu has been compromised. > So even while it is setting up tpm and all that malarkey, malware can be > stealing keys etc.
They don't detail the effort required. If the firmware is patched it sounds like it still requires tinkering with hardware. However, there really isn't nothing you said that doesn't agree with what I said. Whether they "WILL" be able to break the encryption on your device depends a lot on the details and the knowledge of the attacker. Hence the reason I said "might." In any case, might is good enough to not rely on a broken security feature. > Which means that Intel's master signing key will soon be cracked and > compromised. Yes, but keep in mind the signing keys have nothing to do with disk encryption. It is for remote attestation. Hence my Netflix comment. -- Rich
