Re: Help: explanation of secure flash?

2021-07-07 Thread rhkramer
On Wednesday, July 07, 2021 08:57:30 PM Polyna-Maude Racicot-Summerside wrote:
> Are you a TikiWiki user ?

No -- TWiki / Foswiki



Re: Help: explanation of secure flash?

2021-07-07 Thread Polyna-Maude Racicot-Summerside
Hi,
> (Try to ignore the markup -- it is what I use in what I sometimes call my 
> offline TWiki.)
> 
>* 
Are you a TikiWiki user ?

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development





Re: Help: explanation of secure flash?

2021-07-07 Thread rhkramer
On Tuesday, July 06, 2021 07:07:29 PM Jeremy Nicoll wrote:
> On Tue, 6 Jul 2021, at 23:37, rhkra...@gmail.com wrote:
> > I've seen warnings (against hacks) that say (among other things) to
> > enable "secure flash".  I've been googling to learn more about that, but
> > I haven't found any good explanation.
> > 
> > I'm beginning to get hints that it is not so much a thing (to be
> > enabled), but more the (a) process to update the computer's BIOS. 
> > (e.g., "'Unable to start a Secure flash session' error message.")
> 
> It might be a suggestion that you use your BIOS or UEFI to disable the
> machine's ability to boot off a USB stick ... because that - if it's on -
> allows anyone to reboot your machine with the OS and tools of their
> choice.

Thanks to all who replied!

I found some more information.  It seems that SecureFlash might be an American 
Megatrends (AMI) thing related to SecureBoot and UEFI.  

It is apparently a means to flash a BIOS and make sure that the new image is 
"secure" (for some definition of secure).  

The word that I could not remember exactly was rollback (not rollover) and 
"anti-rollback" is apparently intended to prevent a hacker from rolling back 
the BIOS to an earlier less secure version.

The following is a link to an old (20120220) presentation on the subject, with 
some quotes captured from the slides.

I don't know if Secure Flash is still a thing or has been replaced by 
something else.

(Try to ignore the markup -- it is what I use in what I sometimes call my 
offline TWiki.)

   * [[https://members.uefi.org/learning_center/UEFI_Plugfest_2012Q1_v3_AMI.pdf][Secure Firmware Update]]: "UEFI Winter Plugfest – February 20-23, 2012: Presented by Zachary Bobroff(AMI)"
`=
Why Secure Flash Update?
• Platform security is a broad topic...
– Many overlapping technologies (TPM, secure boot,
secure flash update, etc)
– System complexity is increasing with new
technologies (Execute Disable, virtualization, etc)
– No one specification ties all security technologies
together
Firmware modification/tinkering by the hobbyist
is becoming more commonplace
The UEFI specification completely documents all
interfaces
– Malicious software can attack the firmware

...

Connection with Secure Boot
Secure boot dictates that all external images
must be authenticated prior to execution
Secure boot ensures the system booted in a
trusted state
Secure boot prevents attacks targeting the
firmware to OS handoff
Secure boot does not prevent any direct attacks
on the firmware itself, and the UEFI
specification has no provisioning for firmware
protection

...

Secure Flash Demonstration
• The following will be demonstrated:
– The capsule update method using AMI ASFU (AMI
Secure Flash Update) Utility
– Anti-Rollback will be tested by trying to flash original
image
– A modified binary will be used to simulate a malicious
BIOS update
• A binary modified after signing will have an invalid
signature
='
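
The two checks listed in the slide's demonstration (a binary modified after signing fails signature verification; flashing the original image trips anti-rollback), as an added example that is not part of the original post or AMI's code. The image layout, the names `Image`, `Sign`, `CheckUpdate` and `Demo`, and the choice of Ed25519 are assumptions for illustration; it also goes one case beyond the slides, a forged version field.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

type Image struct { // constructed layout for illustration, not AMI's capsule format
	Version      uint32 // firmware version, higher is newer
	Payload, Sig []byte // Sig is an Ed25519 signature over version || payload
}

var ErrBadSignature = errors.New("rejected: signature invalid")
var ErrRollback = errors.New("rejected: older than installed firmware")

// signedBytes binds the version to the payload so neither can be changed alone.
func signedBytes(version uint32, payload []byte) []byte {
	v := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(v, payload...)
}

// Sign is the vendor's build-time step (hypothetical helper).
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// CheckUpdate is the flasher's decision: authenticate first, then compare versions.
func CheckUpdate(pub ed25519.PublicKey, installed uint32, img Image) error {
	if !ed25519.Verify(pub, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version < installed { // reflashing the same version is allowed here
		return ErrRollback
	}
	return nil
}

// Demo runs a valid upgrade, a rollback, a modified binary and a forged version field.
func Demo() (upgrade, rollback, tampered, forged error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	v1 := Sign(priv, 1, []byte("constructed firmware v1"))
	v2 := Sign(priv, 2, []byte("constructed firmware v2"))
	mod := Image{Version: 2, Payload: []byte("constructed firmware vX"), Sig: v2.Sig}
	bumped := Image{Version: 3, Payload: v1.Payload, Sig: v1.Sig}
	return CheckUpdate(pub, 1, v2), CheckUpdate(pub, 2, v1), CheckUpdate(pub, 1, mod), CheckUpdate(pub, 2, bumped)
}

func main() { fmt.Println(Demo()) }
```

Because the version is inside the signed bytes, raising the version field of an old image to get past the rollback check invalidates its signature.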



Re: Help: explanation of secure flash?

2021-07-07 Thread Polyna-Maude Racicot-Summerside
Hi,

On 2021-07-07 8:46 a.m., rhkra...@gmail.com wrote:
> On Tuesday, July 06, 2021 10:53:52 PM Kevin N. wrote:
>>> Can somebody provide either a little more explanation and / or a link to
>>> a (reasonably simple) reference?
>>
>> https://www.embeddedcomputing.com/technology/security/network-security/secure-flash-the-cure-for-insecurity-in-connected-automotive-and-industrial-applications-part-1
>>
>> https://www.embeddedcomputing.com/technology/security/network-security/secure-flash-the-cure-for-insecurity-in-connected-automotive-and-industrial-applications-part-2
> 
This was a good explanation to the original thread name.

> Thanks to all who replied!
> 
> This (the link above) happens to be one of the links I did find and read / skim
> -- it didn't seem applicable.  
> 
> I thought it would be something applicable to secure boot or similar.  
> 
What you may want to use is secure boot. Your original message was
related to something different and this seems to be why you got the links above.

> Maybe unrelated but I also came across some kind of option in my search, which
> without looking for again, is something like disable  
> rollover (right word?).
For sure, if you write messages using such precision as " " then your risk of receiving answer that are good but don 
> I guess I'll let things sit for now, and when I install Debian (presumably 
> Bullseye) on my newest computer, I'll look again.
> 

Maybe reading on the subject of Secure Boot (on Debian doc is a good
start) and the general subject of hardware security in general would
help you for the next step.

You can find much information online. If you get into a link that is not
closely related to your problem, read it anyway as it will allow you to
get better understanding of other use-case.
Sincerely,
-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development





Re: Help: explanation of secure flash?

2021-07-07 Thread rhkramer
On Tuesday, July 06, 2021 10:53:52 PM Kevin N. wrote:
> > Can somebody provide either a little more explanation and / or a link to
> > a (reasonably simple) reference?
> 
> https://www.embeddedcomputing.com/technology/security/network-security/secure-flash-the-cure-for-insecurity-in-connected-automotive-and-industrial-applications-part-1
> 
> https://www.embeddedcomputing.com/technology/security/network-security/secure-flash-the-cure-for-insecurity-in-connected-automotive-and-industrial-applications-part-2

Thanks to all who replied!

This (the link above) happens to be one of the links I did find and read / skim 
-- it didn't seem applicable.  

I thought it would be something applicable to secure boot or similar.  

Maybe unrelated but I also came across some kind of option in my search, which 
without looking for again, is something like disable  
rollover (right word?).

I guess I'll let things sit for now, and when I install Debian (presumably 
Bullseye) on my newest computer, I'll look again.



Re: Help: explanation of secure flash?

2021-07-06 Thread Kevin N.

Can somebody provide either a little more explanation and / or a link to a
(reasonably simple) reference?


https://www.embeddedcomputing.com/technology/security/network-security/secure-flash-the-cure-for-insecurity-in-connected-automotive-and-industrial-applications-part-1

https://www.embeddedcomputing.com/technology/security/network-security/secure-flash-the-cure-for-insecurity-in-connected-automotive-and-industrial-applications-part-2


Cheers,

K.



Re: Help: explanation of secure flash?

2021-07-06 Thread Rick Thomas



On Tue, Jul 6, 2021, at 5:43 PM, Rick Thomas wrote:
> On Tue, Jul 6, 2021, at 3:37 PM, rhkra...@gmail.com wrote:
> > I've seen warnings (against hacks) that say (among other things) to enable 
> > "secure flash".  I've been googling to learn more about that, but I haven't 
> > found any good explanation.
...
> Use your favorite search engine to look for "self encrypted ssd" 
> (without the quotes).

In particular:

https://www.crucial.com/articles/about-ssd/self-encrypting-ssd-for-data-security



Re: Help: explanation of secure flash?

2021-07-06 Thread Rick Thomas
On Tue, Jul 6, 2021, at 3:37 PM, rhkra...@gmail.com wrote:
> I've seen warnings (against hacks) that say (among other things) to enable 
> "secure flash".  I've been googling to learn more about that, but I haven't 
> found any good explanation.
> 
> I'm beginning to get hints that it is not so much a thing (to be enabled), but 
> more the (a) process to update the computer's BIOS.  (e.g., "'Unable to start 
> a Secure flash session' error message.")
> 
> Can somebody provide either a little more explanation and / or a link to a 
> (reasonably simple) reference?

There are available on the market SATA and USB interface flash or SSD drives 
that have built-in encryption.  They require the user to enter an encryption 
key when they start up.  The software to handle requesting and passing the key 
can be in the BIOS or in a user-supplied boot-loader or user-mode app that 
resides on a non-encrypted disk.

The advantage of this mode vs software encryption is that the encryption engine 
resides in the firmware of the disk so it doesn't eat up CPU or GPU cycles that 
should be better applied to running user apps.

Use your favorite search engine to look for "self encrypted ssd" (without the 
quotes).

Does that help?
Rick



Re: Help: explanation of secure flash?

2021-07-06 Thread Jeremy Nicoll
On Tue, 6 Jul 2021, at 23:37, rhkra...@gmail.com wrote:
> I've seen warnings (against hacks) that say (among other things) to enable 
> "secure flash".  I've been googling to learn more about that, but I haven't 
> found any good explanation.
> 
> I'm beginning to get hints that it is not so much a thing (to be enabled), but 
> more the (a) process to update the computer's BIOS.  (e.g., "'Unable to start 
> a Secure flash session' error message.")

It might be a suggestion that you use your BIOS or UEFI to disable the 
machine's ability to boot off a USB stick ... because that - if it's on - allows
anyone to reboot your machine with the OS and tools of their choice.

So, you go into the BIOS, find the right option(s) and disable them, then
make sure you have passwords set to control access to the BIOS if you 
didn't already have them set, then save & exit.

If YOU ever need to boot from a USB stick you enter the BIOS again, 
supplying its password, and turn the option back on.  Don't forget 
after that to disable it again.

As to what the option(s) are actually called in your machine's BIOS, 
who knows?  In my experience BIOS options normally have very 
terse names and the "help" text is only marginally more useful.  But
you should be able to google on the option name and the BIOS
supplier's name and the BIOS version to find out more.

-- 
Jeremy Nicoll - my opinions are my own.



Help: explanation of secure flash?

2021-07-06 Thread rhkramer
I've seen warnings (against hacks) that say (among other things) to enable 
"secure flash".  I've been googling to learn more about that, but I haven't 
found any good explanation.

I'm beginning to get hints that it is not so much a thing (to be enabled), but 
more the (a) process to update the computer's BIOS.  (e.g., "'Unable to start 
a Secure flash session' error message.")

Can somebody provide either a little more explanation and / or a link to a 
(reasonably simple) reference?