On 8/2/20 1:19 PM, John Pierce wrote:
> One of the things that bugs me about PKI trust chains like this, what
> happens if the unthinkable happens, and Microsoft's RootCA gets compromised
> and has to be revoked... does that mean every single piece of UEFI
> hardware out there needs a BIOS upgrade?

Yes.  They'll be vulnerable to malware signed by the old CA until they're updated.

That's better than systems without a PKI trust chain, which are vulnerable all of the time.
On Sun, Aug 2, 2020 at 3:54 PM Gordon Messmer <gordon.messmer at gmail.com> wrote:
> On 8/2/20 1:19 PM, John Pierce wrote:
> > One of the things that bugs me about PKI trust chains like this, what
> > happens if the unthinkable happens, and Microsoft's RootCA gets compromised
> > and has to be revoked... does that mean every single piece of UEFI
> > hardware out there needs a BIOS upgrade?
>
> Yes.  They'll be vulnerable to malware signed by the old CA until
> they're updated.
>
> That's better than systems without a PKI trust chain, which are
> vulnerable all of the time.

Isn't it more that they simply won't work with newer boots that were signed by the new keys? And the updated BIOSes won't boot older OS versions that weren't signed by the new keys?

BIOS updates are often not available for slightly older hardware; once it goes out of production most vendors lose all interest.

-- 
-john r pierce
  recycling used bits in santa cruz
On 8/2/20 4:11 PM, John Pierce wrote:
> isn't it more that they simply won't work with newer boots that were signed
> by the new keys? and the updated BIOS's won't boot older OS versions that
> weren't signed by the new keys?

I don't know if the Secure Boot PKI has a publicly documented contingency plan for a compromised CA, but my understanding is that there are multiple slots for signatures:

http://dreamhack.it/linux/2015/12/03/secure-boot-signed-modules-and-signed-elf-binaries.html

So, I would guess that clients would receive a new trust DB that did not contain the old root CA, and new bootloaders signed by both the old root CA and the new CA.  The new bootloaders would work on both new and old systems, having signatures from both.  Old bootloaders would not work on new clients.
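The scenario Gordon sketches above (a new trust DB without the old root, bootloaders carrying signatures from both roots) can be worked through with a small model of the Secure Boot `db`/`dbx` authorization policy. The following is an added example written for this thread, not code from any of the posters or from any firmware project. The CA names `ROOT-CA-OLD`/`ROOT-CA-NEW`, the image contents and the "firmware" trust stores are all constructed placeholders; the cryptographic signature check is assumed to have been done elsewhere (`Signature.valid`), so only the policy logic is modelled. The rule set in `authorize` is a simplification of the UEFI spec and is stated as an assumption: a hash in `dbx` is rejected, a verified signature from a signer listed in `dbx` rejects the image, and otherwise any verified signature from a signer in `db` allows it. The third trust store, `revoking_fw`, goes one step beyond the thread to show the caveat that matters in practice: if the old root is pushed into `dbx` rather than merely dropped from `db`, a dual-signed bootloader is rejected too, because its old-root signature now counts against it.

```python
"""Toy model of the UEFI Secure Boot db/dbx authorization policy.

Constructed example: signers are plain string identifiers and the
cryptographic check is assumed to have already happened (Signature.valid).
Only the policy (what db and dbx do, and how several signatures on one
image interact with them) is modelled.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    signer: str          # identifier of the CA this signature chains to
    valid: bool = True   # outcome of the crypto check, assumed done elsewhere


@dataclass(frozen=True)
class BootImage:
    name: str
    content: bytes
    signatures: tuple    # an image may carry several signatures (old CA and new CA)

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class TrustStore:
    db: frozenset        # allowed signers (CA identifiers) and allowed image hashes
    dbx: frozenset       # forbidden signers and forbidden image hashes


def authorize(image: BootImage, store: TrustStore) -> tuple:
    """Return (allowed, reason) for booting `image` under `store`.

    Modelled rule set (an assumption, simplified from the UEFI spec):
      1. an image hash listed in dbx is rejected outright;
      2. an image carrying a verified signature from a signer in dbx is rejected;
      3. otherwise the image is allowed if its hash is in db or any verified
         signature comes from a signer in db.
    """
    h = image.digest()
    if h in store.dbx:
        return False, "image hash is in dbx"
    for sig in image.signatures:
        if sig.valid and sig.signer in store.dbx:
            return False, f"signed by forbidden signer {sig.signer}"
    if h in store.db:
        return True, "image hash is in db"
    for sig in image.signatures:
        if sig.valid and sig.signer in store.db:
            return True, f"signature by trusted signer {sig.signer}"
    return False, "no signature chains to a signer in db"


# --- constructed scenario following the thread --------------------------------
OLD_CA = "ROOT-CA-OLD"    # placeholder for the compromised root
NEW_CA = "ROOT-CA-NEW"    # placeholder for its replacement

# Firmware that never received an update: still trusts only the old root.
unpatched_fw = TrustStore(db=frozenset({OLD_CA}), dbx=frozenset())
# Update as guessed in the thread: old root simply dropped from db.
updated_fw = TrustStore(db=frozenset({NEW_CA}), dbx=frozenset())
# Stricter update: old root explicitly revoked via dbx.
revoking_fw = TrustStore(db=frozenset({NEW_CA}), dbx=frozenset({OLD_CA}))

old_loader = BootImage("shim-old", b"bootloader v1", (Signature(OLD_CA),))
dual_loader = BootImage("shim-new", b"bootloader v2",
                        (Signature(OLD_CA), Signature(NEW_CA)))
malware = BootImage("evil", b"bootkit", (Signature(OLD_CA),))  # signed with the stolen root


def scenario() -> dict:
    """Evaluate every (image, firmware) pair; returns {image: {firmware: allowed}}."""
    firmwares = {"unpatched": unpatched_fw, "updated": updated_fw, "revoking": revoking_fw}
    images = [old_loader, dual_loader, malware]
    return {img.name: {fw: authorize(img, st)[0] for fw, st in firmwares.items()}
            for img in images}


if __name__ == "__main__":
    for name, results in scenario().items():
        verdicts = "  ".join(f"{fw}={'boot' if ok else 'DENY'}" for fw, ok in results.items())
        print(f"{name:9s} {verdicts}")
```

Running it reproduces the thread's reasoning: the dual-signed loader boots on both unpatched and updated firmware, the old single-signed loader boots only on unpatched firmware, and the attacker's image signed with the stolen root boots on every machine that never got the update. The `revoking` column is the added caveat: once the old root sits in `dbx`, the dual-signed loader is denied as well, which is why a transition that revokes (rather than just forgets) a root has to ship images signed with the new root only.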