Bios vulnerabilities continue despite fixes being available

#1 Post by lucky9 » Sun Aug 03, 2014 12:46 pm

Yes, even I am dishonest. Not in many ways, but in some. Forty-one, I think it is.
--Mark Twain

#2 Post by Richard » Sun Aug 03, 2014 4:45 pm

Interesting.
I'd just assumed that UEFI
was to keep Linux off of Microsoft installs.
MX17.1____: T430-2017, 8 GB RAM, 4.15.0-1-amd64, 119 SSD
antiX-/MX-171: AA1/Eee, 1 GB RAM, 4.15.0-1-686-pae, 149 HDD
DoubleCmd, LO604, Dropbox, Slimjet, FFesr, mPDFed, Py3, CherryT, Vbox

#3 Post by jdmeaux1952 » Sun Aug 03, 2014 6:11 pm

They can never keep linux out. :fox:
MSI S6000 i5-460M 4Gb mem
I am not CrAzY. And I have a paper from the doctors to prove it!
LRU# 563815
Phear the Penguin

#4 Post by lucky9 » Sun Aug 03, 2014 8:02 pm

My understanding is that Secure Boot is for keeping Linux or other unsigned code from running.

You can pay Microsoft and get a certificate that covers your code or OS. But if there is any change in your code you need to re-certify. At least that's my understanding.

There are workarounds that may work, or they may not. RedHat and Ubuntu may work. But it depends on the UEFI implementation. I've read at least one account of UEFI code that looked for a Microsoft string even if Secure Boot was disabled. I think that was changed pretty quickly as the howls of dismay flooded the manufacturer.

#5 Post by uncle mark » Sun Aug 03, 2014 8:42 pm

I just this evening built a new machine and am running MX live on a shakedown run. It's built on an ASUS A55BM-E mobo with EFI. I've been through the "bios" settings a couple times and can't see any place to set legacy-boot or to disable Secure Boot, but it does say it's "Windows 8.1 Ready" on the box. At any rate, I was able to set it to boot to DVD, and here I am. With every other new build I've done over the last couple years, I could at least find settings/toggles for legacy-boot and Secure Boot, but if this thing's got them I sure can't find 'em. They may be calling 'em something different that I'm not realizing, but I've gone through everything I can and don't see it. Who freaking knows. This whole EFI thing is a mess, everybody is implementing it differently, and the different vendors are using different terminology.
Desktop: Custom build Asus/AMD/nVidia -- MEPIS 11
Laptop: Acer Aspire 5250 -- MX-15
Assorted junk: assorted Linuxes

#6 Post by peregrine » Sun Aug 03, 2014 8:59 pm

@ uncle mark I have been looking into building a new machine. This gets so confusing. I don't need windows, just MX14. What do I look for so I get a motherboard that will work? I thought until I read your post that I needed to be able to enable legacy-boot.
Asus A78M - AMD A10-6800K - 8GB Ram - 120GB SSD - Samsung SyncMaster 2243SWX LCD MX17 ------ Asus X550LA intel i5 4200 / MX17 | W10

#7 Post by uncle mark » Sun Aug 03, 2014 9:18 pm

peregrine wrote:@ uncle mark I have been looking into building a new machine. This gets so confusing. I don't need windows, just MX14. What do I look for so I get a motherboard that will work? I thought until I read your post that I needed to be able to enable legacy-boot.
That was my impression as well, and that hasn't changed. There's nothing I can see right now on this new build that makes me think it won't work like a conventional "bios" -- it just has me scratching my head as to why I'm not seeing any settings/toggles in the setup screens.

This machine is getting a W7/Linux dual boot setup, and the guy I'm building it for won't be getting me the W7 license until Tuesday (his daughter is getting it through her University account), so that's when I'll be actually starting in on setting it up. By all rights there shouldn't be a problem, but like I said, who freakin' knows. I can't imagine in my wildest dreams that it can't be set up in legacy-boot mode. I've done enough of these that I don't usually bother to RTFM, it's normally pretty obvious what needs to be set and how once I get into the "bios" setup dialogs, but this one isn't like any others I've seen.

So, to answer your question directly, I wouldn't worry about it. Get what you want spec-wise; it'll work, I'm sure, it's just that this particular one has me scratching my head.

#8 Post by kmathern » Sun Aug 03, 2014 9:20 pm

Disabling Secure Boot was pretty easy on my Win 8.0 machine. Getting it to boot in a "legacy" mode was more of a problem, mainly because I was unfamiliar with the names of the various options. On my machine the option that makes it boot in a legacy mode is "Launch CSM ..... [ALWAYS]". There's a catch though, you can't change the Launch CSM setting until you've disabled Secure Boot.

Here's a YouTube video for my machine on how to disable Secure Boot and change the Launch CSM setting: https://www.youtube.com/watch?feature=p ... nG4zMdrHKs (I found that video about a month after I really needed it)


For the ASUS A55BM-E there's an online manual here: http://www.manualslib.com/manual/565348 ... ml?page=63. I think the Secure Boot "[Other OS]" setting disables Secure Boot. Then you can go up to the CSM [Compatibility Support Module] setting and enable it.

#9 Post by uncle mark » Sun Aug 03, 2014 9:42 pm

kmathern wrote: For the ASUS A55BM-E there's an online manual here: http://www.manualslib.com/manual/565348 ... ml?page=63. I think the Secure Boot "[Other OS]" setting disables Secure Boot. Then you can go up to the CSM [Compatibility Support Module] setting and enable it.
Yup. That's it exactly. Two things threw me. One, on the screen where those choices are available, you have to scroll down to see them. Not used to scrolling in a "bios" setup screen. The other is the terminology -- CSM is a new one on me.

#10 Post by BitJam » Sun Aug 03, 2014 9:55 pm

@peregrine, for UEFI hardware to be "Windows Ready" on x86 and x86-64 (but not ARM), the user must be able to disable secure boot and get to legacy mode. Apparently, having these options easy to find is optional. Until this policy changes almost any motherboard should work.
