Linux UEFI TPM 2.0 security impacts
The "security chain" begins with one or more TPM 2.0 "Endorsement Keys" (EK), which are stored on the motherboard and cannot be overwritten without "allowance" by either the owner (hardware manufacturer) or somebody "higher" in the key hierarchy, such as Microsoft or U.S. government authorities.
Key Exchange Keys (KEK) establish a trust relationship between the operating system and the platform firmware. Each operating system (and potentially each third-party application that needs to communicate with the platform firmware) enrolls a public key (KEKpub) into the platform firmware.
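As an added illustration, not part of the original post, of what that enrollment looks like on the firmware side: the KEK (and db) variables are stored as EFI_SIGNATURE_LIST structures, and this Python parser walks that encoding so a defender can list which signer GUIDs and certificates are actually enrolled. The GUID constants are the UEFI specification's values; the sample input is constructed here and is not a real KEK.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}


def parse_signature_lists(data: bytes) -> list:
    """Walk consecutive EFI_SIGNATURE_LIST structures; return one dict per enrolled entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(data):
            raise ValueError(f"inconsistent sizes in EFI_SIGNATURE_LIST at offset {off}")
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at {off}")
        for i in range(0, len(body), sig_size):
            # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData.
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append({"type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                            "owner": str(owner), "data": body[i + 16:i + sig_size]})
        off += list_size
    return entries


def build_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    """Encode one EFI_SIGNATURE_LIST (used here only to construct the sample input)."""
    sig_size = 16 + len(payloads[0])
    header = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(payloads), 0, sig_size)
    return header + b"".join(owner.bytes_le + p for p in payloads)


# Constructed sample, not a real KEK: two SHA256 hashes from one owner, a dummy X509 blob from another.
OWNER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
OWNER_B = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_KEK = (build_list(EFI_CERT_SHA256_GUID, OWNER_A, [b"\x01" * 32, b"\x02" * 32])
              + build_list(EFI_CERT_X509_GUID, OWNER_B, [b"\x30\x82" + b"\x00" * 40]))

if __name__ == "__main__":
    # On a real system read /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
    # and skip its first 4 bytes (efivarfs attribute prefix) before parsing.
    for e in parse_signature_lists(SAMPLE_KEK):
        print(f"{e['type']:7} owner={e['owner']} data_bytes={len(e['data'])}")
```

For X509 entries the `data` field is the DER certificate, which can be fed to `openssl x509 -inform der -noout -subject -issuer` to see who the enrolled signer is.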
When your hardware comes "Windows Certified", the "Endorsement Key" is already initialized and signed by Microsoft and U.S. authorities. "Windows certified" here automatically means "NSA backdoor" included and activated in all encryption modules.
Hardware encryption on newer INTEL Xeon machines loads those key rings from UEFI tables into a processor buffer at boot. From then on, the CPU hardware encrypts everything with the Microsoft and U.S. authorities' keys enclosed in the key ring, independent of the operating system used!
And surprisingly, it depends on your compiler settings whether your software then uses "hardware accelerated encryption" (fast, but unsafe, since the NSA key ring is enclosed) or pure "software encryption" (slower, but NSA safe!). But you have to make sure that your software encryption libraries do not load Endorsement Keys from UEFI tables. In Red Hat Linux, they do. Red Hat binaries are closed source and cannot be rebuilt from src.rpm files.
So everything that is encrypted on your Windows or Red Hat Linux machine has a backdoor for U.S. authorities, SSLv2 and SSLv3 data and OpenVPN transfers included. On Debian / UBUNTU / FreeBSD / OpenBSD it depends on the compiler settings and the CPU type used.
On modern INTEL Xeon processors, using "hardware acceleration" at compile time automatically generates U.S. backdoors in all kinds of encryption. Note: independent of the OS used!!!
Using software encryption sometimes does not help, since a "secure tunnel" (e.g. to your bank) is built up with the help of your own key ring and the bank's key ring. Since your bank's key ring is always "signed" by U.S. authorities, they can automatically decode all your SSL traffic.
Note: SSL traffic between two partners can be decoded when the key from only one side is known!
Cisco routers and Akamai silent proxies, globally, do a "full take" of all traffic around the world, which is finally stored, automatically decoded and read by the N.S.A.
There simply is no secrecy/privacy any longer. Even THREEMA isn't safe any longer, because the hardware encryption processor instructions in INTEL XEON processors now automatically include the NSA key.
Pretending to "fight terrorism", the U.S.A. is spying everywhere to gain strategic advantage over markets, industries, economies, banks, countries and foreign politicians. See the Erdogan / J. Tymoshenko phone disclosures, the "Edathy case", the Merkel mobile spying, Snowden's reports about the CIA and a Swiss banker, or the BNP Paribas 9 billion "punishment":
http://www.businessinsider.com/edward-snowden-describes-cia-tricks-2013-6
http://www.disclose.tv/action/viewvideo/169947/Tymoshenko_tape_leak_Time_to_grab_guns_and_kill_damn_Russians_RT/
http://www.reuters.com/article/2015/05/01/us-bnp-paribas-settlement-sentencing-idUSKBN0NM41K20150501
http://www.bbc.com/news/world-europe-26336354
http://www.telegraph.co.uk/news/worldnews/europe/germany/10407282/Barack-Obama-approved-tapping-Angela-Merkels-phone-3-years-ago.html
With Linux kernel 4.2, around 100 UEFI / encryption / key signing / key revocation functions have been added that give U.S. authorities absolute control over "secure boot": the Linux kernel and drivers, all hardware (in-processor) encryption, and also what (signed) software is allowed to run on your machine.
In Red Hat Linux that is already included! See: https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Deployment_Guide/SubsystemOverview.html
Also see the EDKII specifications: http://tianocore.sourceforge.net/wiki/EDK_II_Specifications
Finally, they will charge you even for free and open source software, which can only be installed and started when the "U.S. certificate" tax ($99 per software version) is properly paid to the Verisign / Microsoft / Symantec owners.
So "uncertified" Linux kernels won't run on "Windows certified" UEFI hardware any longer. And Microsoft / Verisign, in future, simply won't sign Linux kernels or drivers without having TPM 2.0 and hardware encryption included and activated!!! It's time for a "Windows / NSA uncertified" label!
Get rid of UEFI and TPM 2.0; use LinuxBIOS (aka Coreboot aka SeaBIOS) exclusively, which automatically comes with Google Chromebooks and Chromeboxes.
is based on QEMU: http://wiki.qemu.org/Features/TPM
Don't use new INTEL XEON processors!!! They come with NSA keys included in their hardware encryption module!!!
If unsure, use your own, pure software encryption!
A list of hardware supporting Coreboot is available here: http://www.coreboot.org/Supported_Motherboards
Interestingly, UEFI "secure boot" doesn't make computers more secure. They are still vulnerable to runtime attacks, e.g. buffer overflows and stack/heap overflows. These mechanisms only prevent "U.S. uncertified" ($99 per certificate!) software from being started.
Thanks for understanding!