Disabling boot-time security: lines to not cross

Let’s assume that we are on a platform which actually allows booting unsigned operating systems. What bad things can such a platform still do to the user?

The most ubiquitous issue is reminding the user at each boot that their device has a reduced security policy.

Such a tamper-evident mechanism annoys users and is ineffective in practice. Having device encryption turned on and tied to a TPM provides that same property just as well.

After setting the security policy once, the device should behave just as before (one exception might be DRM turned off).

There are multiple variants of devices which don’t respect that rule:

  • On the Surface product line, a red banner is shown at the top of the screen during boot.

That doesn’t provide protection, as conventionally under Windows OSes, user space is not covered by code signing. As such, with Secure Boot on, an OS can still be loaded from a USB stick without relaxing the Secure Boot settings.

This provides a false sense of security. TPMs can be used to secure the boot chain instead; they do not rely on Secure Boot beyond the UEFI firmware itself being loaded (given a proper PCR configuration).

  • On some Android devices, a warning is shown on each boot, with a countdown before it continues booting.

This is an inconvenience which isn’t only visual, because it slows boot by 5 seconds. The boot experience is not the same between a locked and an unlocked device.

The even bigger problem is the data wipe during boot loader unlock, which adds a lot of friction to the unlock process. You already have to allow boot loader unlocking in the developer settings, so why add a data wipe as part of the actual unlock? This is user-hostile.

  • On Chrome OS devices, a warning is shown on each boot, with a “space button to recovery” option.

Same comment as above for Android.

PCs allow setting a new Secure Boot root of trust with its own keys. Apple Silicon Macs allow enrolling one specific executable per volume which can be run as an unsigned kernel, with authentication beforehand.

On quite a few mobile devices, this choice isn’t present: only fully locked or fully unlocked is possible.
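To make the earlier point concrete, that a disk encryption key sealed to TPM PCR values covers the whole boot chain regardless of whether Secure Boot is on, here is a small software model of TPM 2.0 measured boot. This is an added example written for this post, not code from any device vendor; the boot component blobs, the `SecureBoot=` policy string and the disk key are constructed stand-ins, and `seal`/`unseal` compare the PCR directly where a real TPM would use a PCR policy digest.

```python
import hashlib
from typing import List, Optional, Tuple

# Added example: a software model of TPM 2.0 measured boot (SHA-256 PCR bank).
# All blobs below are constructed stand-ins, not real firmware images.

PCR_SIZE = 32
PCR_INITIAL = b"\x00" * PCR_SIZE  # PCRs 0-16 reset to all-zero at power-on


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one bank: PCR_new = H(PCR_old || digest)."""
    assert len(pcr) == PCR_SIZE and len(digest) == PCR_SIZE
    return hashlib.sha256(pcr + digest).digest()


def replay_boot(components: List[Tuple[str, bytes]]) -> bytes:
    """Fold a boot sequence into one PCR value.

    Each stage measures (hashes) the next stage and extends the PCR before
    handing over control. Order matters: swapping two stages changes the
    result even when the set of blobs is unchanged.
    """
    pcr = PCR_INITIAL
    for _name, blob in components:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def seal(key: bytes, pcr: bytes) -> Tuple[bytes, bytes]:
    """Bind a key to a PCR value (simplified: a real TPM seals to a policy digest)."""
    return key, pcr


def unseal(sealed: Tuple[bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Release the key only if the current PCR equals the sealed-to value."""
    key, expected = sealed
    return key if current_pcr == expected else None


# Constructed boot chain: the Secure Boot setting is just one more measured input.
SECURE_BOOT_OFF = b"SecureBoot=0"
SECURE_BOOT_ON = b"SecureBoot=1"
FIRMWARE = b"uefi-firmware-v1"
BOOTLOADER = b"shim+grub-v1"
KERNEL = b"custom-unsigned-kernel"


def boot_chain(policy: bytes, bootloader: bytes = BOOTLOADER,
               kernel: bytes = KERNEL) -> List[Tuple[str, bytes]]:
    return [("firmware", FIRMWARE), ("sb-policy", policy),
            ("bootloader", bootloader), ("kernel", kernel)]


DISK_KEY = hashlib.sha256(b"constructed-disk-key").digest()  # placeholder key


def enrol_policy_once() -> Tuple[bytes, bytes]:
    """One-time step when the user turns Secure Boot off: re-seal to the new PCR."""
    return seal(DISK_KEY, replay_boot(boot_chain(SECURE_BOOT_OFF)))


def attempt_boot(sealed: Tuple[bytes, bytes], chain: List[Tuple[str, bytes]]) -> str:
    """Outcome of every later boot: transparent if unchanged, refused if tampered."""
    return "unsealed" if unseal(sealed, replay_boot(chain)) else "refused"


if __name__ == "__main__":
    sealed = enrol_policy_once()
    # Same chain as enrolled: the key is released with no banner and no countdown.
    print(attempt_boot(sealed, boot_chain(SECURE_BOOT_OFF)))
    # A replaced bootloader changes the PCR, so the key stays sealed.
    print(attempt_boot(sealed, boot_chain(SECURE_BOOT_OFF, bootloader=b"tampered-loader")))
    # Flipping the Secure Boot setting is itself a measured change.
    print(attempt_boot(sealed, boot_chain(SECURE_BOOT_ON)))
```

The point the model makes is that the tamper evidence lives in the measurements, not in the Secure Boot flag: after the user changes the policy once and re-seals, every unchanged boot is indistinguishable from before, while any change to a measured component, including flipping the policy back, denies the key.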
