As Ars Technica, Binarly, and others have reported, UEFI Secure Boot on at least 200 device models from at least 5 major vendors is completely compromised by the leak of their Platform Key. We’ve discussed Secure Boot insecurity before, and it is unlikely that these devices will ever see updates addressing this problem.
PureBoot is immune to this type of compromise because it does not have centralized signing keys. You do not delegate your security to an authority in PureBoot – you are in control. If your key becomes compromised, you can rotate to a new key at any time.
If this sounds familiar to you, it’s because it is. Last year, MSI’s keys used for Boot Guard were leaked (again reported by Binarly and Ars Technica). Again, this completely compromises UEFI Secure Boot. With this key, an attacker can sign altered firmware as if it had come from MSI. Boot Guard Keys are only programmable once while the system is in manufacturing mode, so there is no way to change them. Those keys are a permanent part of the CPU or PCH.
Second verse, same as the first (with apologies to Herman’s Hermits.)
The Platform Key is, in simple terms, the link in the chain just after the Boot Guard key. There are several links between the Boot Guard root in the hardware and a signed operating system, and every one of them must hold for Secure Boot to be secure. Compromising the Platform Key therefore has the same result as the Boot Guard key leak: with this key, an attacker can sign altered firmware as if it had come from the vendor.
Vendors have no way to revoke or replace these keys. Revocation lists only exist for later links in the chain, and even then they are not effective: an attacker with the ability to alter the installed operating system can often alter firmware too, so they could simply revert to the old, vulnerable firmware. Vendors rarely revoke keys in practice, because doing so would cause widespread breakage for users who hadn’t updated their operating system yet.
UEFI Secure Boot has a long history of failures. This isn’t a series of independent problems; it’s the inevitable result of a system using centralized signing keys.
To do better, we must eliminate centralized signing keys. You, or your IT team, should be in control of your signing keys, not a large centralized third-party vendor. PureBoot uses a signing key controlled by you and stored on your Librem Key. If you purchase a Purism device with the PureBoot Bundle or anti-interdiction, we prepare an individual signing key for you, which you can then replace with your own key upon receiving the device.
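To make the difference concrete, here is a small model of an owner-rooted boot chain of the kind described above. It is an added illustration written for this post, not PureBoot or Heads code (those use GPG and a Librem Key; the Ed25519 keys, the `OwnerKey` type and the sample boot files here are constructed stand-ins). It signs a manifest of boot-file digests with a key the owner holds, rejects a tampered kernel, and shows that rotating the root key is a local decision: after rotation, signatures from the old key stop verifying, which is exactly what a vendor with a fused Boot Guard key or a leaked Platform Key cannot do.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// bootFiles stands in for the contents of /boot. Constructed sample data,
// not real kernel or initramfs images.
var bootFiles = map[string][]byte{
	"/boot/vmlinuz":    []byte("constructed kernel image"),
	"/boot/initrd.img": []byte("constructed initramfs"),
	"/boot/grub.cfg":   []byte("constructed boot config"),
}

// Manifest lists every boot file with its SHA-256 digest in sorted order, so
// the serialized form is deterministic and can be signed and re-derived.
func Manifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// OwnerKey models the signing key the device owner holds (hypothetical type;
// in PureBoot this role is played by a GPG key on the Librem Key).
type OwnerKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewOwnerKey generates a fresh key pair; the owner can do this at any time.
func NewOwnerKey() OwnerKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return OwnerKey{Pub: pub, priv: priv}
}

// Sign produces a detached signature over the manifest text.
func (k OwnerKey) Sign(manifest string) []byte {
	return ed25519.Sign(k.priv, []byte(manifest))
}

// Verify re-computes the manifest from the files present at boot and checks
// the stored signature against the root key the owner enrolled.
func Verify(root ed25519.PublicKey, files map[string][]byte, sig []byte) bool {
	return ed25519.Verify(root, []byte(Manifest(files)), sig)
}

// Result records the outcome of each boot attempt in the scenario below.
type Result struct {
	GoodBoot, TamperedBoot, OldKeyAfterRotation, NewKeyAfterRotation bool
}

// Scenario walks through a clean boot, a tampered kernel, and a key rotation.
func Scenario() Result {
	var r Result
	owner := NewOwnerKey()
	trustedRoot := owner.Pub // enrolled by the owner, not burned in by a vendor
	sig := owner.Sign(Manifest(bootFiles))
	r.GoodBoot = Verify(trustedRoot, bootFiles, sig)

	// An attacker replaces the kernel; the manifest no longer matches.
	tampered := make(map[string][]byte, len(bootFiles))
	for n, c := range bootFiles {
		tampered[n] = c
	}
	tampered["/boot/vmlinuz"] = []byte("constructed altered kernel")
	r.TamperedBoot = Verify(trustedRoot, tampered, sig)

	// Rotation: the owner enrolls a new root. Anything signed by the old key
	// (leaked or not) is rejected from this point on.
	newOwner := NewOwnerKey()
	trustedRoot = newOwner.Pub
	r.OldKeyAfterRotation = Verify(trustedRoot, bootFiles, sig)
	r.NewKeyAfterRotation = Verify(trustedRoot, bootFiles, newOwner.Sign(Manifest(bootFiles)))
	return r
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The point of the model is the line `trustedRoot = newOwner.Pub`: the trust anchor is data the owner can replace, so a compromised key is a maintenance event rather than a permanent loss. With a key fused into the PCH, or a vendor Platform Key that no revocation list reaches, there is no equivalent step.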
Model | Status | Lead Time
---|---|---
Librem Key (Made in USA) | In Stock ($59+) | 10 business days
Librem 5 | In Stock ($699+) 3GB/32GB | 10 business days
Librem 5 COMSEC Bundle | In Stock ($1299+) Qty 2; 3GB/32GB | 10 business days
Liberty Phone (Made in USA Electronics) | Backorder ($1,999+) 4GB/128GB | Estimated fulfillment February
Librem 5 + SIMple (3 GB Data) | In Stock ($99/mo) | 10 business days
Librem 5 + SIMple Plus (5 GB Data) | In Stock ($129/mo) | 10 business days
Librem 5 + AweSIM (Unlimited Data) | In Stock ($169/mo) | 10 business days
Librem 11 | In Stock ($999+) 8GB/1TB | 10 business days
Librem 14 | Backorder ($1,370+) | Estimated fulfillment December
Librem Mini | Backorder ($799+) | 10 business days
Librem Server | In Stock ($2,999+) | 45 business days