No Central Signing Keys in PureBoot

As Ars Technica, Binarly, and others have reported, UEFI Secure Boot on at least 200 device models from at least 5 major vendors is completely compromised by the leak of their Platform Key.  We’ve discussed Secure Boot insecurity before, and it is unlikely that these devices will ever see updates addressing this problem.

PureBoot is immune to this type of compromise because it does not have centralized signing keys. You do not delegate your security to an authority in PureBoot – you are in control.  If your key becomes compromised, you can rotate to a new key at any time.

This Sounds Familiar

If this sounds familiar to you, it’s because it is.  Last year, MSI’s keys used for Boot Guard were leaked (again reported by Binarly and Ars Technica).  Again, this completely compromises UEFI Secure Boot.  With this key, an attacker can sign altered firmware as if it had come from MSI.  Boot Guard keys are only programmable once while the system is in manufacturing mode, so there is no way to change them.  Those keys are a permanent part of the CPU or PCH.

Second verse, same as the first (with apologies to Herman’s Hermits).

The Platform Key is, in simple terms, a link in the chain just after the Boot Guard key.  There are several links between the Boot Guard root in the hardware and a signed operating system.  All of those links must hold up for Secure Boot to be secure.  Compromising the Platform Key has the same result as compromising the Boot Guard key: with it, an attacker can sign altered firmware as if it had come from the vendor.

Vendors have no way to revoke or replace these keys.  Revocation lists only exist for later links in the chain, and even then, they are not effective.  An attacker with the ability to alter the installed operating system can often alter firmware too, so they could simply revert to the old, vulnerable firmware.  Vendors rarely revoke keys in practice, because doing so would cause widespread breakage for users who haven’t yet updated their operating system.

Systemic Problems Require Systemic Solutions

Photo of Librem Key inserted into Librem 14, with green LED lit

UEFI Secure Boot has a long history of failures.  This isn’t a series of independent problems; it’s the inevitable result of a system using centralized signing keys.

To do better, we must eliminate centralized signing keys. You, or your IT team, should be in control of your signing keys, not a large centralized third-party vendor. PureBoot uses a signing key controlled by you and stored on your Librem Key.  If you purchase a Purism device with the PureBoot Bundle or anti-interdiction, we prepare an individual signing key for you, which you can then replace with your own key upon receiving the device.
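The difference between a key fixed at manufacturing and a key the owner can replace can be modeled in a few lines. This is an added example, not PureBoot's or Purism's code: `TrustStore`, `Manifest` and `Scenario` are hypothetical names, the file contents are constructed, and Ed25519 stands in for the signing key stored on the Librem Key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// TrustStore is a hypothetical trust anchor: the single public key the verifier accepts.
type TrustStore struct{ key ed25519.PublicKey }

// Rotate replaces the trusted key; a write-once anchor has no equivalent operation.
func (t *TrustStore) Rotate(k ed25519.PublicKey) { t.key = k }

// Manifest hashes each boot file, then hashes the list of digests.
func Manifest(files ...string) []byte {
	h := sha256.New()
	for _, f := range files {
		fmt.Fprintf(h, "%x\n", sha256.Sum256([]byte(f)))
	}
	return h.Sum(nil)
}

// Verify checks sig over the files' manifest against the currently trusted key.
func (t *TrustStore) Verify(sig []byte, files ...string) bool {
	return ed25519.Verify(t.key, Manifest(files...), sig)
}

// Scenario: key A has leaked. canRotate=false models an anchor that cannot be changed.
func Scenario(canRotate bool) (forgedBefore, forgedAfter, resigned bool) {
	pubA, privA, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	pubB, privB, _ := ed25519.GenerateKey(nil) // the owner's replacement key
	store := &TrustStore{key: pubA}
	forged := ed25519.Sign(privA, Manifest("kernel-modified", "initrd")) // signed with leaked key A
	forgedBefore = store.Verify(forged, "kernel-modified", "initrd")
	if canRotate {
		store.Rotate(pubB)
	}
	forgedAfter = store.Verify(forged, "kernel-modified", "initrd")
	resigned = store.Verify(ed25519.Sign(privB, Manifest("kernel", "initrd")), "kernel", "initrd")
	return
}

func main() {
	fmt.Println(Scenario(false)) // fixed anchor: altered files keep verifying
	fmt.Println(Scenario(true))  // owner rotates: old signatures stop verifying
}
```

With the fixed anchor, the signature made with the leaked key verifies both before and after the leak is known; once the owner rotates, only files signed with the new key are accepted.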
