My new Microsoft Surface Book lets me switch to 3rd-party CAs or even none at all, with no problem. This sounds like a Lenovo issue.
On top of that, I would prefer it if my machine is, by default, in a secure configuration when I buy it. Since the laptops come with Windows pre-installed and Microsoft-signed bootloaders, it is fundamentally more secure than if the 3rd-party CAs are enabled. I don’t want an attacker chain loading Linux and KVM beneath my Windows OS.
>I don’t want an attacker chain loading Linux and KVM beneath my Windows OS.
If your Windows install was protected by Bitlocker, and the decryption key was stored in the TPM, and the TPM was set up to require attestation to unseal the key, then such chainloading wouldn't be an issue. (This is also explained in the article.)
BTW, the default for the firmware interface is that it is not password-protected, so even this particular Lenovo device is vulnerable to the evil maid attack you're describing in its "default secure configuration", because the maid can just toggle that option to enable the UEFI CA, or even disable SB entirely. Unless Lenovo is planning to make the UEFI password a required step in their purchase order process, you can expect that the default configuration is going to be an unprotected UEFI. That's why the way to resolve the threat is not to prevent other bootloaders, but to prevent them from reading the data on disk.
> It is still an issue. A different OS could load and mimic the normal boot procedure to steal any credentials entered.
What credentials? The bitlocker key is in the TPM. It's not something a human can enter.
>Also, the whole scenario you depict is quite unreasonable to expect of a default install - which is exactly what is being talked about.
I'm confused. Are you referring to the scenario of the Windows install with the bitlocker key in the TPM, or the scenario of the evil maid attack? The former is already how Windows works by default, and the latter is precisely the scenario that helloooooooo was talking about, so I'm not sure which one you're calling unreasonable.
Not really; most people unlock Bitlocker via TPM, that's why a shitton of people don't even realize they have it. If the TPM doesn't give up the key, you are asked for the _recovery key_, not a passphrase.
And the fact they have no clue what the "recovery key" is, that is how most people realize they had Bitlocker on...
MS actually keeps a copy of _your_ PC's recovery key on their servers when you install Windows; that's one of the official reasons they have for requiring a MS account when you set Windows up: so that they can store your recovery key for you and give it back to you if you ask nicely. (Moral implications of this best left for another discussion.) This is for the personal editions of Windows; in the business editions of Windows, your IT (via ActiveDirectory) will store your recovery key for you.
I know. So walk me through it, you turn on the machine. Windows boots, you are greeted with a login/password prompt. The user enters their password and now typically have access to everything of value on that machine.
You don't have anything of value on that machine, at least not yet. The user entered their Windows login creds into the fake prompt, but the Windows partition itself is still encrypted.
Now, if this is a Microsoft account whose login creds you've stolen, and if the user doesn't have 2FA set up on their account / you are in a position to manipulate them into allowing the 2FA, then yes you can get into their Microsoft Account and access the data there. And if the recovery key is easily extractable from there as AshamedCaptain said in their comment, then yes you have access to the encrypted disk too. And of course if they reused those creds on other websites you have those too, yada yada.
But still, we are still talking about default configurations, right? You still haven't addressed my point that this evil maid attack already works on any machine where the UEFI isn't password-protected by default.
... or you can just login on the device itself.
(which I certainly hope doesn't require today's crappy 2FA to work (unless you have something like a yubikey))
Yes, that is still an issue - for now. Which is arguably why these steps are being made. To close that hole one step at a time.
So just to be clear, the hole you're hoping to be closed is not Lenovo's "Allow UEFI CA" checkbox. The hole you're hoping to be closed is a) the ability to change the CAs at all, and b) the ability to disable SB. In other words you're hoping for hardware that can only boot Windows in perpetuity, nothing else.
It's fine if that's what you're hoping for, but I just want you to be aware of that in case you weren't already.
But I do think it is reasonable for a "windows PC" (one where the device is sold with windows preinstalled) to only be able to boot windows by default. As that is what will benefit the absolute vast majority of users (though to be fair, there is plenty of lower-hanging fruit than the boot process for most users).
But it is wholly unreasonable for the owner of the PC not to be able to disable that by themselves (without internet access or anything). If the solution to that is to require a UEFI password to be set up (perhaps windows could set the UEFI password to the same as the main user's if it hadn't already been set) - and resetting the UEFI password would wipe any encryption keys in the TPM - that is fine (as long as the option to reset the UEFI password exists).
And further, not allowing the owner the control to dual-boot windows and any other OS is also wholly unreasonable (but I'm fine with the owner having to enable it in UEFI first).
Can I hope for it? Would put an end to the "slapping Linux on a Windows box and complaining about how it doesn't work right" nonsense. (Probably in the bad way, and almost certainly with massive damage to the wider x86 hardware market, but still....)
One of the things Apple did kinda right was forcing you to buy Apple hardware to run OSX. It would be deeply ironic of Microsoft to cause the same end effect by locking Linux _out_ of all the Windows computers.
That is highly unlikely. The default configuration with a password includes a verification with the TPM. So the process is like this:
power on -> BitLocker asks for password -> password unlocks the TPM -> TPM does its boot verification -> TPM releases the encryption key -> you can boot into win
If you're on a win home installation the password thing isn't even an option, you just get boot verification and have to retrieve the recovery key from your microsoft account if TPM trips (imo somewhat questionable by MS).
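As an added illustration (not from any commenter in this thread) of the point made earlier about a TPM-sealed BitLocker key and the boot sequence just described: a PCR can only be extended, never set, so a chain that runs an extra loader before the Microsoft binaries ends up with a different PCR value and the TPM refuses to unseal, which is when the recovery key prompt appears. The TPM model, component bytes and function names below are constructed for the example; a real BitLocker TPM protector binds to specific PCRs (PCR 7, the Secure Boot policy measurement, on UEFI systems) rather than the single PCR modelled here.

```python
import hashlib
from typing import List, Optional, Tuple

# Model of one TPM PCR (SHA-256 bank). A PCR starts at zero and can only be
# extended: new = SHA256(old || SHA256(component)). There is no "set" operation,
# so the final value commits to every component measured, in order.
PCR_INIT = b"\x00" * 32

def extend(pcr: bytes, component: bytes) -> bytes:
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def boot_pcr(components: List[bytes]) -> bytes:
    """PCR value after measuring each boot component in order."""
    pcr = PCR_INIT
    for c in components:
        pcr = extend(pcr, c)
    return pcr

# A sealed object: the TPM only releases the secret if the current PCR equals
# the value recorded at sealing time (a model of a PCR-bound unseal policy).
SealedBlob = Tuple[bytes, bytes]

def seal(secret: bytes, pcr_at_seal_time: bytes) -> SealedBlob:
    return (pcr_at_seal_time, secret)

def unseal(blob: SealedBlob, current_pcr: bytes) -> Optional[bytes]:
    expected, secret = blob
    return secret if current_pcr == expected else None  # None -> recovery key prompt

# Constructed sample boot chains (placeholder bytes standing in for real binaries).
FIRMWARE = b"OEM UEFI firmware image (constructed)"
BOOTMGR = b"Microsoft-signed bootmgr.efi (constructed)"
WINLOAD = b"Windows OS loader (constructed)"
FOREIGN_LOADER = b"third-party loader that chainloads Windows (constructed)"

VOLUME_KEY = b"\x11" * 32  # stands in for the BitLocker volume master key

def trusted_boot_pcr() -> bytes:
    return boot_pcr([FIRMWARE, BOOTMGR, WINLOAD])

def chainloaded_boot_pcr() -> bytes:
    # Same Microsoft binaries, but something else ran first and was measured too.
    return boot_pcr([FIRMWARE, FOREIGN_LOADER, BOOTMGR, WINLOAD])

def bitlocker_unseal_under(chain_pcr: bytes) -> Optional[bytes]:
    """Seal the key on the owner's normal boot, then try to unseal under chain_pcr."""
    blob = seal(VOLUME_KEY, trusted_boot_pcr())
    return unseal(blob, chain_pcr)
```

The TPM-only protector therefore does not stop a foreign loader from running; it stops that loader from obtaining the volume key, which is the point about protecting the data on disk rather than the boot path.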
Yes an attacker still could. BitLocker is handled within Microsoft binaries in the windows EFI partition. I believe it is specifically bootmgr.efi.
You can still chain load up windows on KVM at this point, however getting the Windows partition decrypted may be difficult and requires faking up a few TPM measurements.
Lenovo locks down hardware. I tried to upgrade the WiFi card in my Yoga 2 and got an "unauthorized hardware" message from the UEFI and it refused to boot until I removed the hardware.
I would not at all be surprised if they're just overreaching.