Hello Sami, it was a great session, but I have some additional questions to it, could you please reply?
1. You have mentioned that for W8.1 with SecureBoot you recommend using Bitlocker TPM + NO PIN. But also with enabled Secureboot I am still able to boot minilinux from USB – so I can read the content of frozen memory. Or did you have something other in mind when you were describing this cold boot attack, which was not possible to proceed with SecureBoot?
2. You have also recommended to enable hibernation on close lid action via GPO, but when I follow recommendation W8.1 – Secureboot and NO PIN -> is hibernation really needed?
Hi Peter,
SecureBoot can block you from booting minilinux. Can you please provide me more specific examples if you can do it. SecureBoot does allow you to change the trusted certificates, so your SecureBoot can by default be a bit more trusting than mine of course. But this can be changed.
I'd say that you don't need to use the hibernate if you don't have or can block the DMA bus and follow all the other recommendations.
Hi Sami,
Now I believe that I see your point... So you mean that I should sign the Windows bootloader with my certificate and set just this certificate in the BIOS as trusted? Or set just the Microsoft certificate as trusted?
Thank you
I'm rather saying that you can get rid of extra trusted certs. SecureBoot uses a multi-level trust hierarchy that can be altered in many ways.
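An added audit script (mine, not from this thread or from Sami) that checks the points argued above on a Windows 8.1+ UEFI machine: Secure Boot state, which X.509 certificates the firmware's `db` actually trusts (the "extra trusted certs" Sami says can be removed), whether the OS volume's BitLocker protector is TPM-only or TPM+PIN, and whether hibernation is enabled. It assumes an elevated PowerShell with the SecureBoot and BitLocker modules; the EFI_SIGNATURE_LIST layout and the `HibernateEnabled` registry value are assumptions taken from the UEFI spec and Windows documentation, not from the thread.

```powershell
# Added example, not code from the thread. Run elevated on a UEFI system.
$CertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootDbCerts {
    # Walk the EFI_SIGNATURE_LIST entries of a Secure Boot variable (db or dbx)
    # and return every X.509 certificate the firmware trusts (or revokes).
    param([string]$Name = 'db')
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # Header: SignatureType GUID(16), ListSize(4), HeaderSize(4), SignatureSize(4)
        $type     = New-Object System.Guid (,[byte[]]$bytes[$pos..($pos+15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $pos+16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $pos+20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $pos+24)
        if ($listSize -lt 28 -or $sigSize -eq 0) { break }   # malformed list: stop, never spin
        $sigPos = $pos + 28 + $hdrSize
        while ($sigPos + $sigSize -le $pos + $listSize) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER certificate
            if ($type -eq $CertX509Guid) {
                $der  = [byte[]]$bytes[($sigPos+16)..($sigPos+$sigSize-1)]
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject
                                   NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
            }
            $sigPos += $sigSize
        }
        $pos += $listSize
    }
}

function Get-PreBootPosture {
    # Summarise the settings debated above: Secure Boot on, TPM protector, PIN, hibernation.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootOn     = Confirm-SecureBootUEFI
        OsVolumeStatus   = $vol.VolumeStatus
        TpmProtector     = [bool]($types -match '^Tpm')          # Tpm, TpmPin, TpmStartupKey...
        PinRequired      = [bool]($types -match 'Pin')           # TPM+PIN means no auto-unlock
        HibernateEnabled = ($power.HibernateEnabled -eq 1)       # assumption: 1 = enabled
        TrustedX509InDb  = @(Get-SecureBootDbCerts 'db').Count   # more than expected? review them
    }
}

Get-PreBootPosture | Format-List
Get-SecureBootDbCerts 'db' | Format-Table Subject, NotAfter -AutoSize
```

A TPM-only protector with Secure Boot on still unlocks the volume automatically at boot, so the list of `db` certificates is what decides which boot media the firmware will run before Windows; if it contains more than the issuer of your own bootloader, that is the "extra trust" the last reply refers to.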