Pureboot attacks

Hi all,

I wanted to know if there were any attacks possible in PureBoot. I’m sure there are some vulnerabilities, just like any other software/firmware.

I have seen online that some people or forums bag PureBoot compared to UEFI BIOS, but I am a believer in FOSS. I own a Librem 14 with PureBoot, QubesOS and love it.

So what actual attacks are possible against PureBoot? Is it more secure than traditional BIOS?
Can attacks be done remotely?
How can you reduce the chances against boot attacks?
With boot attacks does it come down to physical security?

Thanks, looking forward to answers and opinions.

Well, yes, it is always possible that there are bugs. If there were known bugs, they are likely to get fixed.

Once you admit the possibility of bugs, you can’t make a theoretical comparison of security because anything can be completely flawed if it has bugs. (For example, advocates of a trusted boot path would have to admit that you no longer have any such thing as a trusted boot path if there is a bad enough bug in the code that implements it.)

I don’t think bugs are a very profitable avenue to discuss since bugs are by definition unintentional (except when they are intentional :wink:) and have no bound on how severe they are in their effect.

People bagging it out in that way are probably advocating for a trusted boot path i.e. you can only run software that some Big Tech company or companies somewhere in the world decide you can run - or, even worse, on top of that, your government using leverage over said Big Tech company or companies therefore also decides what you can and cannot run.

So it comes down to wanting freedom and control over your own life … or not.

There is definitely a theoretical discussion to be had on this issue (trusted boot path) but if a trusted boot path is incompatible with your values then there is no discussion to be had.

PureBoot with a Librem Key is a philosophically different approach. It should offer the same level of integrity as a trusted boot path - but it puts the control and responsibility onto the customer. Instead of Big Tech companies signing things, you do.

I think someone would have to demonstrate an actual attack, which would make for a concrete discussion. I dare say that if there were known remote attacks, they would get fixed very quickly.

Remote attacks are difficult against the early boot process because the network isn’t even up (depending of course on what you mean by “remote” - I mean a nearby attacker might have more success against Bluetooth if you choose to enable Bluetooth in the early boot - as you may have to do if you have a Bluetooth keyboard).

There is a whole range of concerns about Intel’s homunculus CPU that might allow network attacks (remote attacks) before the computer even boots. Those concerns would seriously undermine all approaches to boot security - so I believe that the Librem 14 (and other Purism laptops) would leave that Ethernet unconnected and have a separate Ethernet for actual use.

My guess is that eventually Intel will extend those concerns to wireless networking.

For the Librem 14, yes. Someone with physical access can change the firmware. Someone with physical access to the Librem Key can presumably do bad things to it. So you should retain custody of your devices at all times.

It is usually the case that someone with physical access will find a way to compromise your computer.

2 Likes

Thank you for your detailed and long response, @irvinewade. You have cleared up a lot of FUD for me.

Also, if you did not get the anti-interdiction service, how could you confirm there was no attack made? And if the device was compromised, would downloading PureBoot and re-flashing be enough?

Only if you trust the BIOS.

Obviously it is assumed that you have another computer that is not compromised and which you can use to download PureBoot or anything else.

For most threats, reflashing would be enough.

Depending on your threat model, it may be better to download PureBoot well in advance of needing it.

The truly paranoid might reflash directly using a suitable hardware device.

1 Like