[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[libreplanet-discuss] FWD: Linux UEFI TPM 2.0 security impacts etc

From: A. Mani
Subject: [libreplanet-discuss] FWD: Linux UEFI TPM 2.0 security impacts etc
Date: Sun, 25 Oct 2015 03:04:21 +0530

Forwarding two posts by Guido Stepken in Ubuntu G+ community for discussion


Linux UEFI TPM 2.0 security impacts

The "security chain" begins with one or more TPM 2.0 "Endorsement
Keys" (EK), that are stored on the motherboard and that cannot be
overwritten without "allowance" by either the owner (hardware
manufacturer) or somebody, that is "higher" in key hierarchy, such as
Microsoft or U.S. government authorities.

Key Exchange Keys (KEK) establish a trust relationship between the
operating system and the platform firmware. Each operating system (and
potentially each 3rd party application, that needs to communicate with
platform firmware) enrolls a public key (KEKpub) into the platform

When your hardware comes "Windows Certified", the "Endorsement Key"
already is initialized, is signed by Microsoft and U.S. authorities.

"Windows certified" here automatically means "NSA backdoor" included
and activated in all encryption modules.

Hardware encryption on newer INTEL Xeon machines, at boot, load those
key rings from UEFI tables into processor buffer. From then on, the
CPU hardware encrypts everything with Microsoft and U.S. authorities
keys being enclosed in the key ring, independent of used operating

And surprisingly, it depends on your compiler settings, if your
software then uses "hardware accelerated encryption" (fast, but
unsafe, since NSA key ring is enclosed) or pure (slower, but NSA
safe!) "software encryption". But you have to make sure, that your
software encryption libraries do not load Endorsement Keys from UEFI
tables. In Red Hat Linux, they do. Red Hat binaries are closed source,
can not be rebuilt from src.rpm files.

So everything, that is encrypted on your Windows or Red Hat Linux
machine, has a backdoor for U.S. authorities. SSLv2, SSLv3 data,
OpenVPN transfers included. On Debian / UBUNTU / FreeBSD / OpenBSD it
depends on compiler settings and CPU type used.

On modern INTEL Xeon processors, using "hardware acceleration" at
compile time, it automatically generates U.S. backdoors in all kinds
of encryption. Note: Independent of OS used!!!

Using software encryption sometimes does not help, since a "secure
tunnel" (e.g. to your bank) is built up with help of your own key ring
and the bank's key ring.
Since your bank's key ring always is "signed" by U.S. authorities,
they automatically can decode all your SSL traffic.

Note: SSL traffic between two partners can be decoded, when key from
only one side is known!

Cisco routers, Akamai silent proxies - globally - do a "full take" of
all traffic around the world that finally is stored and automatically
decoded, read by N.S.A.

There simply is no secrecy/privacy any longer. Even THREEMA isn't safe
any longer, because now hardware encryption processor instructions in
INTEL XEON processors automatically include the NSA key.

Pretending to "fight terrorism", U.S.A. is spying everywhere to gain
strategical advantage over markets, industries, economies, banks,
countries, foreign politicians. See Erdogan / J. Tymoshenko phone
disclosures, "Edathy case", Merkel mobile spying, Snowden reports
about CIA and a swiss banker or BNP Paribas 9 billion "punishment":

With Linux kernel 4.2, around 100 UEFI / encryption / key signing /
key revocation functions have been added, that give U.S. authorities
absolute control over "secure boot" - Linux kernel and drivers, all
hardware (in processor) encryption and also about what (signed)
software is allowed to run on your machine.

In Red Hat Linux that is already included! See:

Also see EDKII specifications:

Finally, they will charge you even for free and open source software,
that only can be installed and started when "U.S. certificate" tax
($99 per software version) is properly paid to Verisign / Microsoft /
Symantec owners.

So, "uncertified" Linux kernels won't run on on "Windows certified"
UEFI hardware any longer. And Microsoft / Verisign, in future, simply
won't sign Linux kernels or drivers, that do not have TPM 2.0 and
hardware encryption included and activated!!!

It's time for a "Windows / NSA uncertified" label! Get rid of UEFI,
TPM 2.0, use LinuxBIOS (aka Coreboot aka SeaBIOS), exclusively, that
automatically comes with Google Chromebooks, Chromeboxes.

Btw: Docker is based on QEMU:

Don't use new INTEL XEON processors!!! They're coming with NSA keys
included in their hardware encryption module!!!

If unsure, use own, pure software encryption!

List of hardware supporting Coreboot is available here:

Interestingly, UEFI "secure boot" doesn't make computers more secure.
They are still vulnerable to runtime attacks, e.g. buffer overflows,
stack/heap overflows. These mechanisms only prevent, that "U.S.
uncertified" ($99 per certificate!) software cannot be started any

Thanks for understanding!


Another good reason to use UBUNTU

Red Hat, unlike UBUNTU, has a PKI (Public Key Infrastructure) on
board. Not only all encryption modules have U.S. controlled backdoors,

They also may revoke Linux boot loader UEFI certificates any time,
they want! Sources are closed. Not included in RedHat or Fedora source
.src.rpm files.

U.S. certification authorities, e.g. Symantec, as well as Microsoft,
Red Hat, CISCO have same "top institutional holders". In fact, it's
one organisation, owned by same U.S. hedge funds:

Their biggest customer(s) are NSA and U.S. gov. These U.S. companies
or U.S. authorities may revoke any UEFI Linux boot signature, any time
they want. Same for CISCO routers VPN (tunnel) encryption.

Never, ever believe, that your Red Hat or Microsoft Windows 10 "UEFI
dual boot" computer or VPN encryption keys would be under your
control. Its certificates already could have been revoked without
telling you. Try to reboot and your computer hangs. VPN IPsec
infrastructure keys could have been already revoked.

That already happened with some ten thousands of machines with Realtek
drivers, whose network driver certificates were revoked because of
Iran and Stuxnet virus.

In fact, all U.S. software and certification, encryption keys are
under control of "U.S. department of commerce".

"Department of commerce" falls under "U.S. patriot act".

Quote from MS EULA:

"Your Services’ data may be transferred to, stored and processed in
the United States or any other country where Microsoft or its
affiliates, subsidiaries or service providers maintain facilities.
Microsoft abides by the U.S.-EU Safe Harbor Framework and the
U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department
of Commerce regarding the collection, use, and retention of data from
the European Economic Area, and Switzerland."

According to "U.S. patriot act", U.S. government may look into all
your data, either stored in cloud, on your enterprise servers or on
your private desktop. Without asking a judge. Globally.

With installing Red Hat Linux or Windows 10 you are signing a
contract, where you explicitly allow U.S. software companies (and
indirectly U.S. gov.) to look into, to search your private data.

Don't use UEFI computers, don't use Red Hat Linux, don't use Windows
10, don't use U.S. clouds or any U.S. company's services outside
U.S.A. These automatically fall under "U.S. patriot act".

Thanks for understanding.



A. Mani

Prof(Miss) A. Mani

reply via email to

[Prev in Thread] Current Thread [Next in Thread]