Monday, 14 January 2013

Java Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code

Posted on 16:27 by Unknown

This is an unusually Strong Warning about a Java Vulnerability. Read on...

Don

Vulnerability Note VU#625617

Java 7 fails to restrict access to privileged code

Original Release date: 10 Jan 2013 | Last revised: 14 Jan 2013

Overview

Java 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".

By leveraging the a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected. The invokeWithArguments method was introduced with Java 7, so therefore Java 6 is not affected.

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.

Solution

Read More...
http://www.kb.cert.org/vuls/id/625617

References

Credit

Thanks to Kafeine for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2013-0422
Date Public: 10 Jan 2013
Date First Published: 10 Jan 2013
Date Last Updated: 14 Jan 2013
Document Revision: 107

Posted in | No comments

Friday, 4 January 2013

Coreboot, formerly known as LinuxBIOS - The Solution to the Secure Boot Fiasco

Posted on 17:08 by Unknown

TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco

by Rex Djere on December 29, 2012 · 3 comments

in TLWIR

Summary: Is it possible that the recent attempts to push secure boot onto computer users was a response to the growing hardware vendor support for coreboot back in 2011? This is only speculation on my part, but I suspect that this might be the case. Coreboot is a badly needed solution that can restore freedom to PC users while updating the outdated PC BIOS technology.

What is CoreBoot?
Coreboot is a free software replacement for the BIOS currently found in most computers. It is also a better alternative than UEFI/secure boot because it gives the owner of a computer the freedom to do whatever they want. If you buy a Windows 8 PC with secure boot, AND you want to enable secure boot, you are met with certain restrictions. Secure boot uses public key cryptography to restrict what operating system(s) can boot on a PC with secure boot enabled. The concept behind secure boot is good from a security standpoint, but if you want to use it AND use GNU/Linux, you have to use a cryptographic key signed by Microsoft. Microsoft could revoke this key at any time, effectively giving them the ability to prevent you from using GNU/Linux and secure boot at the same time. NO ONE should be able to dictate to you, the PC owner, what you can or cannot do on your computer system, in my humble opinion. Coreboot offers the same security benefits as secure boot, and it maintains the user’s freedoms.

The “Reddit” Arguments
Read on the Site...

TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco

Why We Need Coreboot
UEF/secure boot supports the effective duopoly that currently exist in PC hardware. AMD and any other company, such as a motherboard manufacturer, who does not get on the UEFI train is effectively locked out. To me, it is pretty clear that UEFI/secure boot encourages those who make a certain set of decisions, and punishes those who make another set of decisions. I won’t spell out all of my conclusions here. However, I came to them by studying the history of EFI and UEFI paying close attention to Apple’s shift from open firmware to UEFI. I looked at who created EFI, who financed EFI, and who stands to gain financially if UEFI/secure boot are implemented on x86 PCs.
In 2011, AMD began to dive deeply into supporting coreboot. On February 28, 2011, they released technical details of source code that AMD released in support of the coreboot project [1]. On May 6, 2011, AMD pledged to support booting with coreboot in all of its future microprocessors [2]. This revolution would have given the average PC user a lot more freedom, and a lot more control, over their computer system. A few months after this revolution started, it was announced that Windows 8 would be released with a version of secure boot that would turn back the hands of time, and greatly restrict what a PC user was able to do. I suspect that AMD’s support of coreboot scared someone. I believe that pressure was applied to AMD to get them to join the UEFI Board of Directors. THe UEFI Board has no members from the Free Software Community [5]:

Intel
Lenovo
AMD
Insyde
American Megatrends
Apple
Dell
IBM
Microsoft

Let us review the various PC firmware systems in the context of Richard Stallman’s Four Essential Freedoms [3]:

Freedom	Firmware
Freedom	coreboot	secure boot	bios
The freedom to run the program, for any purpose.	Yes	No	Yes
The freedom to study how the program works, and change it so it does your computing as you wish.	Yes	No	No
The freedom to redistribute copies.	Yes	No	No
The freedom to distribute copies of your modified versions to others.	Yes	No	No
*Based on outdated technology.	No	No	Yes

Table 1: The PC Firmware Freedom Matrix *Not one of the four essential freedoms.
Table 1 clearly shows that coreboot best protects the freedoms of the PC user. Now, let us revisit the question from earlier: Why in the world would anyone have thought that UEFI/secure boot was a better solution? If you look at Table 1, can anyone give me a rational reason why UEFI/secure boot would be a superior alternative to coreboot? Faster boot time? More secure? Better for the consumer? What was the MOST likely motive for picking secure boot? I would would love to hear any responses to these question in the comments.

What You Can Do
There are at last 2 petitions created to protect the freedoms of PC user, one by the Free Software Foundation, and the other one on WhiteHouse.gov. Signing them would send a powerful message to the PC and motherboard industries that coreboot is a better choice than secure boot.

FSF petition: http://goo.gl/OXba3
White House.gov petition: http://wh.gov/Rt33

Ronald G. Minnich, one of the co-authors of coreboot, has been a vocal opponent of secure boot, as has the Free Software Foundation. Minnich explains coreboot far better than I could in this 2008 video.

Thank you for reading The Linux Week in Review 51!

References
[1]. AMD Guest Blogger. (2011, February 28). Technical details on amd’s coreboot source code release. Retrieved from http://goo.gl/Qd0FE
[2]. Jones, Marc. (2011, may 6). Amd commits to coreboot. Retrieved from http://goo.gl/hOYyP
[3]. Stallman, Richard. (no date). The free software definition. Retrieved from http://goo.gl/8BDDQ
[4]. Linuxbsdos. (2012, November, 21). German govt comes out against Trusted Computing and Secure Boot. Retrieved from http://goo.gl/X12fl
[5]. UEFI. (no date). Uefi – board of directors. Retrieved from http://goo.gl/TD5Ws

Tagged as: bios, coreboot, freedom, secureboot, uefi

Comments

Go there...
http://beginlinux.com/blog/2012/12/tlwir-51-coreboot-the-solution-to-the-secure-boot-fiasco/

coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload.
With the separation of hardware initialization and later boot logic, coreboot can scale from specialized applications that run directly from firmware, run operating systems in flash, load custom bootloaders, or implement firmware standards, like PC BIOS services or UEFI. This allows for systems to only include the features necessary in the target application, reducing the amount of code and flash space required.
coreboot currently supports over 230 different mainboards. Check the Support page to see if your system is supported.
coreboot was formerly known as LinuxBIOS.

Read More...
http://www.coreboot.org/Welcome_to_coreboot

Download coreboot

Jump to: navigation, search

Note: These snapshots are for people, who use Linux as operating system and are able to build software from the source code.
There is no easy to install package for people who want to quickly try out a new BIOS on their computer, yet. However, we provide some images for the QEMU emulator to test coreboot (and some payloads) on your Linux, Mac OS X, and Windows computers (without having to do any hardware changes). But please note that these images can not be used on any mainboard, they will only work in QEMU!

Snapshots

There is an archive of coreboot snapshots available at qa.coreboot.org. A new tar.bz2 file is created whenever the repository changes.

Git

coreboot has switched to using Git for version control. Please see the Git page for much useful information on how to work with Git and gerrit in coreboot.
Old subversion repository references that still apply will continue to be kept here.

Git clone

Go there...
http://www.coreboot.org/Download_coreboot

QEMU

Jump to: navigation, search

You can easily try out coreboot using QEMU, without having to actually flash the BIOS chip on your real hardware.

Tutorials

QEMU Build Tutorial — Starting a Debian GNU/Linux system via coreboot + a Linux kernel, or via coreboot + FILO.
Booting FreeBSD using coreboot — Booting FreeBSD via coreboot + ADLO.

Ready-made QEMU images

Below is a list of various downloadable QEMU images you can use to try out coreboot.
You need a patched version of vgabios-cirrus.zip for these images to work fine, the version in QEMU's CVS repository does not yet work. The image from Debian's QEMU package (/usr/share/qemu/vgabios-cirrus.bin) is already patched and works, too.

coreboot v2 + SeaBIOS

SeaBIOS payload.

SeaBIOS is an open-source legacy BIOS implementation which can be used as a coreboot payload. It implements the standard BIOS calling interfaces that a typical x86 proprietary BIOS implements.
The QEMU image uses coreboot v2 (r4917) and SeaBIOS (9eebe66a9978165cfa91f2266c97fa5d0aa6ef2e, 2009-11-04) with the following changes to the default src/config.h:

Go there...
http://www.coreboot.org/QEMU

Build HOWTO

Jump to: navigation, search

make menuconfig in coreboot

This page describes how you can build a coreboot image for your specific mainboard.

Requirements

gcc / g++
make
ncurses-dev (for make menuconfig)

Optional:

doxygen (for generating/viewing documentation)
iasl (for targets with ACPI support)
gdb (for better debugging facilities on some targets)
flex and bison (for regenerating parsers)

Building a payload

First you need to download the source code for the payload of your choice and build it.
Instructions for building the various payloads are not covered on this page, please see Payloads and the wiki page for the respective payload for details.
The result of this step should be an ELF file (e.g. filo.elf, or coreinfo.elf) which you can use with coreboot (see below).

Building coreboot

Read More...
http://www.coreboot.org/Build_HOWTO

I tried out a build for Qemu, to see how it would go. Everything went perfectly, in the Command Line. And my build was done rather quickly. I just followed the instructions, one by one. But, when I tried to run my resulting "coreboot.rom" file in Qemu. Nothing happened. It didn't boot up. But, I have had problems with allot of ISO and IMG files too, in Qemu lately. So, the problem is probably with my Qemu install. I'm running Fedora 14 and Qemu use to work just fine on many ISO's. But, it has not been working on very many lately. So, I don't know for sure, what's going on here. No errors, no nothing. Just nothing happening, when I click Start in Qemu. I don't have a new Motherboard that actually needs Coreboot. So, I guess I'll try it again later...

Don


CoreBoot - Linux Boot for Windows 8 UEFI Secure Boot "BIOS": TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco; coreboot (aka LinuxBIOS): The Free/Open-Source x86 Firmware - YouTube; Download coreboot - coreboot; QEMU - coreboot; Build HOWTO - coreboot; Download Coreboot - Google Search; status:open project:coreboot | review.coreboot Code Review; Build HOWTO - coreboot; flashrom; Payloads - coreboot; SeaBIOS - coreboot; Build HOWTO - coreboot; Downloads - flashrom; flashrom

Windows 8 UEFI Secure Boot "BIOS": Microsoft: Don't blame us if Windows 8's secure boot requirement blocks Linux dual-boot | ZDNet; Stand up for your freedom to install free software — Free Software Foundation — working together for free software; Will your computer's "Secure Boot" turn out to be "Restricted Boot"? — Free Software Foundation — working together for free software; Linux Top 5: Microsoft's Secure Boot Gambit; Red Hat Engineer Calls out Windows 8 Secure Boot as a Linux Risk; Red Hat Engineer Calls out Windows 8 Secure Boot as a Linux Risk - InternetNews.; Red Hat engineer renews attack on Windows 8-certified secure boot • The Register; Linux Today - Windows 8 Secure Boot: Two Linux Distros Respond; Windows 8 Secure Boot: Two Linux Distros Respond | PCWorld Business Center; Worried About Win 8 Secure Boot? So Is the Free Software Foundation | PCWorld Business Center; Linux Foundation: Secure Boot Need Not Be a Problem | PCWorld Business Center; mjg59 | Implementing UEFI Secure Boot in Fedora; mjg59 | Ubuntu ODM UEFI requirements for secure boot; Linux Today - Canonical, the FSF and the Ongoing Secure Boot Saga; Linux News: Community: Canonical, the FSF and the Ongoing Secure Boot Saga; Linux Today - Fedora Linux Moves Forward with UEFI Secure Boot Plans; Fedora Linux Moves Forward with UEFI Secure Boot Plans | PCWorld Business Center; Microsoft confirms UEFI fears, locks down ARM devices; mjg59 | Handling UEFI Secure Boot in smaller distributions; ubuntu-bios-uefi-requirements.pdf (application/pdf Object); Free Software Foundation urges OEMs to say no to mandatory Windows 8 UEFI cage » OnlySoftwareBlog; PCH Search & Win: Unified Extensible Firmware Interface...; free software foundation urges oems to say no to mandatory windows 8 uefi cage - Google Search; Extensible Firmware Interface (EFI) and Unified EFI (UEFI); Linux Today - Linux Foundation proposes to use UEFI to make PCs secure and free; R.I.P. BIOS: A UEFI Primer | PCWorld Business Center; Hardware neutrality: UEFI strikes again and again | TechRepublic; Red Hat Linux paying to get past UEFI restrictions on Windows 8 | TechRepublic; UEFI - Home; Free Software Foundation urges OEMs to say no to mandatory Windows 8 UEFI cage | ZDNet; Linux Foundation proposes to use UEFI to make PCs secure and free | ZDNet; Any comment on the Ubuntu UEFI ruckus?; Unified Extensible Firmware Interface - ArchWiki; Matthew Garrett provided an overview of his UEFI Secure Boot "shim" workaround - Google Search; Linux Today - Microsoft mum on reasons for secure boot; Microsoft mum on reasons for secure boot; Linux Today - Linux Foundation Steps Into Windows 8 Secure Boot Flap; Technology News: Community: Linux Foundation Steps Into Windows 8 Secure Boot Flap; Linux Today - Delays beset the Linux Foundation's Secure Boot workaround; Delays beset the Linux Foundation's Secure Boot workaround | PCWorld; Linux Today - ITwire: Secure Boot Microsoft Shows Up Linux; Secure boot: Microsoft shows up Linux; mjg59 | Secure Boot bootloader for distributions available now; Linux Today - Coreboot: the Solution to the Secure Boot Fiasco; TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco; Linux Today - Free Software Foundation vs Microsoft Windows 8 Secure Boot; Free Software Foundation vs Microsoft Windows 8 "Secure Boot" | The VAR Guy; Linux Today - Linux Foundation releases Windows Secure Boot fix; Linux Foundation releases Windows Secure Boot fix | ZDNet

Posted in | No comments

Wednesday, 2 January 2013

Rescatux and Super Grub Disk

Posted on 11:31 by Unknown

Rescatux & SG2D

Rescatux

Includes Super Grub2 Disk
Fixes GRUB / GRUB2
Check and fix filesystems
Blank Windows password
Change Gnu/Linux password
Regenerate sudoers file
And much more features…
~ 367 MB Size

Super Grub2 Disk

Boots into many systems and GRUB2 ones!
Loads Grub legacy confs (menu.lst)
Optional LVM / RAID support
~ 7.00 MB Size

Rescatux 0.30.2 released

Rescatux 0.30.2 has been released.
A major bug concerning the Kernel selection on boot (64bit or 32bit) has been fixed in this release. If you have Rescatux 0.30 or Rescatux 0.30rc1 please check Rescatux 0.30 64bit kernel not being select ok Bug for a way of workarounding the bug without having to download again the iso.

Downloads:

Go there...
http://www.supergrubdisk.org/

Super Grub2 Disk

The primary purpose of Super GRUB2 Disk is to help you boot into an OS whose bootloader is broken. Second, and almost as important, is to be a tool to learn more about GRUB2 and the booting process.

Difference between Super GRUB Disk and Super GRUB2 Disk

GRUB2 is a complete rewrite of GRUB, and Super GRUB2 Disk is a complete rewrite as well. As Super GRUB2 Disk uses GRUB2, the differences between GRUB Legacy and GRUB2 also apply to the different versions of Super GRUB Disk.

Perhaps the most notable difference between Super GRUB Disk based on grub legacy and Super GRUB2 Disk is that Super GRUB2 Disk does not write to the disk at all, and so cannot rewrite the MBR. Super GRUB2 Disk can only be used to boot a broken system, it cannot fix it directly. Though once a system is booted, re-installing grub is usually just a matter of running “grub-install /dev/sda”.

While there are some features of Super GRUB Disk based on GRUB legacy that will never be included in Super GRUB2 Disk, the opposite is also true. For instance, Super GRUB2 Disk supports booting OSX, loop booting from iso files, booting an OS from USB without USB support in the BIOS, and other features that are not possible with GRUB legacy.

Go there...
http://www.supergrubdisk.org/super-grub2-disk/

Rescatux

Rescatux is a GNU/Linux rescue cd (and eventually also Windows) but it is not like other rescue disks. Rescatux comes with Rescapp. Rescapp is a nice wizard that will guide you through your rescue tasks.

VIDEOS – Boot Info Script, Change Gnu/Linux password, Filesystem check (Fix forced), Generate sudoers, Reset Windows password, Restore grub, Restore Windows MBR, Share Log, Update Grub, Share log on forum videos – VIDEOS

Rescatux features:

Fixes GRUB and GRUB2
Regenerates Debian/Ubuntu grub menues
Check and fix filesystems
Fixes Windows MBR
Blank Windows passwords
Boot Info Script
Change Gnu/Linux password
Regenerate sudoers file

Extra tools:

Synaptic
Gparted 0.7

Resources:

About Rescatux and Super Grub(2) Disk

Super Grub Disk was a tool for fixing GRUB1 (version 0.9X) or booting into your system and it’s deprecated. You can still find its downloads although they are a bit hidden in Super Grub Disk page.

Super Grub2 Disk, contrary to Super Grub Disk, is not able to fix neither GRUB1 (version 0.9X) or GRUB2 (version 1.XX or 2.XX). However you can use it to boot into many systems including Windows, GRUB1 and GRUB2 based ones.

Rescatux is a Debian based live cd that lets you fix your GRUB1 and GRUB2 installations (as per Super Grub2 Disk lacks) but does much more. Here the are some of its features that will be explained in detail in the rest of the article:

Finally there’s the Super Grub Disk’s Halloween edition which it was not a Super Grub Disk formally but a Super Grub2 Disk with some scary messages about your computer being erased. What it’s funny is that as today a major Spanish downloads site offers the 0.9800 version for download. If you think it more carefully you will see that it’s kind of a benevolent trojan so that Super Grub Disk newcomers find that Super Grub2 Disk is the right choice (even if they are scared a bit;)).

A new stable release

More than a year since the latest Rescatux stable release (Rescatux 0.29 at 11 Jul 2011 according to Freecode (former freshmeat).

Rescatux 0.30 has been released as many beta versions that fixed minor problems, updated documentation to the current options and also tried to workaround some usability issues.

Helping newbies

The different approach of Rescatux is found in its main program: Rescapp. Rescapp is a nice wizard that will guide you through your rescue tasks.

At the first glance Rescapp seems to be just a launcher for Rescue tools:

. However it has some Support features that make it unique:

Chat: Open the chat for asking help directly in Rescatux channel.
Share log: After running an option you can share its log (the action registry that it has done) so that in the chat they can help you better. O better, even, you can help debug and fix Rescatux bugs on the fly.
Share log on forum: Prepares a forum post alike text so that you can just copy and paste it in your favourite forum. Logs are nicely inserted into it with [CODE] symbols.
Boot Info Script: Run Boot Info Script option to share your computer configuration (specially boot one).

More than this the non-support features such as:

are being driven with nice wizards :

Features explained

Check and fix filesystems

When a filesystem has some errors in it some bad things might happen. Maybe GRUB1 or GRUB2 cannot find its own files (Grub errors) or the kernels (cannot find file error). Maybe the kernel can be loaded but its initrd stage isn’t able to find the final device root filesystem (Kernel panic – not syncing: VFS: Unable to mount root fs. (initramfs))

This option tries to fix this filesystem errors even if the filesystem seems to be clean and ok.

Blank Windows passwords

The old chntpasswd program has been hacked so that you can use it from a GUI. You can just select your Windows drive and the user you want its password to be reset.

Change Gnu/Linux password

Have you ever forgotten your Gnu/Linux password? Now you can change it from this nice wizard. As always you’re prompted to choose your Gnu/Linux installation and then the user which you want to change its password.

Regenerate sudoers file

Have you ever tried to run an special program as a normal user… but by doing it you have somehow borked your /etc/sudoers file? Don’t panic! Now after baking up your previous sudoers file a new one is generated on the fly. You just have to select which it’s your user.

Restore Grub

Not sure what’s the current situation with Windows 8 and Windows 7 but in previous versions once you reinstalled Windows (because of a virus or whatever reason) you lost your Grub menu. That meant that you couldn’t boot anymore into your Gnu/Linux system. The truth is that you can download the light-weight Super Grub2 Disk and boot into your system in a temporal way.

But how to fix it permanently? If you’re not good at the Gnu/Linux command line you can just use Rescatux’s Restore Grub option.

Update Grub Configuration

Sometimes the Grub configuration is no longer valid. Either your hard disks order at boot have changed (It should only affect to GRUB1) or you have added a new Windows installation and it’s not detected.

Update Grub option let’s you rebuild your Grub configuration files. This option will only work in Debian based distros like Ubuntu.

Restore Windows MBR (BETA)

This option tries to restore Windows MBR but it’s kind of buggy because some users report that it’s not working for them. It probably works with no problem on Windows XP (without dynamic disks) and previous Windows versions. This is the reason why it’s a BETA option.

Super Grub2 Disk

You shouldn’t forget that Super Grub2 Disk is also included in Rescatux.

Architecture detection

Either you have an old 32bit system or a new 64bit system Grub2 integrated into Rescatux will detect it and load the corresponding kernel.

About Rescatux future

There’s so many things to be enhaced in Rescatux that it’s hard to categorize them.

I18N for options (Documentation is already translated)
Document Resclib API
Open development of new options to new developers
Drop zenity menues and focus on pyqt ones
Add extra tools like Parted Magic or System Rescue cd programs even if they don’t have a nice wizard option in Rescapp.
Make Rescapp a Debian Package
Add loopback.cfg file to Rescatux (and any Debian live cd)
Improve option: Restore Grub: Being able to restore non-distribution based GRUB1 installations.
Improve option: Update Grub: Being able to use it in non-Debian based systems. Probably using grub-mkconfig from the live cd.
Fix known bug: Filesystem Check does not prompt Failure when it fails.
Add more translations
Partition assistant for new Gnu/Linux installations where you have to shrink Windows partition
Try to force the installation of packages when an apt-get upgrade or similar has failed
Wipe a filesystem, partition or disk
Recover lost files
Save your non accesible files from Windows even if you cannot boot into it driven by Rescapp wizard.

Where to Download

Just check the Rescatux Download stable section.

How to burn it into a cdrom or put it in a USB

Please check the Rescatux wiki for USB instructions. For the cdrom you can just burn it like any other live cd. Imgburn for Windows and Brasero for Gnu/Linux should help you. Make sure you burn it as an image not as a file.

Go there...
http://www.supergrubdisk.org/rescatux/

Super Grub Disk: DonsDeals: AutoSuperGrubDisk - Super Grub Disk Wiki; DonsDeals: Super Grub Disk 2 Updates; : Super Grub2 Disk: Project Filelist; : Super Grub2 Disk: Project Filelist; Boot Problems Open Source Tools | Super Grub Disk, Super Grub2 Disk and Rescatux; supergrub disk 2 - Google Search; super grub disk - Google Search; Super Grub Disk Webpage; Super Grub Disk Webpage; Rescatux 0.30b6 released - Super Grub Disk; Rescatux 0.30b6 released - Super Grub Disk; Rescatux | Boot Problems Open Source Tools; Super Grub Disk; Super Grub Disk; Super Grub Disk; Rescatux | Boot Problems Open Source Tools; Rescatux | Boot Problems Open Source Tools; Super Grub(2) Disk (English); Super Grub Disk Homepage; Super Grub Disk Homepage; Super Grub Disk Webpage - Download ALL; Rescatux - Super Grub Disk; Super Grub2 Disk - Super Grub Disk; Super Grub2 Disk - Super Grub Disk; AutoSuperGrubDisk - Super Grub Disk Wiki; AutoSuperGrubDisk - Super Grub Disk Wiki; AutoSuperGrubDisk - Super Grub Disk Wiki; Main Page - Super Grub Disk Wiki; SGD Howto make - Super Grub Disk Wiki; SuperGrubDisk - Super Grub Disk Wiki; Super Grub2 Disk

Rescatux and Super Grub2 Disk: Rescatux; Rescatux display - Google Search; BerliOS Developer: Project Summary - Rescatux; Super Grub Disk Homepage; [all variants] Rescatux 0.01 PRE-ALPHA released (Grub rescue disk) Please test [Archive] - Ubuntu Forums; Re: Grub disk: something automatic? - msg#02704 - ubuntu-users; Super Grub2 Disk - Super Grub Disk; Super Grub Disk Webpage; : Super Grub2 Disk: Project Filelist; Rescatux - Super Grub Disk; Rescatux | Boot Problems Open Source Tools; Super Grub Disk; AutoSuperGrubDisk - Super Grub Disk Wiki; Rescatux 0.30b6 released - Super Grub Disk; Rescatux - Super Grub Disk; RescatuxCannotDo - Rescatux

Super Grub Disk 2 and Rescatux

Rescatux

Rescatux display - Google Search

BerliOS Developer: Project Summary - Rescatux

Super Grub Disk Homepage

[all variants] Rescatux 0.01 PRE-ALPHA released (Grub rescue disk) Please test [Archive] - Ubuntu Forums

Re: Grub disk: something automatic? - msg#02704 - ubuntu-users

Super Grub2 Disk - Super Grub Disk

Super Grub Disk Webpage

: Super Grub2 Disk: Project Filelist

Rescatux - Super Grub Disk

Rescatux | Boot Problems Open Source Tools

Super Grub Disk

AutoSuperGrubDisk - Super Grub Disk Wiki

Rescatux 0.30b6 released - Super Grub Disk

Super-boot-manager 0.6.1-4 released: SOURCES.LIST » Blog Archive » Super-boot-manager 0.6.1-4 released; YouTube - SUPER-BOOT-MANAGER by www.sourceslist.eu team; SOURCES.LIST » Blog Archive » Super-boot-manager buc version: Download & Installation; Burg-manager- Install and configure Burg the easy way| Ubuntu Maverick Meerkat PPA | Unixmen

Super Boot Manager - The easy way to change Plymouth & GRUB screens

SUPER-BOOT-MANAGER by www.sourceslist.eu team - YouTube

super-boot-manager - Google Search

Super Boot Manager - The easy way to change Plymouth & GRUB screens - YouTube

‘Super Boot Manager’ eases BURG, GRUB, Plymouth tweaking pains

Super boot manager - Great tool to Manage Burg, Grub2 and Plymouth in Ubuntu | Unixmen

Ultimate Boot CD - Overview

SOURCES.LIST

SOURCES.LIST » Risultati della ricerca » english

Posted in | No comments

Monday, 31 December 2012

Secure Boot Bootloader for Linux Distributions Available Now

Posted on 08:26 by Unknown

I've been waiting and hoping for this to happen for about a year now. So, this is very good news to me. I've been running Fedora and Debian Linux as my main OS's since 2005. As well as many other Rescue Linux Distros. When I work on Restoring broken Windows Systems and Data Recovery, etc. And I sure didn't want to be stuck using Old Hardware, Forever! Or have to change to a Linux Distro, that I rally don't care for (Ubuntu etc). Fedora has decided to buy keys from Microsoft. So, I'm good there, for now. But, what about all of the other, smaller Linux Distros, that I use??? So, indeed... This is very good news to me!:) I'm a bit behind in finding out. About a month or so. But, that's ok. I'm not quite ready to by that New Hardware yet anyway. Check out and download, mjg59's, Secure Boot bootloader for distributions available now...

Don

mjg59The plan for supporting UEFI Secure Boot in Fedora is still pretty much as originally planned, but it's dependent upon building a binary which has the Fedora key embedded, and then getting that binary signed by Microsoft. Easy enough for us to do, but not necessarily practical for smaller distributions. There's a few possible solutions for them.

Require that Secure Boot be disabled

Not ideal. The UI for doing this is going to vary significantly between machines, making it difficult to document. It also means that the security benefits of Secure Boot are lost.
Require that the machine be placed in Setup Mode

Clearing the enrolled Platform Key results in the system transitioning into Setup Mode, and from then on new keys can be enrolled into the key database until a new Platform Key is enrolled. Distributions could ship an unsigned bootloader that then writes the distribution keys into the database - James Bottomley has an example here. This means that the distribution can still benefit from Secure Boot, but otherwise has the same downside that the UI for doing this will vary between machines.
Ship with a signed bootloader that can add keys to its own database

This is more interesting. Suse's bootloader design involves the bootloader having its own key database, distinct from those provided by the UEFI specification. The bootloader will execute any second stage bootloaders signed with a key in that database. Since the bootloader is in charge of its own key enrolment, the bootloader is free to impose its own policy - including enrolling new keys off a filesystem.

I've taken Suse's code for key management and merged it into my own shim tree with a few changes. The significant difference is a second stage bootloader signed with an untrusted key will cause a UI to appear, rather than simply refusing to boot. This will permit the user to then navigate the available filesystems, choose a key and indicate that they want to enrol it. From then on, the bootloader will trust binaries signed with that key.

Read More...
http://mjg59.dreamwidth.org/17542.html

mjg59I'm pleased to say that a usable version of shim is now available for download. As I discussed here, this is intended for distributions that want to support secure boot but don't want to deal with Microsoft. To use it, rename shim.efi to bootx64.efi and put it in /EFI/BOOT on your UEFI install media. Drop MokManager.efi in there as well. Finally, make sure your bootloader binary is called grubx64.efi and put it in the same directory.

Now generate a certificate and put the public half as a binary DER file somewhere on your install media. On boot, the end-user will be prompted with a 10-second countdown and a menu. Choose "Enroll key from disk" and then browse the filesystem to select the key and follow the enrolment prompts. Any bootloader signed with that key will then be trusted by shim, so you probably want to make sure that your grubx64.efi image is signed with it.

If you want, you're then free to impose any level of additional signing restrictions - it's entirely possible to use this signing as the basis of a complete chain of trust, including kernel lockdowns and signed module loading. However, since the end-user has explicitly indicated that they trust your code, you're under no obligation to do so. You should make it clear to your users what level of trust they'll be able to place in their system after installing your key, if only to allow them to make an informed decision about whether they want to or not.

Read More...
http://mjg59.dreamwidth.org/20303.html

Secure Boot bootloader for distributions available now

: Matthew Garrett provided an overview of his UEFI Secure Boot "shim" workaround - Google Search; mjg59 | Secure Boot bootloader for distributions available now; Shimming your way to Linux on Windows 8 PCs | ZDNet; Index of /~mjg59/shim-signed; mjg59 | Handling UEFI Secure Boot in smaller distributions

Posted in | No comments

Vulnerability Note VU#625617

Java 7 fails to restrict access to privileged code

Overview

Description

Impact

Solution

References

Credit

Other Information

Report a Vulnerability

TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco

Download coreboot

Snapshots

Git

Git clone

QEMU

Contents

Tutorials

Ready-made QEMU images

coreboot v2 + SeaBIOS

Build HOWTO

Contents

Requirements

Building a payload

Building coreboot

Recent Posts on http://beginlinux.com

Super Grub2 Disk

Difference between Super GRUB Disk and Super GRUB2 Disk

Rescatux

About Rescatux and Super Grub(2) Disk

A new stable release

Helping newbies

Features explained

Architecture detection

About Rescatux future

Where to Download

How to burn it into a cdrom or put it in a USB

Secure Boot bootloader for distributions available now