Easy. If you reboot right after installing an update, you know that this time the secrets change is legit (remember, we are still in the context of AEM). At any other time it's a huge warning sign.
No, you don’t. Not all dom0 updates are kernel and xen updates. You need to actually check which packages are updated, every single time.
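One concrete way to do that check, as an added example that is not part of the thread: list the packages installed in dom0 since the last boot and split them into those that plausibly change the measured boot chain (kernel, Xen, bootloader, AEM itself) versus everything else. The `rpm` query and `/proc/stat` boot time are standard; the package-name patterns are an assumption for illustration, since the exact set that feeds the TPM PCRs depends on how AEM is configured on the machine.

```shell
#!/bin/sh
# Added example (not from the thread). classify_updates reads lines of the
# form "INSTALLTIME NAME" on stdin (what `rpm -qa --qf '%{INSTALLTIME} %{NAME}\n'`
# prints), keeps the packages installed after the boot epoch given as $1, and
# reports which of them belong to the measured boot stack.
# Exit status 0: something in the measured stack was updated since boot, so a
# changed AEM secret on the next reboot has a benign explanation.
# Exit status 1: nothing measured was updated, so any secrets change is a
# warning sign regardless of what else got installed.
classify_updates() {
  boot_epoch="$1"
  awk -v boot="$boot_epoch" '
    $1 > boot {
      # Assumed name patterns for components that end up in the PCRs.
      if ($2 ~ /^(kernel|xen|grub2|shim|tboot|anti-evil-maid)/)
        measured = measured " " $2
      else
        other = other " " $2
    }
    END {
      printf "measured:%s\nother:%s\n", measured, other
      if (measured == "") exit 1
      exit 0
    }'
}

# Live use in dom0 (not invoked here): compare against the current boot time.
check_since_boot() {
  rpm -qa --qf '%{INSTALLTIME} %{NAME}\n' \
    | classify_updates "$(awk '/^btime/ { print $2 }' /proc/stat)"
}
```

Run `check_since_boot` before rebooting; if it exits non-zero and the AEM secret still changes after the reboot, the change was not caused by a kernel or Xen update.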
Oh, sorry, I thought we were talking about secure hardware here, not “easy to use”. The two goals are rarely compatible.
No, and that is the point. It's not going to be read anyway. There are only 2 choices:
- Automatically applying the signed binary and getting the fix ASAP.
- Sit on it, delay updates, and then not fully read or understand everything, and suffer from vulnerabilities you wouldn't otherwise have while you are sitting on it.
Huh? I am not sure what it has to do with anything at hand. Do you read binary firmware before applying those updates?
Secure hardware has blown fuses and Bootguard properly set up. Sitting on updates and not fully reading the code (exactly what's going to happen if you are not working on this piece of software as a job) is hardly a good security practice. You are not going to read every single line of every update anyway, so you might as well take the signed, timely, automatic updates.
Well, the situation is very different here. While the OEM has some control, it's much less. For example, if the OEM is coerced into making changes, you are under no obligation to sign and install them when YOU hold the signing keys.
This is all hopes and dreams. Say tomorrow an update is released with critical fixes. Are you going to sit on it for months/years partially reading it or would you apply it immediately? This is just an illusion of control.
The way it happens on Intel platforms is that a special file is placed onto the boot filesystem; the early bootloader notices the file, verifies its integrity and then applies it, before any of the less trusted later components get into the picture.
What?
Wait a minute, why do you need to reflash after every compromise? If the flash is not writeable from your compromised OS, there's no need to rewrite it, right?
Also, if you get this deeply compromised very often, what is even the point of storing any sort of important data on such systems? Every compromise would exfiltrate it all anyway, I imagine.
What are you even saying? There are only 2 possible scenarios here:
- The flash is writable, in which case you need to manually flash it to fix after a compromise.
- The flash is "readonly" (as in just not allowing writes, but having no real verification of whether it has somehow been tampered with, because of not having BootGuard), in which case I have to manually flash every update, which is even worse.
IF there are unblown fuses, you are in GREAT luck, I would say. You can actually blow them the way YOU want, you can put in your own keys and have a much more secure system in the end.
Again, security theatre for the reasons I explained above. Unless you are working on this software full time and actually audit everything every time there is a new release, and do it in a timely manner, this is a meaningless exercise.