On Tuesday, July 06, 2021 07:07:29 PM Jeremy Nicoll wrote:
> On Tue, 6 Jul 2021, at 23:37, rhkra...@gmail.com wrote:
> > I've seen warnings (against hacks) that say (among other things) to
> > enable "secure flash". I've been googling to learn more about that, but
> > I haven't found any good explanation.
> >
> > I'm beginning to get hints that it is not so much a thing (to be
> > enabled), but more the (a) process to update the computer's BIOS.
> > (e.g., "'Unable to start a Secure flash session' error message.")
>
> It might be a suggestion that you use your BIOS or UEFI to disable the
> machine's ability to boot off a USB stick ... because that - if it's on -
> allows anyone to reboot your machine with the OS and tools of their
> choice.

Thanks to all who replied!

I found some more information. It seems that SecureFlash might be an American Megatrends (AMI) thing related to SecureBoot and UEFI. It is apparently a means to flash a BIOS and make sure that the new image is "secure" (for some definition of secure).

The word that I could not remember exactly was rollback (not rollover) and "anti-rollback" is apparently intended to prevent a hacker from rolling back the BIOS to an earlier less secure version.

The following is a link to an old (20120220) presentation on the subject, with some quotes captured from the slides. I don't know if Secure Flash is still a thing or has been replaced by something else.

(Try to ignore the markup -- it is what I use in what I sometimes call my offline TWiki.)

   * [[https://members.uefi.org/learning_center/UEFI_Plugfest_2012Q1_v3_AMI.pdf] [Secure Firmware Update]]: "UEFI Winter Plugfest – February 20-23, 2012: Presented by Zachary Bobroff(AMI)"

`=
Why Secure Flash Update?

• Platform security is a broad topic...
  – Many overlapping technologies (TPM, secure boot, secure flash update, etc)
  – System complexity is increasing with new technologies (Execute Disable, virtualization, etc)
  – No one specification ties all security technologies together
• Firmware modification/tinkering by the hobbyist is becoming more commonplace
• The UEFI specification completely documents all interfaces
  – Malicious software can attack the firmware

...

Connection with Secure Boot

• Secure boot dictates that all external images must be authenticated prior to execution
• Secure boot ensures the system booted in a trusted state
• Secure boot prevents attacks targeting the firmware to OS handoff
• Secure boot does not prevent any direct attacks on the firmware itself, and the UEFI specification has no provisioning for firmware protection

...

Secure Flash Demonstration

• The following will be demonstrated:
  – The capsule update method using AMI ASFU (AMI Secure Flash Update) Utility
  – Anti-Rollback will be tested by trying to flash original image
  – A modified binary will be used to simulate a malicious BIOS update
    • A binary modified after signing will have an invalid signature
='
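
The two checks named on the demonstration slide (signature verification and anti-rollback), modelled as an added example that is not part of the original message and is not AMI's code. The capsule layout (4-byte version, image, signature), the function names, the "older version is rejected" policy and the toy textbook-RSA key are assumptions made for illustration; a real updater verifies a padded signature against the vendor's public key.

```python
import hashlib
import struct

# Constructed toy key: textbook RSA over two known Mersenne primes.
# It stands in for the vendor signing key and is NOT a usable signature scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, vendor side only
SIG_LEN = (N.bit_length() + 7) // 8

def _digest(signed_part: bytes) -> int:
    return int.from_bytes(hashlib.sha256(signed_part).digest(), "big")

def sign_capsule(version: int, image: bytes) -> bytes:
    """Vendor side (hypothetical layout): version || image || signature."""
    signed_part = struct.pack(">I", version) + image
    sig = pow(_digest(signed_part), D, N)
    return signed_part + sig.to_bytes(SIG_LEN, "big")

def check_capsule(capsule: bytes, installed_version: int) -> str:
    """Updater side: needs only the public values (N, E)."""
    if len(capsule) < 4 + SIG_LEN:
        return "reject: malformed capsule"
    signed_part, sig = capsule[:-SIG_LEN], capsule[-SIG_LEN:]
    sig_int = int.from_bytes(sig, "big")
    if sig_int >= N or pow(sig_int, E, N) != _digest(signed_part):
        return "reject: invalid signature"
    # The version is trusted only after the signature covering it verified.
    (version,) = struct.unpack(">I", signed_part[:4])
    if version < installed_version:
        return "reject: rollback"
    return "accept"

def demo() -> dict:
    """The three cases listed on the demonstration slide."""
    old = sign_capsule(1, b"original image")
    new = sign_capsule(2, b"updated image")
    tampered = bytearray(new)
    tampered[10] ^= 0x01               # image byte modified after signing
    return {
        "update": check_capsule(new, installed_version=1),
        "rollback": check_capsule(old, installed_version=2),
        "tampered": check_capsule(bytes(tampered), installed_version=2),
    }

if __name__ == "__main__":
    print(demo())
```

The version field sits inside the signed region, so an attacker cannot raise the version number of an old image without invalidating its signature.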