On 2015-08-23 19:07, Lew Wolfgang wrote:
How about hardware vendors? I heard that Lenovo motherboards have a BIOS that detects a Windows install and if found, replaces a key Windows binary with one of its own. It's basically a BIOS-resident root-kit that is completely invisible to the operating system.

No, not exactly. The code is triggered by the Windows operating system, which can run certain code in the UEFI memory. It is documented by Microsoft. This is (guessing) intended so that you can install a vanilla copy of Windows (≥8, I think), Windows will run this code in the hardware, and this will run things that install customizations for that hardware. It could be drivers specific for it, thus safe. Or "safe".

Linux would not trigger this, but it might if wanted. Not this particular code which is designed for Windows. Some other code in the BIOS (not BIOS, but UEFI) designed for Linux. Given that there is no such thing as a single "Linux", it can't be done. I think.

The problem is that the Lenovo code does not check that the site that it connects to for downloading pieces is verified. It could be hijacked, and install something else very different than what was intended. That was the security risk found.

Of course, there is the issue that your installation is modified without your explicit permission.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)