High Availability Boot processes and only using code-signing certificates

High Availability Boot (HAB) is a technique described here in an NXP application note. This is best summarised as:

HAB authentication is based on public key cryptography using the RSA algorithm in which image data is signed offline using a series of private keys. The resulting signed image data is then verified on the i.MX processor using the corresponding public keys. This key structure is known as a PKI tree. Super Root Keys, or SRK, are components of the PKI tree. HAB relies on a table of the public SRKs to be hashed and placed in fuses on the target.

The procedure burns Super Root Key (SRK) fuses using a software tool called srktool. In its proper use, I would use an SSL certificate with the OID set for code-signing. This would have an OID of 1.3.6.1.5.5.7.3.3.

However, there doesn’t appear to be anything that stops me from using a certificate that is created for other purposes, e.g. for client authentication with the OID of 1.3.6.1.5.5.7.3.2.

The problem is that if I have two certificates from the same CA:

  1. Code-signing certificate
  2. Client certificate

I could sign the image with the code-signing certificate. If I could update the public key on the target device, then it would be possible to sign it with the client certificate and it would be accepted as valid.

The only option is to use different CAs for code-signing and client certs. I’m wondering if there’s some way to check the OIDs?
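One way to answer the last question, as an added example that is not part of the original post and not part of NXP's HAB tooling (NXP's HAB is High Assurance Boot): a build-side gate, run before any certificate is handed to the signing step or to srktool, that accepts a certificate only if its X.509 extendedKeyUsage extension (2.5.29.37) explicitly contains id-kp-codeSigning. The two OIDs quoted above are values inside that extension. The script uses the openssl command line to recreate the situation in the question: one CA issues a code-signing certificate and a client-authentication certificate. It first shows that a signature made with the client-auth key verifies perfectly well against that key, which is why nothing on the cryptographic side distinguishes the two, and then applies the policy check. A certificate with no EKU at all, or with only anyExtendedKeyUsage, is rejected as well. The CA name, the file names and the image bytes are constructed for the example; the purpose labels it matches ("Code Signing", "TLS Web Client Authentication") are the ones OpenSSL's `-text` output prints, which is an assumption about the tool version rather than something the application note states.

```shell
#!/bin/sh
# Policy gate: only certificates whose EKU names Code Signing may sign images.
# Added example; CA name, file names and image contents are made up.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# One CA issuing both certificates, exactly the setup in the question.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=Example-Signing-CA -keyout ca.key -out ca.pem 2>/dev/null

# issue NAME PURPOSE: NAME.key, NAME.pem (signed by the CA, EKU = PURPOSE)
# and NAME.pub (the bare public key, i.e. what a verifier ends up trusting).
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'extendedKeyUsage = %s\n' "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    openssl x509 -in "$1.pem" -pubkey -noout > "$1.pub"
}
issue codesign codeSigning   # id-kp-codeSigning  1.3.6.1.5.5.7.3.3
issue client   clientAuth    # id-kp-clientAuth   1.3.6.1.5.5.7.3.2

# Print the EKU purposes of a PEM certificate, one per line (nothing if the
# extension is absent).  Relies on the labels OpenSSL's -text output uses.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }' |
        tr ',' '\n' | sed 's/^ *//'
}

# Succeed only if the certificate explicitly carries Code Signing.  A missing
# EKU is refused on purpose: RFC 5280 reads absence as "any purpose", which
# is exactly the ambiguity a signing pipeline should not accept.  The same
# applies to anyExtendedKeyUsage (2.5.29.37.0), which is not matched here.
cert_allowed_for_code_signing() {
    cert_eku "$1" | grep -qx 'Code Signing'
}

# sign_image KEY FILE SIG / signature_verifies PUB SIG FILE: plain RSA
# signatures over a file, standing in for whatever the signing tool produces.
sign_image()         { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }
signature_verifies() { openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1; }

# The questioner's point, reproduced: the client-auth key signs and verifies
# just like the code-signing key would.  The EKU is never consulted here.
printf 'constructed image bytes, not a real i.MX image\n' > image.bin
sign_image client.key image.bin image.sig
signature_verifies client.pub image.sig image.bin &&
    echo "client key: signature verifies (EKU never consulted)"

# The gate that does tell them apart.  ca.pem has no EKU and is rejected too.
for cert in codesign.pem client.pem ca.pem; do
    if cert_allowed_for_code_signing "$cert"; then
        echo "$cert: accepted   ($(cert_eku "$cert" | tr '\n' ' '))"
    else
        echo "$cert: REJECTED   ($(cert_eku "$cert" | tr '\n' ' '))"
    fi
done
```

This check is a control on the build and key-management side: the device itself, per the note quoted above, trusts whatever public keys hash to the value burned into the SRK fuses, so the gate has to run before a key is ever fused or used to sign, and it does not replace keeping the SRK table under control. On OpenSSL 1.1.1 or later, `openssl x509 -noout -ext extendedKeyUsage` gives the same information without scraping the full `-text` dump.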

How can BitLocker be considered safer, if it doesn’t ask for a key during boot

This is most likely a naive question, but I failed to find a proper answer to it, so I dared to ask here.

When I was using TrueCrypt / VeraCrypt, my key / hash / password was never stored anywhere and I was forced to provide it upon each boot. Now that I have enabled BitLocker in my Windows 10 Pro, my key / hash is stored inside the TPM (?) and I am never asked for it. My system disk is decrypted on-the-fly as the system boots.

Now, if I don’t have to provide this key during boot, then my disk is completely unsafe if someone stole it together with my computer (very likely, the most common scenario?). I am only safe if an attacker gets the disk, but not the computer, and installs it in their own computer.

When I was using TrueCrypt / VeraCrypt, I was always safe, no matter whether an unauthorized person got access to my disk in my computer or in any other. Without the key / hash, my disk was garbage.

Please explain what I am missing. How can BitLocker be considered safer than TrueCrypt / VeraCrypt, given the above two scenarios?

Dual booting an HP laptop (4GB RAM, Intel i3 6006): Windows 10 and Ubuntu dual boot, each time I install Ubuntu with the “something else” option in the installation

I am installing Ubuntu on an HP laptop with Windows 10 preinstalled. Each time I install Ubuntu on a partition, grub does not install the i386 file in the /boot/grub folder, which causes an error, as grub searches for that file and runs into grub rescue at each boot; hence I cannot boot into Ubuntu or Windows. I manually added the file via live USB but failed to make the grub config for such changes. My partition shows (hd,msdos6) as root. Grub is installed on the root partition. Grub never installs the i386 file, and this file can be found in /usr/lib/grub.

Can’t boot windows after deleting Ubuntu partition?

Linux newb.
A while ago I ran Ubuntu from a USB to test out some stuff. I now need Ubuntu, so I wanted to install it properly.
On Windows 7 I deleted the partition that would have contained Ubuntu (the only one without NTFS) and then tried resizing my C: drive to make space for Ubuntu.
I then had to restart my PC. When I did, it loaded to grub rescue. I haven’t been able to figure this out from here.
I got Ubuntu running on the USB again but can’t get the partitioning to work right (I think).
I can’t lose my Windows data and want dual boot.
Help please. 🙂

Grub repaired after W10 update, but now W10 won’t boot

I have a W10/Ubuntu 18 dual boot, both systems on one SSD (booting BIOS, not UEFI). A recent W10 update messed up my partitions and I got the grub rescue screen. I was able to fix it by recovering the Linux partition using parted rescue. After that I was able to boot, selected W10 and it successfully finished the update process. After that I was able to boot into Ubuntu, but with a slight issue – “No symbol table”.

I ran

    sudo grub-install /dev/sda
    sudo update-grub

It fixed the Linux boot, but now when I select W10 from the grub menu it just reboots and comes back to the grub menu.

Here are my disk partitions:

    ~$ sudo parted /dev/sda print
    Model: ATA Samsung SSD 850 (scsi)
    Disk /dev/sda: 256GB
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos
    Disk Flags:

    Number  Start   End    Size    Type      File system     Flags
     1      1049kB  106MB  105MB   primary   ntfs
     2      106MB   144GB  144GB   primary   ntfs            boot
     3      144GB   144GB  543MB   primary   ntfs            diag
     4      144GB   256GB  112GB   extended
     6      144GB   248GB  104GB   logical   ext4
     5      248GB   256GB  8210MB  logical   linux-swap(v1)

My W10 is number 3, which I confirm by ls (hd0,msdos2)/ in grub

What I see in grub.cfg for the W10 section:

    menuentry 'Windows 10 (on /dev/sda1)' --class windows --class os $menuentry_id_option 'osprober-chain-68349BA7349B7732' {
            savedefault
            insmod part_msdos
            insmod ntfs
            set root='hd0,msdos1'
            if [ x$feature_platform_search_hint = xy ]; then
              search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  68349BA7349B7732
            else
              search --no-floppy --fs-uuid --set=root 68349BA7349B7732
            fi
            parttool ${root} hidden-
            drivemap -s (hd0) ${root}
            chainloader +1
    }

That seems to be wrong, as it points to hd0,msdos1, the small reserved partition; the UUID of the W10 partition is 86CA9C8FCA9C7CDD and it is hd0,msdos2 (/dev/sda2).

I tried to re-run os-prober and update-grub, but nothing changes. Please help me recover my W10 boot from the grub menu; thanks in advance.

Not able to boot into windows

I installed Ubuntu alongside my Windows 10, and it booted directly to Windows. So I ran bcdedit /set {bootmgr} path \EFI\ubuntu\grubx64.efi. Then the grub menu showed up with 3 options:

  1. Ubuntu
  2. Ubuntu advanced options
  3. Windows Boot Manager

Now I’m able to select Ubuntu, but selecting Windows Boot Manager brings me back to the grub menu itself. I am not able to go to Windows.

I ran Boot Repair in Ubuntu and the same problem persists; here is the link to its report: https://paste.ubuntu.com/p/SPJZrDFkJS/.