Mastodawn

@jik @zackwhittaker
Weeeelll, that's a bit too much panic!
Yes, the machines might not boot anymore, but the data is still there.
It can still be read on a normal Linux Live-ISO just fine.

Andrew Zonenberg 3d ago

@manawyrm @jik @zackwhittaker wait, so if the certificate expires *existing signed binaries* will no longer run? Does this mean any signed bootloader has an inherent shelf life and will need to be re-signed every so many years even if no changes are being made to it?

Graham Sutherland / Polynomial

@azonenberg @manawyrm @jik @zackwhittaker afaik no. the expiry usually isn't enforced.

Andrew Zonenberg 3d ago

@gsuberland @manawyrm @jik @zackwhittaker Usually the way cert expiration for signing works is signatures are timestamped by a third party and any signature *made* post expiry is not trusted, but old ones are valid in perpetuity as long as the cert had been valid when the signature was created

@azonenberg @manawyrm @jik @zackwhittaker yes, precisely

@gsuberland @azonenberg @jik @zackwhittaker that's what I would've expected as well, but I'm not 100% sure about how Windows driver signing works.

Either way, the data is perfectly fine :)

@manawyrm @azonenberg @jik @zackwhittaker fairly sure driver signatures don't have an expiry at all; it's only the CA that has an expiry and an expired CA doesn't invalidate an existing valid signature, as long as that signature's date was within the valid time range of the CA.

@manawyrm @azonenberg @jik @zackwhittaker (yes just checked and this is exactly how it works)

Antony 3d ago

@gsuberland @manawyrm @azonenberg @jik @zackwhittaker the certificates used to sign them do have an expiry but timestamps solve both expired cert and expired CA. The only way to revoke it is to add that cert to a CRL and leave it there permanently. I've no idea if the windows kernel checks crls or just maintains a list of blocked certs but I'd expect it to share the logic with windows and keep a cached crl (could be wrong, a long time since I cared much about windows drivers).

UEFI I don't think checks either expiry or timestamps at all. Instead it has the dbx which can contain blocked certificates or hashes of binaries that should not load.

Antony 3d ago

@gsuberland @manawyrm @azonenberg @jik @zackwhittaker they're blocked on signing new builds.

@diagprov @manawyrm @azonenberg @jik @zackwhittaker yup that tracks with my understanding of it. Windows does have a driver cert revocation mechanism and a more general blocklist to prevent loading known-vulnerable drivers, but I haven't studied it in detail.

Antony 3d ago

@gsuberland @manawyrm @azonenberg @jik @zackwhittaker me neither but given how closely uefi code looks to Microsoft C code I bet the mechanism of dbx is very similar to the kernel.

@gsuberland @diagprov @manawyrm @azonenberg @jik @zackwhittaker there are two types of revocation lists, the old one that can revoke certs and binaries by hash (two different lists for boot and drivers), and the new one that's just a CiPolicy and can therefore revoke by anything that a CiPolicy supports.

gkrnours 3d ago

@gsuberland @manawyrm @azonenberg @jik @zackwhittaker in an ideal world, the boot payload is checked by a secure enclave of your motherboard and if it doesn't look legit, it's refused, device doesn't boot and the secure enclave doesn't provide it's part of the decryption, meaning the data stay locked.

Also, all data on disk would be backed up somewhere safe so it would be simply a matter of wiping the device clean and reinstalling.

@manawyrm @gsuberland @azonenberg @jik @zackwhittaker

Jeff Codes 3d ago

The data may be fine; however, not everyone who may use VeraCrypt has the same knowledge and skill base to know to pull up a Linux Live USB and go get their data back. I've encouraged non-technical users to use easy breakthroughs to add encryption to their Windows Home environments. They definitely will not have the knowledge do just go do this. Many may not have another device to create the Linux Live USB either.
This is still a problem, whether or not the data is still available through other means.

@jeffcodes @gsuberland @azonenberg @jik @zackwhittaker I'm very sorry, but users that aren't capable of getting help with recovering such data from someone that can handle a Linux Live ISO shouldn't be using VeraCrypt to begin with.
It's extremely likely to just cause your system to stop booting (and that has happened to me 5+ times in the years I was using it) -- it's just a regular occurance and you'll need to deal with these things as a user.

@manawyrm @gsuberland @azonenberg @jik @zackwhittaker

Jeff Codes 3d ago

IMO, it is not acceptable to simply overlook these hurdles and say, "this is not available to you because you're not technical like me." These tools are necessary against the mass surveillance of the companies like Microsoft, Google, etc. and governments alike.
We, as technologist, should be working to make these more accessible to those who are not technologists too. Those folks deserve the right and privacy and security like the rest of us.

@jeffcodes @gsuberland @azonenberg @jik @zackwhittaker You're absolutely right and will get no argument from me there. I have always supported people encrypting their drives and will give support to people trying to do that.

Still, VeraCrypt is just a very fragile piece of kit and users need to know that and be able to either fix it themselves or know someone who can do it.

Telling just random people on the streets to install it will indeed just block access to their data -- even without MS.

@manawyrm @gsuberland @azonenberg @jik @zackwhittaker

Jeff Codes 3d ago

Fair enough. I don't encourage just anyone either. Those who I have encouraged also know to call me if something blows up! 😂

mossman 3d ago

@manawyrm @jeffcodes @gsuberland @azonenberg @jik @zackwhittaker I used VeraCrypt (and before that TrueCrypt) on the main home desktop for over a decade (and used it on a couple of other machines) yet never once had a problem with it. I had problems with stupid Windows Update not updating because it didn't like the encrypted volume being there, but that was a different thing.

That ancient machine is now using Linux (and is actually running better than ever, fit as a fiddle) *precisely* because of MS pulling stunts like this, otherwise I'd be cursing them yet again now. I'm still using VeraCrypt volumes on an external disk for backup since that allows secure access with both OSes. Assuming MS doesn't screw that up on our windows laptops as well...

@gsuberland @azonenberg @manawyrm @jik @zackwhittaker certificate expiry won't be enforced, however if outright revocation of binaries happen, that will be

@gsuberland @azonenberg @jik @manawyrm @zackwhittaker (talking about at executable load time here)

@Rairii @manawyrm @jik @azonenberg @zackwhittaker yup exactly the way I thought it worked