When boot security goes wrong: the story of the IGNOREME GPT
Main Track,
This talk is going to tell the tale of a critical security vulnerability that was found a year after launch on the RK3288 ("veyron") family of Chromebooks and allowed bypassing the entire secure boot stack. It will explain the technical details of this vulnerability, why it was overlooked in the first place, the tricky process to mitigate it, and finally give a real answer to this guy's stack overflow question: https://superuser.com/questions/1399681/what-is-the-gpt-header-signature-for
This talk is going to tell the tale of a critical security vulnerability that was found a year after launch on the RK3288 ("veyron") family of Chromebooks and allowed bypassing the entire secure boot stack. It will explain the technical details of this vulnerability, why it was overlooked in the first place, the tricky process to mitigate it, and finally give a real answer to this guy's stack overflow question: https://superuser.com/questions/1399681/what-is-the-gpt-header-signature-for
This is not really supposed to be an educational talk that teaches new concepts or presents new work. It's more of a "story time" talk that provides a cautionary tale about how even the slightest misunderstandings about hardware behavior and insufficient testing for new changes late in the product development cycle can have catastrophic effects on security guarantees. I hope attendees just might find it interesting to hear examples of how even at companies like Google we can make really bad mistakes from time to time and then have to scramble to deal with them with millions of users on the line.