Can we please get firmware to disable Secure Boot on DeepLens?

3

This is unfortunately directed mostly at AWS employees as none of the rest of us can do anything about it.

My issue is that the DeepLens device is so locked down that it's impossible to run anything other than a release of a distro from 6 years ago. I've dug into this at length and discovered the following:

  • It's possible to enter the firmware, but there's no way to disable Secure Boot (at least on my v1.0).
  • The EFI executable signed by AWS and booted by the firmware is actually a unified kernel image; it has the Linux kernel, initrd, and command line all built into it. This means no possibility of altering the arguments used to boot the kernel.
  • You also can't use kexec to warm-boot another kernel as a chain-load workaround. Again, Secure Boot.
  • It's not possible to use the various /sys/firmware/efi drivers to register new Secure Boot keys. I have nothing against Secure Boot, but generally it's implemented to allow end-users to set up their own keys or disable it entirely. The DeepLens obviously isn't a Windows-certified device, but it's interesting to note that, for all the hate Secure Boot received, the Windows certification process actually requires these features to be present.
  • As far as I can tell the kernel doesn't ever actually get updated by apt because the contents of /boot aren't actually booted. Doing so would require that AWS is distributing the signing key to devices to sign locally-built bundles. Linux 4.13.0 is from November 2018...

In short, it's kind of disingenuous to claim that

"To protect the AWS DeepLens device from malicious attacks, it is configured to boot securely."

I guess technically it boots only the intended kernel, but that kernel is open to any exploits found since its release.

To that end, can we please get unlocked firmware? I don't care about warranty; I want to be able to use the device that I supposedly own in the way I see fit. It seems that AWS isn't interested in keeping the device current, so please allow us to take that on ourselves.

asked 3 years ago
642 views
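
The unified kernel image described in the question above, as an added example that is not part of the original post and is not AWS's code: a minimal PE section-table reader showing that kernel, initrd and command line are sections of one signed EFI binary. The section names follow the systemd-stub convention (`.linux`, `.initrd`, `.cmdline`), which is an assumption about the DeepLens image, and the sample image is constructed.

```python
import struct

# Section names from the systemd-stub UKI convention. Assumption: the page
# does not say which names the DeepLens image actually uses.
UKI_SECTIONS = {".linux": "kernel", ".initrd": "initrd", ".cmdline": "cmdline"}

def pe_sections(data: bytes):
    """Return [(name, raw_offset, raw_size)] from a PE/COFF section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(n_sections):
        entry = table + 40 * i              # each section header is 40 bytes
        if entry + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        sections.append((name, raw_off, raw_size))
    return sections

def uki_components(data: bytes):
    """Map component name -> embedded bytes for the UKI sections present."""
    found = {}
    for name, off, size in pe_sections(data):
        if name in UKI_SECTIONS:
            if off + size > len(data):
                raise ValueError(f"section {name} extends past end of file")
            blob = data[off:off + size]
            # Raw section data is padded to file alignment; trim only the text section.
            found[UKI_SECTIONS[name]] = blob.rstrip(b"\0") if name == ".cmdline" else blob
    return found

def build_sample():
    """Constructed, minimal PE with three UKI-style sections (not a real image)."""
    payloads = [(b".linux", b"KERNEL"), (b".initrd", b"INITRD"), (b".cmdline", b"root=/dev/sda1 ro")]
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, 0, 0)
    data_off = len(header) + len(coff) + 40 * len(payloads)
    table = body = b""
    for name, blob in payloads:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(blob), 0, len(blob), data_off + len(body), 0, 0, 0, 0, 0)
        body += blob
    return header + coff + table + body
```

Because all three sections are covered by the one signature the firmware verifies, editing the embedded command line changes the signed image, which is why the boot arguments cannot be altered while Secure Boot is enforced.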
2 Answers
0

Did you ever find an exploit to gain access without AWS's help?

answered 7 months ago
-1

Hi,

I hope that you are doing well. I reached out to the DeepLens service team regarding your query and I have been informed that secure boot is a requirement by AWS security and cannot be disabled for these hardware devices. Therefore, I regret to inform you that the request here is not possible.

I hope this information helps. Please let us know if you may have any other queries.

AWS
SUPPORT ENGINEER
Ryan_A
answered 3 years ago
  • Since it has been 2 years and DeepLens is now being sunset, is it possible to revisit this?

  • Agree with James. Would like to upgrade the OS now that DeepLens is retired by Amazon.
