UEFI secure boot
Rashkae
ubuntu at tigershaunt.com
Mon Sep 26 23:14:36 UTC 2011
On 09/26/2011 06:53 PM, compdoc wrote:
> http://www.theregister.co.uk/2011/09/23/ms_denies_uefi_lock_in/
>
Am I the only one who thinks this is actually a good idea from MS?
A few items to note:
1. Secure boot should be optional. There is some concern that an OEM
might choose to remove the option. I don't really see that happening
unless the device in question is supposed to be locked device in the
first place (like smartphones). If PC makers wanted to lock pc's they
could have done long before now.
2. Boot sector viruses, which I haven't seen in over 12 years, are now
making a comback. I guess with all the security conciousness lately,
Visual basic scripts aren't the path of least resistance anymore, so
back to classics.
3. Secure boot is not going to be required for Windows to boot.
Rather, it will be required for the Windows 8 sticker on the box.
Effectively, that means all OEM's will include the secure boot option.
4. What I would like to see is OEM's making BIOS that can sign their
own boot sectors. I can see no reason why this wouldn't be
implemented. Basically, if a Boot sector/MBR gets changed in a system
with Secure boot enabled, the modified code will not boot until someone
with the BIOS password goes in and specifically tells the bios to sign
code. The flaw with this idea, I suppose, it might be possible for an
attacker to read the private key from the BIOS, and sign itself when
installing. But if this were implemented, not only would final control
of the system be in the owner's hands, as it should be, but secure boot
could then protect *all* operating systems from unauthorized modification.
More information about the ubuntu-users
mailing list