UEFI secure boot

Rashkae ubuntu at tigershaunt.com
Mon Sep 26 23:14:36 UTC 2011


On 09/26/2011 06:53 PM, compdoc wrote:
> http://www.theregister.co.uk/2011/09/23/ms_denies_uefi_lock_in/
>

Am I the only one who thinks this is actually a good idea from MS?

A few items to note:

1. Secure boot should be optional.  There is some concern that an OEM 
might choose to remove the option.  I don't really see that happening 
unless the device in question is supposed to be a locked device in the 
first place (like smartphones).  If PC makers wanted to lock PCs, they 
could have done so long before now.

2. Boot sector viruses, which I haven't seen in over 12 years, are now 
making a comeback.  I guess with all the security consciousness lately, 
Visual Basic scripts aren't the path of least resistance anymore, so 
back to the classics.

3.  Secure boot is not going to be required for Windows to boot.  
Rather, it will be required for the Windows 8 sticker on the box.  
Effectively, that means all OEMs will include the secure boot option.

4.  What I would like to see is OEMs making BIOSes that can sign their 
own boot sectors.  I can see no reason why this wouldn't be 
implemented.  Basically, if a boot sector/MBR gets changed in a system 
with Secure boot enabled, the modified code will not boot until someone 
with the BIOS password goes in and specifically tells the BIOS to sign 
the code.  The flaw with this idea, I suppose, is that it might be possible 
for an attacker to read the private key from the BIOS, and sign itself when 
installing.  But if this were implemented, not only would final control 
of the system be in the owner's hands, as it should be, but secure boot 
could then protect *all* operating systems from unauthorized modification.
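
The owner-approval flow described in item 4, as an added example that is not part of the original post and not any vendor's firmware code. It models the firmware in Python and uses an HMAC with a firmware-held secret in place of a public-key signature; `FirmwareModel`, `make_sector`, `demo` and the sample sectors are hypothetical and constructed for illustration. The scheme only holds if the key is stored where the running OS cannot read it, which is the flaw the post raises.

```python
import hashlib, hmac, os

SECTOR_SIZE = 512  # classic MBR boot sector

class FirmwareModel:
    """Hypothetical firmware: holds a secret key and an owner password hash."""

    def __init__(self, owner_password: str):
        self._salt = os.urandom(16)
        self._pw_hash = self._kdf(owner_password)
        self._key = os.urandom(32)   # assumption: stored where the OS cannot read it
        self._approved_tag = None    # tag over the currently approved boot sector

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _tag(self, sector: bytes) -> bytes:
        if len(sector) != SECTOR_SIZE:
            raise ValueError("boot sector must be exactly 512 bytes")
        return hmac.new(self._key, sector, hashlib.sha256).digest()

    def approve(self, sector: bytes, password: str) -> bool:
        """Owner explicitly tells the firmware to accept this boot sector."""
        if not hmac.compare_digest(self._kdf(password), self._pw_hash):
            return False
        self._approved_tag = self._tag(sector)
        return True

    def boot(self, sector: bytes) -> bool:
        """Refuse to run a boot sector that differs from the approved one."""
        if self._approved_tag is None:
            return False
        return hmac.compare_digest(self._tag(sector), self._approved_tag)

def make_sector(code: bytes) -> bytes:
    """Constructed sample: pad code to 510 bytes and append the 0x55AA signature."""
    return code.ljust(SECTOR_SIZE - 2, b"\x00") + b"\x55\xaa"

def demo() -> list:
    fw = FirmwareModel("owner-pass")
    original = make_sector(b"original loader")
    modified = make_sector(b"modified loader")
    results = [fw.approve(original, "owner-pass"), fw.boot(original)]
    results.append(fw.boot(modified))              # changed sector: refused
    results.append(fw.approve(modified, "guess"))  # wrong password: not approved
    results.append(fw.boot(modified))              # still refused
    results.append(fw.approve(modified, "owner-pass"))
    results.append(fw.boot(modified))              # owner approved: boots
    return results
```
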




More information about the ubuntu-users mailing list