UEFI secure boot

Avi Greenbury lists at avi.co
Mon Sep 26 23:29:14 UTC 2011


Rashkae wrote:

> On 09/26/2011 06:53 PM, compdoc wrote:
> > http://www.theregister.co.uk/2011/09/23/ms_denies_uefi_lock_in/
> >
> 
> Am I the only one who thinks this is actually a good idea from MS?

I'd not seen it attributed to MS before, but no, it makes sense to me.
It'd be nice to avoid the trust issues that have befallen SSL on the
web, though I do see that extending the trust in the manufacturer to
make good hardware as far as entrusting them to certify only good
software is much more logical than deciding that arbitrary companies
capable of generating random numbers are to be trusted on no prior
grounds.

> If PC makers wanted to lock PCs they could have done long before now.

I don't think they do directly, but they want Windows cheap and I don't
really see why they'd necessarily not remove some toggle control in
order to carry on paying £5 for their Windows licenses.

> 4.  What I would like to see is OEMs making BIOS that can sign their
> own boot sectors.  I can see no reason why this wouldn't be
> implemented.  Basically, if a Boot sector/MBR gets changed in a
> system with Secure boot enabled, the modified code will not boot
> until someone with the BIOS password goes in and specifically tells
> the BIOS to sign code. The flaw with this idea, I suppose, it might be
> possible for an attacker to read the private key from the BIOS, and
> sign itself when installing.

The bigger flaw is that you're assuming the user is in a position to
make that judgement as to whether to allow the code to run, and in a
position where they actually care. Neither of these is generally true,
as we can see with attitudes towards current, conventional, malware.

-- 
Avi



