Windows 8's use of the UEFI Secure Boot

Tue Sep 27 10:25:47 UTC 2011

On 09/27/2011 04:41 PM, Colin Watson wrote:

>> "That would be far too easy a workaround ..."
>> By this, do you mean that it would be easy to workaround such that
>> grub2 can still boot Windows 8?
>>
>> OR
>> That it will be easy for Microsoft to workaround the UEFI
>> 'architecture' such that it is impossible for grub2 to boot Windows
>> 8 if Microsoft choose to do so?
>
> I mean that Microsoft consider it to be part of their security
> architecture that it will only be possible to boot Windows 8 using a
> bootloader signed with a key trusted by the UEFI firmware, at least once
> one is using firmware with the "secure boot" capability.  It would be
> far too easy a workaround if one could avoid that simply by using an
> unsigned boot loader.
>
> Of course, if the firmware doesn't require a signature, that's a
> different matter.  But you won't be able to work around firmware
> requirements using an unsigned boot loader.
>
> (Do not take from this that I agree with this position; I'm just telling
> you how I understand it's likely to be.)

Okay, understood. Thanks. Good to hear this from you.

>
>>>> If another article claims that the security feature is a UEFI
>>>> feature and not Microsoft related, note that grub2 is CA-certified
>>>> and this implies grub2 can boot Windows 8. (grub-legacy is not
>>>> CA-certified)
>>
>> Perhaps this would explain better...
>> http://www.winrumors.com/microsoft-clears-up-linux-confusion-over-windows-8-secure-boot-feature/
>>
>> but granted, it may be interpreted that Microsoft uses
>> CA-certification to block other boot-loaders booting it.
>
> Nothing in that article supports the position that GRUB 2 is
> CA-certified.  I can tell you with considerable confidence that it is
> not at this time, and that it is not at all clear what we would need to
> do in order to do so -

I stand corrected. Appreciate the correction.

  would GRUB have to be modified to only boot
> signed kernels if we were to avoid our key being immediately revoked?
> That wouldn't be pretty.

Right, we'll be acting like Microsoft then, we are not that evil.  :)

>
> (Anyway, Matthew Garrett has responded to Microsoft's response ...)
>
>> Still, it is inconceivable that Microsoft would want to 'lock
>> itself' out of the substantive and lucrative upgrade market.
>
> It may well be that it behaves differently on prior firmware versions,
> but as Matthew Garrett has pointed out, any new system that wants to get
> Windows 8 certification must ship with "secure boot" enabled and is not
> required to provide an option to disable it.
>

I somehow like to see them try...
and watch the fireworks fly...
we here don't need windows to get by...
no need to push others to say goodbye...
(hey, it rhymes)

Good of you Colin, to drop by here once in a while
And have a virtual beer, coffee or water with us.

Take care - Goh Lip

-- 
Life is a sexually transmitted disease with a 100% mortality rate.