Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
RE[4]: Comment by ronaldst
by lemur2 on Thu 22nd Sep 2011 05:53 UTC in reply to "RE[3]: Comment by ronaldst"

Brenden, "Whether or not it's anti-user depends on who has the keys." Precisely. Some people here are assuming that the keys must be hard coded into the BIOS such that only operating systems approved by the vendors can be run. I really don't know if that is the intention of UEFI secure boot or not...if it is, well users are screwed. Not only won't we have control, but now the security of our own computers becomes dependent upon third parties who control the master keys. Ideally this feature should be designed to work for users rather than against us. All keys could be manageable through the BIOS on power-up, and then remain locked after boot so they cannot be tampered with later on. Then we could use our own individual/corporate key to sign the keys of whichever OS vendors we want to trust on our computers or LANs. Of course, for normal users, this would all be set up at the factory...but at least the control over which operating systems are allowed to run lies with us as users rather than the manufacturer or Microsoft. Also there is another risk, that even if users can manage their own keys, a powerful vendor might coerce users to delete keys of its competitors in order to load itself. Therefore I'd hope that this feature is designed in such a way that the list of approved keys can be kept secret from discriminatory operating systems.

According to Red Hat's Matthew Garrett, the keys are stored as part of the system firmware.

"if we self-sign, it's still necessary to get our keys included by every OEM."

This says that users don't have the ability to say what OSes they wish to boot, but rather the OEMs determine which vendor's OS the hardware can boot by including the OS vendor's key in the system firmware.

If OEMs' historical record of lack of support for Linux via ACPI is any indication, this isn't going to happen. Linux simply won't be bootable by any hardware with UEFI Secure boot enabled.

Edited 2011-09-22 05:59 UTC

Score: 3