Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil

Permalink for comment 490323
Member since:
2011-01-28
WorknMan,
"From my point of view, it's a good safety measure on PCs, since 99% of people would never try to boot another OS anyway."
Can you explain why you think it's a good safety measure? Unless I've missed something, there would only be two ways to boot a malicious bootloader/OS:
1. The system is already compromised and rooted such that the attacker was able to overwrite the bootloader/OS. In this case, chances are very high that the attacker can do whatever he pleases already with or without secure boot.
2. The user boots from external bootable media like a CD/thumb drive.
If secure boot is going to prevent 99% of bootable media from booting anyways (seeing as most of us won't be able to get them signed), then I question the need for disabling external booting via secure boot instead of simply disabling external booting outright by default?
"Just give people an option to unlock if they want, and make it so that you need physical access to the PC, and make it just hard enough to find so nobody could/would do it on accident."
I agree that the ability to disable secure boot would be one option. Better yet would be to allow owners to control the keys on their own systems such that they could actually use secure boot with alternative operating systems. There is no reason for this feature to be hard-coded for use by Microsoft/manufacturers (other than to shift control to them).
Edited 2011-09-22 07:31 UTC