Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
Windows After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
Permalink for comment 490346
To read all comments associated with this story, please click here.
RE[2]: Comment from a dumb user
by bert64 on Thu 22nd Sep 2011 10:45 UTC in reply to "RE: Comment from a dumb user"
bert64
Member since:
2007-04-23

This should not be something that is configured by the manufacturer or software vendor...
It should be up to the purchaser of the hardware, be it an end user or a corporation, to load their trusted keys into the firmware.

If the keys are provided by someone else then it does little to help corporate security, as an attacker could just boot their own copy of a signed OS.

Similarly, using CAs is not a good idea, look at the recent hacks against various CAs...

Corporations should maintain their own internal CA, and keep the private key secure, that way their workstations would only be able to load software signed by the corporate key. Remember any given corporation will decide what software it wants to run, and won't be happy having that dictated by a third party who holds the signing keys.

Changing the key should require the setting of a hardware jumper, and the execution of an EFI based key management tool signed by one of the currently trusted keys.

Yes this would provide a method to brick hardware if you lose the keys or load an invalid one, and since the devices are under user control there would always be a way round it even if that required hardware mods.

Reply Parent Score: 4