Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
Windows The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
Permalink for comment 490738
To read all comments associated with this story, please click here.
nonoitall
Member since:
2011-09-22

Incorrect signature has to be embed in the loader so the only way you can have UEFI try multi signatures is install multi copies of the loader yes waste of space.

I was referring to space taken up on the installation medium. ;-)

What world have you been on. McAfee and and other anti-virus vendors have been trying to solve this exact problem. The number of worms/bots that exploit at boot loader level to render anti-virus software and other malware scanning software worthless is increasing.

I'm sure it is, though I think the pace has been exaggerated. In addition, any malware with that gains sufficient access to [attempt to] modify the boot loader basically owns your computer anyway.

Most of the boot loader level infections are going unnoticed by everyone other than honey pot runners and banks where they have customers being repeated breached so leading to the discovery of the boot loader level breach in their system. Even that they have current anti-virus software run malware bytes and every other detection method. Reason some are even deeper than bootloader. Some are bios. Because the bios was not protected by a signing key in lots of motherboards either.

If a bank server's security is lax enough to allow attackers to overwrite its boot loader, this technology is not going to save them. They need to fire their security administrator and hire a competent/trustworthy one.

You need to read the the full extent of the protection. Boot loader validates everything else above it. Mandatory secure boot would not be a major annoyance as long as you can add the keys for your recovery LiveCD so yes just a minor annoyance.

There's that big "if" again. :-D

Problem is the low number of current generation worms out there are using the boot loader to disable the anti-virus and any other malware scanning from being able to find their existence in the machine.

But we know with all virus tech this will increase in numbers. So as the numbers grow your anti-virus software will just become more and more a joke unless something like secure boot is done.

Yes anti-virus software needs attackers prevented from being able to get between it and the real hardware.

Like I said, if the malware can already attempt to overwrite the boot loader (only to be stopped by secure boot), then you're already screwed. There are any number of other places the malware could impregnate itself with that level of access.

Secure boot is not an effective defense against malware. It's like sealing the king inside his throne room in order to protect the whole kingdom from attack.

I do run honey pots I have seen the most nasty of current generation worms/bots.

That being the case, don't you think you might have a warped view of a typical malware infection?

Reply Parent Score: 1