Linked by Thom Holwerda on Mon 31st Oct 2011 12:25 UTC
Linux "Red Hat, Canonical and the Linux Foundation have laid out a set of recommendations for hardware vendors in hopes of preserving the ability to install Linux on Windows 8 machines. Windows 8 machines should ship in a setup mode giving users more control right off the bat, the groups argue." Group hug-cheer combo for Red Hat, Canonical, and the Linux Foundation please.
We'll just hack it
by Alfman on Mon 31st Oct 2011 15:15 UTC

The spec doesn't require manufacturers to provide owners with a means to control the keys. What this amounts to is a plea to vendors to give owners control out of the goodness of their hearts. That said, it's an excellent read and everyone here should read it.


I just wanted to address a few points with the "We'll just hack it" philosophy, since it's come up surprisingly frequently in previous threads.

First of all, "secure boot" is likely to be far more difficult for an owner to break into than a typical OS because there are fewer attack vectors. Whereas I might be able to run a rooting app to escalate privileges in the OS to bypass its security, end users generally can't run arbitrary code within the BIOS to launch a privilege escalation attack. Unless manufacturers leave a (public or private) security back door in their implementation, the secure boot spec requires that the owner has access to the previous key in order to set a new key.

Secure boot won't be universally broken. Any exploits would have to be implementation specific. Unlike, say, an iPhone, any unlocking solutions will be fragmented and dependent on a matrix of factors.

If we do find that there is a software exploit which allows owners to root their own motherboards without using designed security channels, then secure boot becomes totally worthless against the malware it is supposed to keep out. (Although I still suspect that the design was to keep the owners out).

The community is still waiting for answers from Microsoft as to how Windows will run without secure boot enabled, which would alleviate and/or confirm many of our suspicions.

Reply Score: 7