Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
Thread beginning with comment 490294
Possibly very good
by TheChucklesStart on Thu 22nd Sep 2011 01:58 UTC
TheChucklesStart Member since:
2009-04-17

If this stays as an option in the BIOS that we can turn off, or if the Linux community get their own software signed in a practical manner, then there is a very, very good side to this.

This good side is SECURITY. If the operating system cannot be modified, then you can't get a root kit, which means that the operating system can, in theory, still stop malware. In the days of large corporations seemingly being hacked into every few weeks... this type of security is bound to become commonplace for both Windows and Linux machines, even well controlled servers.

I imagine it will take a while for the kinks to be worked out (they are still working on that with phones), but in the end, I imagine IT support will NEED to have the option to turn off any secure boot options to fix computers efficiently.

Reply Score: 1

RE: Possibly very good
by lemur2 on Thu 22nd Sep 2011 02:07 in reply to "Possibly very good"
lemur2 Member since:
2007-02-17

If this stays as an option in the BIOS that we can turn off, or if the Linux community get their own software signed in a practical manner, then there is a very, very good side to this.


It is not a problem of the Linux community; it is a problem that whoever makes the UEFI hardware won't give out signing keys to anybody and everybody. They will put only a certain number of keys in the UEFI ROMs, and the only OSes which will boot will be those signed with a matching key.

If they then give signing keys out to everybody who wants to compile a new kernel, then root-kit authors could sign their root kits, and we are back to square one. They may as well not have the whole secure boot thing in the first place. It only makes sense if the signing keys are kept as secrets.

Edited 2011-09-22 02:09 UTC

Reply Parent Score: 4

RE[2]: Possibly very good
by TheChucklesStart on Thu 22nd Sep 2011 03:35 in reply to "RE: Possibly very good"
TheChucklesStart Member since:
2009-04-17

Or the UEFI industry could move to using a Certificate Authority like most current code signing systems do.

They could also allow you to load certificates from a USB drive for self-signed code, making it harder for a malware author to put their certificate in the UEFI but making it fairly painless for a user to handle.

Reply Parent Score: 1

RE[2]: Possibly very good
by mabhatter on Fri 23rd Sep 2011 01:52 in reply to "RE: Possibly very good"
mabhatter Member since:
2005-07-17

They could always add an option to generate your OWN key or passphrase for signing Open Source software right in the BIOS. It wouldn't really affect Microsoft because it could be a different format or something and you'd have to generate it so it wouldn't be one of their keys. Then they could have an open source program to sign the stuff to run on it.

It'd be trivial to implement; that is what the Open Source people should be going for.

Reply Parent Score: 2
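
An added example, not part of any comment in this thread: a small model of the key store the replies above argue about, in which the firmware holds only public keys, the vendor's private key is never handed out, and the machine's owner enrolls a second key from the setup screen. The `Firmware` class, its `physical_presence` flag and the image names are hypothetical, and Lamport one-time signatures from the Python standard library stand in for the certificate-based signatures real firmware uses.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def digest_bits(image):
    d = H(image)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():  # Lamport one-time key pair: sign only ONE image per key
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, [(H(a), H(b)) for a, b in priv]

def sign(priv, image):
    return [priv[i][bit] for i, bit in enumerate(digest_bits(image))]

def verify(pub, image, sig):
    return len(sig) == 256 and all(
        H(s) == pub[i][bit] for i, (bit, s) in enumerate(zip(digest_bits(image), sig)))

class Firmware:  # hypothetical model of a key store, not a real UEFI interface
    def __init__(self, vendor_pub):
        self.trusted = {"vendor": vendor_pub}  # public keys only, no secrets

    def enroll(self, name, pub, physical_presence):
        # Assumption: keys can be added only from the setup screen (e.g. a USB load),
        # so software running inside the OS cannot add its own key.
        if not physical_presence:
            raise PermissionError("key enrollment requires the setup screen")
        self.trusted[name] = pub

    def boot(self, image, sig):
        # Return the name of the enrolled key that vouches for the image, else None.
        for name, pub in self.trusted.items():
            if verify(pub, image, sig):
                return name
        return None

def demo():  # all keys and images below are constructed sample data
    (vendor_priv, vendor_pub), (owner_priv, owner_pub), (rogue_priv, _) = keygen(), keygen(), keygen()
    fw = Firmware(vendor_pub)
    os_img, kernel, rootkit = b"vendor OS loader", b"self-built kernel", b"rootkit loader"
    os_sig, kernel_sig = sign(vendor_priv, os_img), sign(owner_priv, kernel)
    out = {"vendor_os": fw.boot(os_img, os_sig),
           "tampered_os": fw.boot(os_img + b"!", os_sig),
           "kernel_before_enroll": fw.boot(kernel, kernel_sig)}
    fw.enroll("owner", owner_pub, physical_presence=True)
    out["kernel_after_enroll"] = fw.boot(kernel, kernel_sig)
    out["rootkit"] = fw.boot(rootkit, sign(rogue_priv, rootkit))
    return out
```
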

RE: Possibly very good
by Neolander on Thu 22nd Sep 2011 07:24 in reply to "Possibly very good"
Neolander Member since:
2010-03-08

Except the OS can be modified, at least in its current form. If you can install an antivirus which checks and alters every file you open, you can install a rootkit.

Reply Parent Score: 2

RE: Possibly very good
by Lennie on Thu 22nd Sep 2011 09:15 in reply to "Possibly very good"
Lennie Member since:
2007-09-22

Yes, everyone is convinced about the advantages.

It has actually been possible for years already on many CPUs.

TPM is just a requirement now.

But the downsides could also be great if people are not allowed to control their own computers anymore.

If I'm able to load my own key in the BIOS... euh.. UEFI firmware then that is fine.

But who will guarantee that the same thing is true in 5 or 10 years?

Reply Parent Score: 3

RE: Possibly very good
by judgen on Thu 22nd Sep 2011 18:19 in reply to "Possibly very good"
judgen Member since:
2006-07-12

Of course the OS can be modified. How else would you be able to do a Windows update or install a service pack that fixes kernel problems and exploits? It is just a matter of time before that security layer is broken and Windows clients are as infected as they ever were before. The only side to this that makes sense for me is the argument of locking other OSes out and securing the Microsoft monopoly for a while longer.

Once it is backwards engineered (as that is legal in all countries) though it is fair game for all, and considering the number of hackers on x86 compared to code-monkeys that hack on consoles, I would bet a legal backwards engineering effort would be set up fast and succeed in a rather short time.

In other words, I do not worry too much.

Reply Parent Score: 2