Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
Windows After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
Thread beginning with comment 490314
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Comment from a dumb user
by Alfman on Thu 22nd Sep 2011 06:05 UTC in reply to "Comment from a dumb user"
Alfman
Member since:
2011-01-28

"They have locked bootloaders that don't permit any firmware not signed by Motorola to be installed. Is this approximately what Microsoft is looking to do now?"

Microsoft already does this with win vista/7 kernels. The owner is not free to install independent drivers without buying a one or two year signing key. It seems to be a deliberate attack against OSS in the windows kernel. Just after I was beginning to learn how to write kernel drivers, microsoft banned us from installing our own drivers on our own computers. They've hard-coded private keys.

"Looks like this 'walled garden' concept has nothing to OS security, but rather with vendor security."

Technically, it has alot more to do with bootloader security than OS security, windows will have the same flaws as before.

It prevents unauthorized bootloaders from running. However in the context of a real attack, the installation of a malicious bootloader that secure boot would help protect against suggests that the system has already been compromised elsewhere. So secure boot would be of limited security value here.

They actually tried something similar before with TCM/Palladium, which may provide insight into what they are trying to accomplish... DRM.

As much as MS might want to block out linux, I cannot imagine any scenario where microsoft would not face serious legal repercussions if they tried. So, if I may speculate, this is about extending the kernel driver enforcement all the way back to the bootloader so that kernel jailbreaking software like this cannot work:

http://www.softpedia.com/get/Tweak/Video-Tweak/Driver-Signature-Enf...

Reply Parent Score: 3

UglyKidBill Member since:
2005-07-27

>>>"They have locked bootloaders that don't permit any firmware not signed by Motorola to be installed. Is this approximately what Microsoft is looking to do now?"

Microsoft already does this with win vista/7 kernels. The owner is not free to install independent drivers without buying a one or two year signing key. It seems to be a deliberate attack against OSS in the windows kernel. Just after I was beginning to learn how to write kernel drivers, microsoft banned us from installing our own drivers on our own computers. They've hard-coded private keys.

"Looks like this 'walled garden' concept has nothing to OS security, but rather with vendor security."

Technically, it has alot more to do with bootloader security than OS security, windows will have the same flaws as before.

It prevents unauthorized bootloaders from running. [...]
So, if I may speculate, this is about extending the kernel driver enforcement all the way back to the bootloader so that kernel jailbreaking software like this cannot work:

http://www.softpedia.com/get/Tweak/Video-Tweak/Driver-Signature-Enf...


Maybe it will break those loaders used to bypass windows activation schemes? That alone would be of great benefit for microsoft, specially in the bottom server side of the market...

Reply Parent Score: 1

Soulbender Member since:
2005-08-18

The owner is not free to install independent drivers without buying a one or two year signing key


Wait...WHAT? Are you saying that I, the owner of the OS copy and the owner of the physical hardware, can not install whatever drivers I want? On my own hardware? For real? What in the holy hell? Oceania and The Party has nothing on Microsoft....

Reply Parent Score: 2

Alfman Member since:
2011-01-28

Soulbender,

"Wait...WHAT? Are you saying that I, the owner of the OS copy and the owner of the physical hardware, can not install whatever drivers I want? On my own hardware? For real? What in the holy hell? Oceania and The Party has nothing on Microsoft...."

Yep.

http://www.ditii.com/2007/02/10/disabling-mandatory-kernel-mode-and...

I provided this next link earlier, which automatically switches the vista/7 kernels to a test mode that does not enforce software signatures. However this mode forcefully disables all access to DRM restricted APIs/hardware.

http://www.softpedia.com/get/Tweak/Video-Tweak/Driver-Signature-Enf...

There have been other ways to jailbreak the windows vista/7 kernels over the years, some involving privilege escalation, leaked keys, bootloader modifications. None of these were long term solutions, because microsoft continually disabled them (and our drivers cease to load).

Some open source supporters even purchased their own driver signing keys and created a tool that allows OSS users to load drivers as they please, their key was promptly blacklisted by microsoft, despite the fact that the tool was not malware and worked exactly as advertised.

http://www.zdnet.com/blog/security/vista-kernel-tampering-tool-rele...

Reply Parent Score: 3