Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
question about uefi
by justSomeGuy on Sun 25th Sep 2011 04:08 UTC

I've done a little searching but haven't found this.

One of the pictures from the article implies some sort of key revocation scheme.

Anyone know if this is supposed to be over the internet, a la AACS, or if it is done at the time of manufacture, and is then unchangeable?


Reply Score: 1

RE: question about uefi
by oiaohm on Sun 25th Sep 2011 04:31 in reply to "question about uefi"

Depends on your OEM still providing updates, justSomeGuy.

It's the number 1 step to load the bootloader; later on in the process there are some internet links.

The Platform Key is the OEM hardware maker's, and it protects the KEK, which contains the OS bootloader and other needed firmware parts that are approved.

The key issue here is that the power of updating the KEK goes into the hands of the hardware maker.

So yes, they can bust things. Allowed entries in the KEK contain approved signing keys for bootloaders.

So yes, Microsoft needs to update their signing key, and the hardware maker decides to update only on today's hardware. People get a service pack update that changes the boot loader, and their computer dies because UEFI will no longer load the Windows loader.

This is a god darn land mine. The customer needs to have the means to insert and remove allowed keys and see the allowed keys.

Changeable as long as the hardware maker is supporting the hardware you have. That's the reason why I said 5 years, then screwed.

The other issue is the blacklist. Disallowed malware hashes: those should be inspectable as well.

Reply Parent Score: 2
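
The reply above asks for the allowed keys and the disallowed hashes to be inspectable. As an added example (not part of the thread), this Python code parses the `EFI_SIGNATURE_LIST` layout that the UEFI specification defines for its key and blacklist variables; the `build_list` helper, the owner GUID and the sample digests are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
HDR = 28  # SignatureType GUID (16) + three little-endian UINT32 size fields

def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs; return (type, owner, data) tuples."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HDR + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        kind = SIG_TYPES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # SignatureOwner GUID
            entries.append((kind, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def read_efivar(path):
    """Read a Linux efivarfs file, dropping its 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_list(type_guid, owner, items):
    """Build one EFI_SIGNATURE_LIST from equal-length items (sample input only)."""
    body = b"".join(owner.bytes_le + item for item in items)
    sizes = struct.pack("<III", HDR + len(body), 0, 16 + len(items[0]))
    return type_guid.bytes_le + sizes + body

if __name__ == "__main__":
    import hashlib
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed
    digests = [hashlib.sha256(s).digest() for s in (b"sample-1", b"sample-2")]
    blob = build_list(EFI_CERT_SHA256_GUID, owner, digests)  # constructed dbx-style data
    # On a real Linux system: blob = read_efivar(
    #     "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
    for kind, who, data in parse_signature_lists(blob):
        print(kind, who, data.hex())
```

The same parser applies to the `PK`, `KEK` and `db` variables, since they share this layout.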