Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
Windows: The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
RE[6]: Stop whining!
by Icaria on Sun 25th Sep 2011 09:04 UTC in reply to "RE[5]: Stop whining!"
Icaria Member since:
2010-06-19

Look, you seem to be under at least a couple of misapprehensions.

- The firmware will only boot code that has been signed using the right keys.
- The private signing keys have (theoretically) not been compromised.
- Unless the malware has those keys, there is simply no way for the malware to write anything to the boot sector that UEFI will boot.
- The malware also cannot write over UEFI, itself (theoretically).

There is merit to the security argument. Of course, to even get to the security argument, you have to grant that Windows is going to be compromised and that a substantial amount of malware is going to target the boot sector.

Also, you're contradicting yourself: either the tech is sufficient to create a walled garden (ie. it's secure), or it's not. If it's not secure, then people can get past the signing mechanisms in exactly the same way that you propose that malware could.

Edited 2011-09-25 09:07 UTC

Score: 3

RE[7]: Stop whining!
by gilboa on Mon 26th Sep 2011 06:41 in reply to "RE[6]: Stop whining!"
gilboa Member since:
2005-07-06

Also, you're contradicting yourself: either the tech is sufficient to create a walled garden (ie. it's secure), or it's not. If it's not secure, then people can get past the signing mechanisms in exactly the same way that you propose that malware could.


OK.
For the 15th time, I am not claiming that it's impossible to secure the boot environment - I am saying that securing the boot environment has zero, 0, NULL effect on the security of the system as it cannot prevent an *OS* or *USER* level vulnerability (or plain stupidity) from compromising the OS and/or the user file.
How could I possibly make my point clearer?

- Gilboa

Score: 3

RE[8]: Stop whining!
by Icaria on Mon 26th Sep 2011 08:04 in reply to "RE[7]: Stop whining!"
Icaria Member since:
2010-06-19

OK.
For the 15th time, I am not claiming that it's impossible to secure the boot environment - I am saying that securing the boot environment has zero, 0, NULL effect on the security of the system as it cannot prevent an *OS* or *USER* level vulnerability (or plain stupidity) from compromising the OS and/or the user file.

You started out saying:
OK, you do realize that once the OS is compromised, nothing stops the malware from deactivating the signature check mechanism and installing a key logger as a signed update or even throw in a modified kernel image while they are at it, right?
Which is what I addressed.

How could I possibly make my point clearer?
Perhaps by not changing your 'point' once it proves fallacious? I've been perfectly civil and patient with you throughout this exchange, so I feel justified when I say don't be a douchebag.

Score: 2