Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
Windows The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
Thread beginning with comment 490724
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Bootloader anyone ?
by Alfman on Sun 25th Sep 2011 18:01 UTC in reply to "Bootloader anyone ?"
Alfman
Member since:
2011-01-28

benayed,

"Grub or LILO bases boot loaders would allow regular non signed kernels to boot. This is after getting the keys through reverse engineering and all more or less in a similar fashion like the DVD scene played out through DeCSS."


This is a misunderstanding of the public key cryptography involved. Reverse engineering may reveal bugs in the bios which might be exploited, however all the keys present in the firmware are public knowledge. Even if the firmware is completely open source, it would not help break the private keys.

DVDs on the other hand are not cryptographically sound because the encryption keys used must be accessible on the end user device (otherwise the DVD would not play).


"2) legally through the anti-trust process."

Maybe someone with a legal background can provide some legal insight?


"On my side, personally, I would refrain from purchasing any PC motherboard or laptop that does not allow disabling this feature."

Same here, but we'd be such a minority that the large OEMs may not take notice. The key is to get the major media to pick it up.

Reply Parent Score: 3

RE[2]: Bootloader anyone ?
by matthewp131 on Sun 25th Sep 2011 18:58 in reply to "RE: Bootloader anyone ?"
matthewp131 Member since:
2011-09-21

uhh, anyone here know a reporter with significant clout, we gotta get the word out hard and fast

Reply Parent Score: 1

RE[2]: Bootloader anyone ?
by lemur2 on Sun 25th Sep 2011 23:51 in reply to "RE: Bootloader anyone ?"
lemur2 Member since:
2007-02-17

DVDs on the other hand are not cryptographically sound because the encryption keys used must be accessible on the end user device (otherwise the DVD would not play).


Correct. Linux, for example, does not use DeCSS software to play DVDs, it uses libdvdcss.

DeCSS used a "stolen" player key, it was stolen from the Xing software player I believe. This strategy is arguably illegal.

libdvdcss does not use a stolen player key, but rather it reads information from the DVD it is attempting to play, and from that data it calculates a list of possible keys. All of the possible keys are tried until one which works for that DVD is found.

The situation with UEFI secure boot is that the keys will be stored in secure storage on the motherboard, and they will not be accessible to the boot loader.

In order to boot the boot loader must in effect know one of the signing keys, because no method similar to that used by libdvdcss will be possible. Any work-around will have to be similar to DeCSS, which is to say it must use "stolen" keys. This will probably be in violation of the DMCA, and therefore illegal.

Reply Parent Score: 2

RE[3]: Bootloader anyone ?
by Alfman on Mon 26th Sep 2011 03:22 in reply to "RE[2]: Bootloader anyone ?"
Alfman Member since:
2011-01-28

lemur2,


"The situation with UEFI secure boot is that the keys will be stored in secure storage on the motherboard, and they will not be accessible to the boot loader."

One slight clarification here. Only the *public key* will be on the motherboard, the private key will be with MS/OEM and cannot be leaked/cracked by analyzing the motherboard.


"In order to boot the boot loader must in effect know one of the signing keys, because no method similar to that used by libdvdcss will be possible."

I don't think the DVD analogy fits very well, though I know you were just continuing with benayed's example.

Edited 2011-09-26 03:40 UTC

Reply Parent Score: 2