Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
Windows The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
Thread beginning with comment 490749
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[3]: Bootloader anyone ?
by Alfman on Mon 26th Sep 2011 03:22 UTC in reply to "RE[2]: Bootloader anyone ?"
Alfman
Member since:
2011-01-28

lemur2,


"The situation with UEFI secure boot is that the keys will be stored in secure storage on the motherboard, and they will not be accessible to the boot loader."

One slight clarification here. Only the *public key* will be on the motherboard, the private key will be with MS/OEM and cannot be leaked/cracked by analyzing the motherboard.


"In order to boot the boot loader must in effect know one of the signing keys, because no method similar to that used by libdvdcss will be possible."

I don't think the DVD analogy fits very well, though I know you were just continuing with benayed's example.

Edited 2011-09-26 03:40 UTC

Reply Parent Score: 2

RE[4]: Bootloader anyone ?
by lemur2 on Mon 26th Sep 2011 10:11 in reply to "RE[3]: Bootloader anyone ?"
lemur2 Member since:
2007-02-17

lemur2,


"The situation with UEFI secure boot is that the keys will be stored in secure storage on the motherboard, and they will not be accessible to the boot loader."

One slight clarification here. Only the *public key* will be on the motherboard, the private key will be with MS/OEM and cannot be leaked/cracked by analyzing the motherboard.


Correct. Public keys are public, everyone has a copy. Private keys are private, only one party has a copy, and it must be kept secret. Each public key has a corresponding private key, together they are known as a key pair.

In the case of UEFI secure boot, the boot loader software on disk will presumably be signed with a private key of an OS vendor. UEFI will only run the software if it has a matching public key in its ROM.

The reason why I said that "that the keys will be stored in secure storage on the motherboard", plural of keys, is that as far as I know UEFI Secure boot can handle multiple different keys. Only the various public keys will be held by UEFI, not the corresponding private keys. Each different private key will be held by, and kept secret by, each software vendor.

Reply Parent Score: 2

RE[5]: Bootloader anyone ?
by Alfman on Mon 26th Sep 2011 15:59 in reply to "RE[4]: Bootloader anyone ?"
Alfman Member since:
2011-01-28

lemur2,

"The reason why I said that 'that the keys will be stored in secure storage on the motherboard', plural of keys, is that as far as I know UEFI Secure boot can handle multiple different keys."

Where did you learn this? I can't find any information saying that multiple keys (hardcoded or not) will be supported?

Reply Parent Score: 2