Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
Windows The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
Thread beginning with comment 490807
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[7]: Bootloader anyone ?
by Alfman on Mon 26th Sep 2011 17:32 UTC in reply to "RE[6]: Bootloader anyone ?"
Member since:


Thank you for the info. From what I understand though, the KEKs are just intermediate keys for use by the operating system (for example, to maintain blacklists which cannot be tampered with by the user). In particular, the KEKs need to be signed by the PK and are merely extending it's chain of trust rather than establishing an alternate chain of trust.

"Before a PK is loaded into the firmware, UEFI is considered to be in setup mode, which allows anyone to write a PK to the firmware. Writing the PK switches the firmware into user mode. Once in user mode, PKs and KEKs can only be written if they are signed using the private portion of the PK, though KEKs can be freely written during setup mode. Essentially, the PK is meant to authenticate the platform owner, while the KEKs are used to authenticate other components, like operating systems."

So I guess the answer to my stated question is yes, there are multiple keys. But the answer to what I was actually thinking is no, there will be no support for multiple authorities.

Reply Parent Score: 2

RE[8]: Bootloader anyone ?
by Alfman on Mon 26th Sep 2011 17:38 in reply to "RE[7]: Bootloader anyone ?"
Alfman Member since:

This design makes me wonder if the PK will be user settable again after a new bios flash? Or if the PK is truly permanently recorded in some chip and can never be reset again by anybody?

Reply Parent Score: 2