Linked by Thom Holwerda on Tue 18th Oct 2011 21:03 UTC, submitted by Dirge
GNU, GPL, Open Source

"The Free Software Foundation released a statement open for public signing, titled 'Stand up for your freedom to install free software'. The statement is a response to Microsoft's announcement that if computer makers wish to distribute machines with the Windows 8 compatibility logo, they must implement a system called 'Secure Boot'. The FSF statement warns against the danger that, if done wrong, this system would have to be called Restricted Boot, because it could make computers incapable of running anything but Windows." Signed.
Thread beginning with comment 493395
RE[2]: Security isn't a dirty word
by f0dder on Wed 19th Oct 2011 00:09 UTC in reply to "RE: Security isn't a dirty word"
f0dder Member since:
2009-08-05

After a long hiatus, MBR based rootkits are semi-slowly starting to appear again. And the MBR is not the only time you can attack the boot sequence in BIOS-based operating systems. x64 versions of Windows have enforced driver signing, but there's plenty of time during the boot sequence before those checks are being done.

Reply Parent Score: 1

Alfman Member since:
2011-01-28

f0dder,

"After a long hiatus, MBR based rootkits are semi-slowly starting to appear again."

You're missing the key piece though, the system will have been infected through another vulnerability in the first place - secure boot does NOT fix that!!!

And in any case, we're not arguing against secure booting, that's a total red herring. We're arguing against a security feature a 3rd party holds the keys to. I don't mind that a 3rd party holds the keys by default - but to be a legitimate security feature the spec would have to provide an explicit method for the owner to take control and stop trusting Microsoft/vendor.

Reply Parent Score: 4

f0dder Member since:
2009-08-05

"You're missing the key piece though, the system will have been infected through another vulnerability in the first place - secure boot does NOT fix that!!!"
It doesn't stop the "buggy OS" attack vector - that much I agree on. But it can plug the "hotel cleaning maid installs industrial espionage rootkit on laptop with bootcd" attack vector. Or the "disgruntled employee exfiltrates corporate data from otherwise locked-down system" attack vector.

"We're arguing against a security feature a 3rd party holds the keys to. I don't mind that a 3rd party holds the keys by default - but to be a legitimate security feature the spec would have to provide an explicit method for the owner to take control and stop trusting Microsoft/vendor."
Agree 100% - the UEFI key management needs to remain under our control.

Reply Parent Score: 1

Soulbender Member since:
2005-08-18

Interesting, I can remember back in the day when MBR viruses were all the rage but that was like 20 years ago.
An interesting question is what happens if the verification fails. Is your PC effectively bricked? Can you still boot from other media? If yes, what if you don't have any install/recovery media (increasingly common today)?

Reply Parent Score: 2

f0dder Member since:
2009-08-05

"Interesting, I can remember back in the day when MBR viruses were all the rage but that was like 20 years ago."
Yeah - it takes quite more sophisticated code to infect via this vector than it did back in the DOS days ;)

"An interesting question is what happens if the verification fails. Is your PC effectively bricked? Can you still boot from other media? If yes, what if you don't have any install/recovery media (increasingly common today)?"
All very good questions!

It partly depends on how the Secure Boot feature is implemented by the UEFI vendor - whether you're allowed to add your own signing keys, and whether you are allowed to boot unsigned OS loaders.

Microsoft states[1] that "Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows." - let's hope they don't backtrack on that one.

[1] http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os...

Reply Parent Score: 2