Linked by Thom Holwerda on Fri 13th Jan 2012 16:20 UTC, submitted by moondevil
Windows And so the war on general computing continues. Were you looking forward to ARM laptops and maybe even desktops now that Windows 8 will also be released for ARM? I personally was, because I'd much rather have a thin, but fast and economical machine than a beastly Intel PC. Sadly, it turns out that all our fears regarding UEFI's Secure Boot feature were justified: Microsoft prohibits OEMs from allowing you to install anything other than Windows 8 on ARM devices (the Software Freedom Law Center has more).
Thread beginning with comment 503232
To read all comments associated with this story, please click here.
A little over the top...
by saynte on Fri 13th Jan 2012 17:44 UTC
saynte
Member since:
2007-12-10

Thom's blurb is a little over the top.

Doesn't the same Microsoft document set to rest the fears that new x86 PCs would all be locked-out from booting Linux? It does say that x86 systems must be capable of disabling the secure boot, or am I reading it wrong? Isn't it better that they only require this on the devices that don't even exist yet, for an operating system that isn't even released? As opposed to a huge market (x86 PCs)...

Even with the Secure Boot, can't Fedora or Ubuntu just get a grub-key included on the devices so they can boot in secure mode?

Reply Score: 1

RE: A little over the top...
by Alfman on Fri 13th Jan 2012 18:38 in reply to "A little over the top..."
Alfman Member since:
2011-01-28

saynte,

"Even with the Secure Boot, can't Fedora or Ubuntu just get a grub-key included on the devices so they can boot in secure mode?"

Even if the vendor is well intentioned and wants to sign loaders for it's users, secure boot becomes insecure when used in this manor. Consider that if a grub-like loader were signed, then malware would trivially install grub to load itself at boot.

It's problems like this that make "secure boot" look like it was designed to take users out of control rather than improve system security - a more apt name would be "restricted boot".

Also, keep in mind that overwriting boot loaders already implies a system-wide compromise, so it is fair to question whether "secure boot" is a security mechanism at all instead of being a user restriction mechanism.

Edit: All of my concerns would be ameliorated if the keys would always be under the control of system owners. It is my main objection to the whole scheme. There's no technical reason for security features to be under third party control, other than DRM.

Edited 2012-01-13 18:49 UTC

Reply Parent Score: 5

RE[2]: A little over the top...
by saynte on Fri 13th Jan 2012 19:35 in reply to "RE: A little over the top..."
saynte Member since:
2007-12-10

What you say is all true, thank you for bringing up these points in such an easy to read and, more importantly, reasoned argument.

My beef (and the reason for my post) is the tone of Thom's post.

The shrill, wailing, tone of Thom's post distracts from the issues; I was merely trying to extract some of the other (what I feel) relevant questions and facts of interest in this story.

Reply Parent Score: 1