Linked by Elv13 on Sun 17th Jun 2012 10:35 UTC
Hardware, Embedded Systems "The UEFI secure boot mechanism has been the source of a great deal of concern in the free software community, and for good reason: it could easily be a mechanism by which we lose control over our own systems. Recently, Red Hat's Matthew Garrett described how the Fedora distribution planned to handle secure boot in the Fedora 18 release. That posting has inspired a great deal of concern and criticism, though, arguably, about the wrong things."
Thread beginning with comment 522505
To read all comments associated with this story, please click here.
Just wondering
by acobar on Sun 17th Jun 2012 19:46 UTC
acobar
Member since:
2005-11-15

To fix computers I have been using boot CDs, DVDs and pen drives for years. They are very practical and get the job done. I wonder what will happen then if the secure boot Microsoft designed start to refuse such tools. Microsoft own solution was never ever on par with hand crafted 3rd parties ones.

I believe that all this will make hard to me to clean the mess that enter the "Microsoft Windows opened" and also will make it more expensive, time and money wise.

My bet is the MS wants to fight the piracy more effectively, that the system would be strengthened against attacks is probably a side effect. Many exploits exist that work around MS registration/validation by interfering exactly on this stage of OS loading to be able to deliver their payload.

Reply Score: 4

RE: Just wondering
by pgeorgi on Sun 17th Jun 2012 20:27 in reply to "Just wondering"
pgeorgi Member since:
2010-02-18

I believe that all this will make hard to me to clean the mess that enter the "Microsoft Windows opened" and also will make it more expensive, time and money wise.

For the time being, you will be able to disable secureboot in the UEFI menu somewhere. Fedora's issue with that solution is that UEFI isn't standardized, so they can't tell their customers 3 simple steps to unlock the device.

My bet is the MS wants to fight the piracy more effectively, that the system would be strengthened against attacks is probably a side effect.

There's a NIST paper on securing systems which also includes firmware level attacks. I'd expect that secureboot has something to do with that rather than licensing concerns - they might need to lock that area down to be able to pass the next level Common Criteria certification.

The issue is also more pressing with UEFI than with BIOS since UEFI is so much more powerful than BIOS - you can load rather arbitrarily sized 32bit modules (built by a modern C compiler), which have access to everything a modern OS provides (threads, networking, plenty of memory). With "UEFI Shell" they basically admitted that UEFI _is_ an Operating System (whose main purpose - for now - is to load another OS).

This cozy environment simplifies attacks somewhat compared with the old BIOS situation.

Reply Parent Score: 2

RE[2]: Just wondering
by Soulbender on Mon 18th Jun 2012 04:01 in reply to "RE: Just wondering"
Soulbender Member since:
2005-08-18

they might need to lock that area down to be able to pass the next level Common Criteria certification.


Security designed by bean-counters, is there anything better?

Reply Parent Score: 1