Linked by Elv13 on Sun 17th Jun 2012 10:35 UTC
Hardware, Embedded Systems "The UEFI secure boot mechanism has been the source of a great deal of concern in the free software community, and for good reason: it could easily be a mechanism by which we lose control over our own systems. Recently, Red Hat's Matthew Garrett described how the Fedora distribution planned to handle secure boot in the Fedora 18 release. That posting has inspired a great deal of concern and criticism, though, arguably, about the wrong things."
Thread beginning with comment 522509
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Just wondering
by pgeorgi on Sun 17th Jun 2012 20:27 UTC in reply to "Just wondering"
pgeorgi
Member since:
2010-02-18

I believe that all this will make hard to me to clean the mess that enter the "Microsoft Windows opened" and also will make it more expensive, time and money wise.

For the time being, you will be able to disable secureboot in the UEFI menu somewhere. Fedora's issue with that solution is that UEFI isn't standardized, so they can't tell their customers 3 simple steps to unlock the device.

My bet is the MS wants to fight the piracy more effectively, that the system would be strengthened against attacks is probably a side effect.

There's a NIST paper on securing systems which also includes firmware level attacks. I'd expect that secureboot has something to do with that rather than licensing concerns - they might need to lock that area down to be able to pass the next level Common Criteria certification.

The issue is also more pressing with UEFI than with BIOS since UEFI is so much more powerful than BIOS - you can load rather arbitrarily sized 32bit modules (built by a modern C compiler), which have access to everything a modern OS provides (threads, networking, plenty of memory). With "UEFI Shell" they basically admitted that UEFI _is_ an Operating System (whose main purpose - for now - is to load another OS).

This cozy environment simplifies attacks somewhat compared with the old BIOS situation.

Reply Parent Score: 2

RE[2]: Just wondering
by Soulbender on Mon 18th Jun 2012 04:01 in reply to "RE: Just wondering"
Soulbender Member since:
2005-08-18

they might need to lock that area down to be able to pass the next level Common Criteria certification.


Security designed by bean-counters, is there anything better?

Reply Parent Score: 1

RE[3]: Just wondering
by pgeorgi on Mon 18th Jun 2012 08:56 in reply to "RE[2]: Just wondering"
pgeorgi Member since:
2010-02-18

Security designed by bean-counters, is there anything better?

The design isn't common criteria. Only the requirements as to what the system is supposed to withstand - and those are quite sound.

Reply Parent Score: 3