Linked by Thom Holwerda on Fri 22nd Jun 2012 23:17 UTC
Ubuntu, Kubuntu, Xubuntu

After Fedora, Ubuntu has now also announced how it's going to handle the nonsense called "Secure" Boot. The gist: they'll use the same key as Fedora, but they claim they can't use GRUB2. "In the event that a manufacturer makes a mistake and delivers a locked-down system with a GRUB 2 image signed by the Ubuntu key, we have not been able to find legal guidance that we wouldn't then be required by the terms of the GPLv3 to disclose our private key in order that users can install a modified boot loader. At that point our certificates would of course be revoked and everyone would end up worse off." So, they're going to use the more liberally licensed efilinux loader from Intel. Only the bootloader will be signed; the kernel will not.
Comment by NuxRo
by NuxRo on Sat 23rd Jun 2012 01:46 UTC
NuxRo Member since:
2010-09-25

I can't remember when was the last time I heard about a "boot" infection (I'm not saying it doesn't happen). It's just crap designed to make life difficult for competitors; classic Microsoft move. All this with the excuse of more security; their own personal "think of the children".

I can't believe this goes without an antitrust trial or something, at least in Europe.

And another thing, they chose to go with the CA system? Really? After all the Comodo, Diginotar, secretly issued wildcard certs and so on? What kind of integrity does this system still pretend to have? It should be made illegal.

Right now I feel like this guy:
http://www.youtube.com/watch?v=QRO3RJ9cYSo

Edited 2012-06-23 01:49 UTC

Score: 2

RE: Comment by NuxRo
by Doc Pain on Sat 23rd Jun 2012 04:50 in reply to "Comment by NuxRo"
Doc Pain Member since:
2006-10-08

"I can't remember when was the last time I heard about a "boot" infection (I'm not saying it doesn't happen)."


Just a sidenote: Maybe you're interested in reading this article regarding boot infections:

Marco Giuliani:
Mebromi: the first BIOS rootkit in the wild
http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-i...

But even with SecureBoot seen in all its glory and wonderfulness, there are many other attack vectors remaining. Security theatre as usual.

Score: 4

RE[2]: Comment by NuxRo
by Alfman on Sat 23rd Jun 2012 05:55 in reply to "RE: Comment by NuxRo"
Alfman Member since:
2011-01-28

Doc Pain,

"But even with SecureBoot seen in all its glory and wonderfulness, there are many other attack vectors remaining. Security theatre as usual."

Well, the trouble is, even when secure boot is functioning properly, boot malware will slip right by unnoticed if it's signed by someone who's purchased a Microsoft code signing cert. That's not going to stop a determined attacker. In my opinion secure boot ought to have been designed to alert the owner to system alterations such that even signed malware would raise flags if the user didn't make those changes.

Score: 4

RE[2]: Comment by NuxRo
by NuxRo on Sat 23rd Jun 2012 11:32 in reply to "RE: Comment by NuxRo"
NuxRo Member since:
2010-09-25

"I can't remember when was the last time I heard about a "boot" infection (I'm not saying it doesn't happen).


Just a sidenote: Maybe you're interested in reading this article regarding boot infections:

Marco Giuliani:
Mebromi: the first BIOS rootkit in the wild
http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-i...

But even with SecureBoot seen in all its glory and wonderfulness, there are many other attack vectors remaining. Security theatre as usual.
"

Thanks for the link. As I said, I'm aware this kind of threat exists, but as someone said earlier, it's just like killing a mosquito with a pick-hammer. It is unreasonable.
http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/stateme... sign it people!

It's the Nth time recently that this quote comes to mind:
"He who sacrifices freedom for security deserves neither."

Score: 3

RE: Comment by NuxRo
by benjymouse on Sat 23rd Jun 2012 08:13 in reply to "Comment by NuxRo"
benjymouse Member since:
2011-08-06

"I can't remember when was the last time I heard about a "boot" infection (I'm not saying it doesn't happen)."


http://en.wikipedia.org/wiki/Alureon

The problem solved by Secure Boot is real. The solution may make it harder to keep hardware "open" - but secure boot will definitely address TDL-4 / Alureon and the like, which infect the MBR.



"It's just crap designed to make life difficult for competitors; classic Microsoft move. All this with the excuse of more security; their own personal "think of the children"."


BS

"I can't believe this goes without an antitrust trial or something, at least in Europe."


Microsoft does not control UEFI. Indeed, Red Hat and others sat in at the table when UEFI Secure Boot was spec'ed. It will be very hard to claim this is an anti-competitive move when MS has clearly allowed (not taken a position) on an off-switch.

As for ARM - MS doesn't hold a monopoly there - so no basis for anti-trust. And in any case this is just what Apple and Android OEMs do for practically all ARM devices: lock them down to ensure that only the supplied OS can be booted.

Score: 2