
Re: [OT] Re: the ghost of UEFI and Micr0$0ft



Hello Roger,

Roger Leigh <rleigh@codelibre.net> wrote:
> This depends upon the hardware.  You might not be able to disable it.
> In fact, Microsoft *require* that it can't be disabled on ARM hardware
> carrying a "certified for Windows 8" (or whatever) badge.  This
> hardware will only be capable of booting signed code.  No way of
> disabling it or changing the key.
 
I doubt that Microsoft has any effect on the ARM market at the
moment, since it appears to be dominated by Android and iOS?

> One could argue that "it's only ARM hardware, who cares", but ARM is
> quite likely to displace Intel as the common denominator in hardware.
> I for one am looking forward to 64-bit ARM hardware, and it'll be
> replacing my noisy and power hungry PC PDQ!

Of course, we don’t know what the future brings, but I think it will
take a few more years until ARM has replaced x86/amd64, if that ever
happens.

> This *is* a problem--
> Microsoft have de-facto complete control over the hardware by requiring
> signed code.  Even on the PC, where it's "optional", you are entirely
> at the mercy of the motherboard vendor regarding the ability to disable
> or replace keys.

We shall see how this works out with regard to anti-trust laws.

> > However, I welcome the fact that attacks on Windows will be made more
> > difficult, since that also means smaller botnets, fewer vulnerable
> > computers etc.
> 
> It will have zero effect.  Not only was the certificate effectively
> compromised by allowing arbitrary code to be signed apparently by
> Microsoft (see recent news)

Of course, this incident is not nice at all - but then again, it only
became public now and I imagine Microsoft to have reacted quickly.
Additionally, I doubt that any other major institution signing such
software will only sign non-malware/bug-free software. Given that
Microsoft has been in the field for a few years, their count is not
too bad.

> how effective is the security when you
> have the ability to chainload GRUB?  Once you can do that, you can
> load any arbitrary code of your choice.  Any malware worth its salt
> will just co-opt the Linux bootloader and continue on its way.
> Effective security gained: none.

Isn’t that the reason the small boot loader signed by MS for Fedora
(according to their plans) will only load a signed GRUB which will
only load signed kernels etc.?

I agree that there are problems with secure boot, mainly because
mainboard manufacturers might block users from managing the keys on
their computers. However, I think that – provided that users are free
to change these keys or disable secure boot – this will help computer
security.

Best regards,

Claudius
-- 
Real programmers can write assembly code in any language.   :-)
		-- Larry Wall in  <8571@jpl-devvax.JPL.NASA.GOV>
http://chubig.net                          telnet nightfall.org 4242
