Re: [OT] Re: the ghost of UEFI and Micr0$0ft

To: debian-user@lists.debian.org
Subject: Re: [OT] Re: the ghost of UEFI and Micr0$0ft
From: Roger Leigh <rleigh@codelibre.net>
Date: Tue, 5 Jun 2012 19:38:59 +0100
Message-id: <[🔎] 20120605183859.GV779@codelibre.net>
In-reply-to: <[🔎] 20120605192655.7e8f078c@ares.home.chubig.net>
References: <[🔎] CAO4+coYHYAghvJ=DtQXzSyLRX7KkRDWEy6p4ktZtoZR=Nf4mUg@mail.gmail.com> <[🔎] jql2q6$60h$4@dough.gmane.org> <[🔎] 20120605183101.17f411cc@ares.home.chubig.net> <[🔎] jqlddc$60h$15@dough.gmane.org> <[🔎] 20120605190354.5fe2442a@ares.home.chubig.net> <[🔎] jqlf8n$60h$16@dough.gmane.org> <[🔎] 20120605192655.7e8f078c@ares.home.chubig.net>

On Tue, Jun 05, 2012 at 07:26:55PM +0200, Claudius Hubig wrote:
> Hello Camaleón,
> 
> Camaleón <noelamac@gmail.com> wrote:
> > Microsoft (I can't tell for the rest of the hardware manufacturers 
> > because their position is not mentioned in detail in the blog post) is 
> > forcing a needing for something I (and I guess others) _don't need_, like 
> > TPM modules, using a password in GRUB2, using encryption nor signing for 
> > safe code. 
> 
> If you don’t need that, you can disable secure boot and be happy.

This depends upon the hardware.  You might not be able to disable it.
In fact, Microsoft *require* that it can't be disabled on ARM hardware
carrying a "certified for Windows 8" (or whatever) badge.  This
hardware will only be capable of booting signed code.  No way of
disabling it or changing the key.

One could argue that "it's only ARM hardware, who cares", but ARM is
quite likely to displace intel as the common denominator in hardware.
I for one am looking forward to 64-bit ARM hardware, and it'll be
replacing my noisy and power hungry PC PDQ!  This *is* a problem--
Microsoft have de-facto complete control over the hardware by requiring
signed code.  Even on the PC, where it's "optional", you are entirely
at the mercy of the motherboard vendor regarding the ability to disable
or replace keys.

> However, I welcome the fact that attacks on Windows will be made more
> difficult, since that also means smaller botnets, fewer vulnerable
> computers etc.

It will have zero effect.  Not only was the certificate effectively
compromised by allowing arbitrary code to be signed apparently by
Microsoft (see recent news), how effective is the security when you
have the ability to chainload GRUB?  Once you can do that, you can
load any arbitrary code of your choice.  Any malware worth its salt
will just co-opt the Linux bootloader and continue on its way.
Effective security gained: none.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800

Reply to:

Follow-Ups:
- Re: [OT] Re: the ghost of UEFI and Micr0$0ft
  - From: Claudius Hubig <debian_1206@chubig.net>
- Re: [OT] Re: the ghost of UEFI and Micr0$0ft
  - From: Tom H <tomh0665@gmail.com>

References:
- the ghost of UEFI and Micr0$0ft
  - From: Harshad Joshi <firewalrus@gmail.com>
- [OT] Re: the ghost of UEFI and Micr0$0ft
  - From: Camaleón <noelamac@gmail.com>
- Re: [OT] Re: the ghost of UEFI and Micr0$0ft
  - From: Claudius Hubig <debian_1206@chubig.net>
- Re: [OT] Re: the ghost of UEFI and Micr0$0ft
  - From: Camaleón <noelamac@gmail.com>
- Re: [OT] Re: the ghost of UEFI and Micr0$0ft
  - From: Claudius Hubig <debian_1206@chubig.net>
- Re: [OT] Re: the ghost of UEFI and Micr0$0ft
  - From: Camaleón <noelamac@gmail.com>
- Re: [OT] Re: the ghost of UEFI and Micr0$0ft
  - From: Claudius Hubig <debian_1206@chubig.net>

Prev by Date: Archiver supporting POSIX ACLs, file caps and xattrs?
Next by Date: Re: [OT] Re: the ghost of UEFI and Micr0$0ft
Previous by thread: Re: [OT] Re: the ghost of UEFI and Micr0$0ft
Next by thread: Re: [OT] Re: the ghost of UEFI and Micr0$0ft
Index(es):
- Date
- Thread