PDA

View Full Version : Secure boot



johnd
30-07-2012, 11:23 PM
I am puzzelled - if UEFI (Unified Extensible Firmware Interface) is not owned or run by Microsoft (ref. http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx) then why are some distributions of Linux planning to pay MS for a key to allow secure booting on PCs that are delivered with W8??

8ftmetalhaed
30-07-2012, 11:35 PM
Maybe it's for dual booting? I haven't been paying too much attention to it myself.

johnd
30-07-2012, 11:36 PM
Yes - it is for dual booting but if MS do not own the firmware, why do distributions have to pay MS?

Speedy Gonzales
31-07-2012, 07:46 AM
It maybe because of the following, why Linux have to pay for it (http://www.osnews.com/comments/26106). It looks like Fedora may make their own key. Others have said why not use theirs. But,as it says in that link <-

If they shared the same key, then a security flaw with "Bozo" Linux would mean revoking Debian's key as well. (I'm expecting key revocations could become a common occurrence).

Longer answer: There's no way under secure boot for the owner to tell his computer to trust Debian & Windows but not "Bozo" Linux. The privilege of choosing what can run is left to microsoft & friends since they hold the master keys to our hardware and they're running the certification program. Microsoft's bootloader will hand off to 3rd party bootloaders that are authenticated with a valid certificate.

An unfortunate side effect of this security model is that a vulnerability in ANY approved operating system opens up ALL operating systems to trojans. Bootloader trojans can hook into the system using a BozoLinux flaw and then continue to boot another OS such as windows.

Ideally the owner would be given explicit control over secure boot keys, then they'd just trust Debian's key and that'd be the end of it, no need to trust anyone other than Debian to boot my machine. Not only would it give owners more freedom, it'd be more secure too. It's a real shame secure boot was designed as it was.

There's some more info about it here (http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx)

johnd
31-07-2012, 10:42 PM
It seems crazy and unreasonable that the keys are not handled by an independant group (e.g. IEEE).

Speedy Gonzales
31-07-2012, 11:08 PM
Its because MS own the certificates, and windows (they need to be signed and valid). I suppose its like drivers for windows 7 x64. Unless they're digitally signed, there's no way windows 7 will let you install them. Unlesss you disable the option (I think its under the menu, when you press F8 after rebooting)

Agent_24
01-08-2012, 01:02 AM
"Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision."

Bull.

Bootloader attacks = the Windows Vista \ Windows 7 loader crack.

It's just Microsoft trying to stop piracy. They don't give a **** about the customer's experience.

kingdragonfly
01-08-2012, 04:02 PM
If you not a major OEM like Dell or Toshiba, and you see "Trusted Platform Module" mentioned anywhere, it means us mere mortals

- cannot purchase the components

- and have no say in how the components interact

It's about as close as you can get to a black box solution.

So don't worry, be happy.

mikebartnz
01-08-2012, 08:38 PM
Bull.

Bootloader attacks = the Windows Vista \ Windows 7 loader crack.

It's just Microsoft trying to stop piracy. They don't give a **** about the customer's experience.
I wouldn't have such a problem with it if MS weren't in control of it .
They say Win RT is going to be locked down but Win 8 will allow a bios option to disable. Just sounds too much like MS up to its dirty tricks again.
They must be worried that Windows on Arm is going to be such a dog that people will want to install Linux on it.

fred_fish
01-08-2012, 08:54 PM
The Europeans might be able to put a dent in their debts when they start handing out the fines for anti-competitive behaviour.

nmercer
02-08-2012, 07:06 AM
I wouldn't have such a problem with it if MS weren't in control of it .
They say Win RT is going to be locked down but Win 8 will allow a bios option to disable. Just sounds too much like MS up to its dirty tricks again.
They must be worried that Windows on Arm is going to be such a dog that people will want to install Linux on it.

so much negativity in this thread

Windows RT is a integrated software/hardware stack like an iPad is. Can you load Android onto an iPad? No. Can you load iOS onto a Android tablet? No.

UEFI is an Industry standard, not a Microsoft one. Intel was the driving force in creating EFI, and then later UEFI. http://www.uefi.org/home/

Secure Boot is simply part of that standard, and was put there to increase end-to-end security by closing one vector of attack used by malware.

Windows 8 doesn't requires it, just that an OEM who wishes to put a “Made for Windows 8” logo on their new computer must use it, and it must be enabled by default.

There are no restrictions on what OEM’s can do with their UEFI implementation, or what OS’s can sign their boot loaders or kernels. Again, this is a published industry standard, one that Apple is already using on their hardware, for example. Microsoft is just laying out the requirements for the Windows 8 logo program.

mikebartnz
02-08-2012, 09:32 PM
Windows RT is a integrated software/hardware stack like an iPad is. Can you load Android onto an iPad? No. Can you load iOS onto a Android tablet? No.
You don't know what you are talking about as it is nothing like the iPad, apart from the Surface which is going to be made by MS anyone else (OEM's) using Win RT are restricted.


UEFI is an Industry standard, not a Microsoft one. Intel was the driving force in creating EFI, and then later UEFI. http://www.uefi.org/home/
Secure Boot is simply part of that standard, and was put there to increase end-to-end security by closing one vector of attack used by malware.
Tell me why MS are holding the keys for it then.


Windows 8 doesn't requires it, just that an OEM who wishes to put a “Made for Windows 8” logo on their new computer must use it, and it must be enabled by default.

There are no restrictions on what OEM’s can do with their UEFI implementation, or what OS’s can sign their boot loaders or kernels. Again, this is a published industry standard, one that Apple is already using on their hardware, for example. Microsoft is just laying out the requirements for the Windows 8 logo program.
Win 8 yes but Win RT no.

nmercer
03-08-2012, 05:54 AM
You don't know what you are talking about as it is nothing like the iPad, apart from the Surface which is going to be made by MS anyone else (OEM's) using Win RT are restricted.


Tell me why MS are holding the keys for it then.


Win 8 yes but Win RT no.

Yes I do know what I'm talking about :)

firstly Win RT and Windows RT are 2 completely different things

Windows RT is exactly like an iPad. Can you download and install iOS on an existing tablet? iPad no, Windows RT no. Can I buy an iPad / Windows RT device without an OS? iPad No, Windows RT, No.

re the logo I clearly stated Windows 8 not Windows RT (again Win RT is something completely different)

nmercer
03-08-2012, 08:31 AM
You don't know what you are talking about as it is nothing like the iPad, apart from the Surface which is going to be made by MS anyone else (OEM's) using Win RT are restricted.


Tell me why MS are holding the keys for it then.


Win 8 yes but Win RT no.

also if you don't want Secure Boot, disable it, or build your own system or just buy a PC without it

No one is forcing you to buy or use a PC with Secure Boot

mikebartnz
03-08-2012, 08:06 PM
Windows RT is exactly like an iPad. No it is not.
The Surface with Windows RT is exactly the same but any OEM tablet running Windows RT is nothing like the iPad.
I stand corrected on the difference between Win RT & Windows RT.

mikebartnz
03-08-2012, 08:09 PM
also if you don't want Secure Boot, disable it, or build your own system or just buy a PC without it

No one is forcing you to buy or use a PC with Secure Boot
You can't disable it with Windows RT which is what I don't like. Why are they treating Windows 8 and Windows RT differently.
You are right no one is forcing me to buy any PC with Secure boot and if I have no way of disabling it I won't be.

fred_fish
03-08-2012, 11:58 PM
Windows RT is exactly like an iPad. Can you download and install iOS on an existing tablet? iPad no, Windows RT no. Can I buy an iPad / Windows RT device without an OS? iPad No, Windows RT, No.
Why not?
Open hardware drove the PC revolution and it will do the same for tablets.


Why are they treating Windows 8 and Windows RT differently.Because they are going to have a hard enough time selling Win8 as it is :)

You are right no one is forcing me to buy any PC with Secure boot and if I have no way of disabling it I won't be. +1

nmercer
04-08-2012, 07:15 AM
No it is not.
The Surface with Windows RT is exactly the same but any OEM tablet running Windows RT is nothing like the iPad.
I stand corrected on the difference between Win RT & Windows RT.

yes it is like an iPad


Windows RT software will not be sold or distributed independently. Rather you will get integrated, end-to-end products, just as you would expect from a consumer electronics device that integrates hardware and software.

I'm not sure what you mean by "any OEM tablet running Windows RT is nothing like the iPad"



Whether that is a Surface device from Microsoft or from another OEM, its an integrated product containing the hardware and software combo, just like an iPad.

nmercer
04-08-2012, 07:18 AM
You can't disable it with Windows RT which is what I don't like. Why are they treating Windows 8 and Windows RT differently.
You are right no one is forcing me to buy any PC with Secure boot and if I have no way of disabling it I won't be.

Windows RT is not a PC, is a consumer electronics device that integrates hardware and software together

If you want a PC buy a Windows 8 PC not a Windows RT device

Why would you want to disable Secure Boot on Windows RT? I've never heard people complain that they can't load Android onto an iPad or iOS onto an Android device

nmercer
04-08-2012, 07:21 AM
Why not?
Open hardware drove the PC revolution and it will do the same for tablets.

Because they are going to have a hard enough time selling Win8 as it is :)+1

What OS is it that you want to load onto your Windows RT hardware device

Windows 8 sales we will have to wait and see, personally I'm quietly confident on Windows 8 sales :)

Chilling_Silence
04-08-2012, 08:44 AM
Never seen this I presume? ;)
http://www.idroidproject.org/

mikebartnz
05-08-2012, 01:03 AM
I'm not sure what you mean by "any OEM tablet running Windows RT is nothing like the iPad"
That just proves my point that you don't know what you are talking about then.

Chilling_Silence
05-08-2012, 01:33 AM
Actually, Nathan is quite credible I would say... One of the few who would be uniquely qualified to comment on the matter to be honest :)

mikebartnz
05-08-2012, 09:41 AM
Actually, Nathan is quite credible I would say... One of the few who would be uniquely qualified to comment on the matter to be honest :)
While that may be so how is an OEM tablet running Windows RT anything like the iPad.

Nick G
05-08-2012, 02:57 PM
While that may be so how is an OEM tablet running Windows RT anything like the iPad.
Simply becasue the OS is locked down. Able to install linux? Nope. Able to upgrade the OS? Nope. Software is only sold preloaded on the hardware? Yup.
That's why.

mikebartnz
05-08-2012, 05:03 PM
Simply becasue the OS is locked down. Able to install linux? Nope. Able to upgrade the OS? Nope. Software is only sold preloaded on the hardware? Yup.
That's why.
Well give me a good reason as to why MS are treating their Arm OS differently.

Chilling_Silence
05-08-2012, 05:28 PM
In what way?

mikebartnz
05-08-2012, 05:33 PM
In what way?
With the Arm version MS are not allowing the disabling of secure boot but with Windows 8 they are.

Chilling_Silence
05-08-2012, 10:05 PM
They've wanted to do it with the Desktop version for ages too IIRC.

On top of that, it's the whole "We're doing the hardware AND we're doing the software" motto...

I dunno, don't really care too much either. I'm not going to be buying one of their tablets, but the likes of corporations (Who my money says will be large adopters of them) will see that and go "Ah OK cool, one more 'security' measure up their sleeve, awesome!".

I'm not saying I agree with the whole ordeal, just saying it's their call.

mikebartnz
05-08-2012, 10:44 PM
They've wanted to do it with the Desktop version for ages too IIRC.

On top of that, it's the whole "We're doing the hardware AND we're doing the software" motto...

I dunno, don't really care too much either. I'm not going to be buying one of their tablets, but the likes of corporations (Who my money says will be large adopters of them) will see that and go "Ah OK cool, one more 'security' measure up their sleeve, awesome!".

I'm not saying I agree with the whole ordeal, just saying it's their call.
I don't have a problem with them doing it with the Surface which they are producing but I do have a problem with OEM's being forced to when the same isn't applying to Windows 8.

Chilling_Silence
05-08-2012, 11:04 PM
True, but at least there are other options, Android / WebOS if OEM's don't wanna go along with it ;)

mikebartnz
05-08-2012, 11:36 PM
True, but at least there are other options, Android / WebOS if OEM's don't wanna go along with it ;)
True.

dugimodo
06-08-2012, 09:52 AM
I think it's completely unimportant, You will still be able to install whatever OS you want (well current OS designed for the platform at least) on your own PC and the finer details of what the boot loader is doing won't concern most of us one little bit. As for the surface and other such devices it won't be secure boot that determines if they do well or not, purely the user experience and functionality of the device. On top of that there will always be those people out there who will find a way to hack the device and do things the manufaturer didn't intend.

chrisjay
07-08-2012, 08:46 PM
I really don't know about this, but i want to know from you guys