OS and Software > All Things Unix > Windows 8 Secure Boot Would 'Exclude' Linux

Linus: I actually think secure boot makes a lot of sense. I think we should sign our modules. I think we should use the technology to do cryptographic signatures to add security; and at the same time inside the open source community this is so unpopular that people haven't really worked on it.

It's true that secure boot can be used for horribly, horribly bad things but using that as an argument against its existence at all is I think a bit naive and not necessarily right. Because if you do things right then it's a really good thing. I would like my own machine to have the option to not boot any kernel, or boot loader, that is not signed by this signature.

I want to have the option to also realize that OK now I am going to boot another operating system or do something else and I want to undo that. But I want that to be a BIOS set-up screen where you have to be at the machine physically and then it is a great thing. And I think that's actually how most secure boots would be set up. The fact that then you could possibly set it up so that the user at the BIOS screen can't even change it, makes it problematic. Maybe some people would use that and that is really scary. But at the same time that doesn't invalidate the technology as a very powerful and useful tool.

So, I am in a situation where I disagree with a lot of people about DRM and signatures and things where I think signatures are a good thing that can be misused. At the same time in the open source community there are a lot of people that think about it the other way and say it can be misused, so it can't be a good thing. They come at the whole problem from a different direction. I kind of understand why they do that, but at the same time, maybe because I refuse to be a pessimist, I refuse to take the approach that because something can be misused it's bad.

And maybe I am wrong, maybe secure boot will be used in horribly, horribly bad things. People will say you should have listened to me.

CNet's Ed Bott decided to pose the issue to OEMs.

Ed Bott contacted HP and Dell, and while his report is a bit abrasive, the gist of the matter is this. Dell confirmed that they have plans to ship Windows 8 machines with the ability to turn secure boot off in UEFI, while HP had no idea what was going on. BIOS maker AMI, meanwhile, has said it will advise OEMs to not remove the option, but adds that they can't mandate as such.

A Dell spokesperson told Bott that "Dell has plans to make SecureBoot an enable/disable option in BIOS setup". Dell plans to move to UEFI with secure boot in the Windows 8 time frame. Unlike how Bott presents it, 'having plans' is of course far from a definitive promise - but at least it's somewhat reassuring.

HP, sadly, was less clear. "HP will continue to offer its customers a choice of operating systems," HP told Bott, "We are working with industry partners to evaluate the options that will best serve our customers." Nobody at HP was apparently even aware of the issue, which means this is a general PR statement with zero actual value.

Lastly, BIOS maker AMI stated that it "will advise OEMs to provide a default configuration that allows users to enable/disable secure boot, but it remains the choice of the OEM to do (or not do) so". This is entirely reasonable - AMI just provides a software package, it doesn't control what OEMs remove and include.

None of this is the reassuring words Bott makes them out to be. There are no promises, no assurances, nothing.

So, I am in a situation where I disagree with a lot of people about DRM and signatures and things where I think signatures are a good thing that can be misused. At the same time in the open source community there are a lot of people that think about it the other way and say it can be misused, so it can't be a good thing.

quote:

---

However, Kleissner said in a message exchange with Ars Technica that the exploit did not currently target the Unified Extensible Firmware Interface (UEFI), but instead went after legacy BIOS.

---

quote:

---

However, Kleissner said in a message exchange with Ars Technica that the exploit did not currently target the Unified Extensible Firmware Interface (UEFI), but instead went after legacy BIOS.

---

However, Kleissner said in a message exchange with Ars Technica that the exploit did not currently target the Unified Extensible Firmware Interface (UEFI), but instead went after legacy BIOS. Kleissner said he has shared his research and paper and the paper he plans to present, "The Art of Bootkit Development," with Microsoft.

Could it place a little pressure on manufacturers not to include the ability to disable UEFI?

Peter Kleissner was kind enough to clarify a few things, including the fact that Microsoft's Secure Boot feature is not really that bad, but vulnerabilities may still exist.

I'm still waiting for the anti-trust group to move into action. It WILL happen.