

signmeuptoo
Bless you Howie
Premium
join:2001-11-22
NanoParticle
kudos:5
reply to rexbinary

Re: Red Hat users pay up to run Fedora on Windows 8 machines

So, I am confused a little. When you guys say "your own key" do you mean that a person can set the UEFI to any key you want to install? What happens if the UEFI/BIOS borks?

I am not the brightest bulb in the lamp, sorry, but I don't understand clearly.

If I were to build an Ivy Bridge system/Intel chipset w/UEFI, is it guaranteed that I can turn off secure boot? Will I have to shop carefully for a board that will?

What is supposed to be the point of secure boot, is it just a way to drive sales?

It might be a while before I can build a new system, and I DON'T like Windows 8, its interface, but in a year or two when I want to build a system and dual boot with it, where will all of this leave me? I've dual booted for years, I am not a Linux genius and I've only tried SuSE and Mint of late, but if turning off secure boot is all that is needed, could MS retro design Win8 to reject a boot with secure boot turned off?

I am confused.
--
Join Teams Helix and Discovery. Rest in Peace, Leonard David Smith, my best friend, you are missed badly! Rest in peace, Pop, glad our last years were good. Please pray for Colin, he has ependymoma, a brain cancer, donate to a children's Hospital.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

said by signmeuptoo:

If I were to build an Ivy Bridge system/Intel chipset w/UEFI, is it guaranteed that I can turn off secure boot? Will I have to shop carefully for a board that will?

Not guaranteed - it's a decision made by the BIOS implementor and the motherboard vendor. The only guarantee is that if you buy a *system* with a Microsoft Windows 8 logo, then you *will* be able to disable secure boot.

I'd guess, but it's only a guess, that major motherboard vendors will also follow suit. Cheapskates, maybe not so much.

What is supposed to be the point of secure boot, is it just a way to drive sales?

Anti-rootkit, basically. It's an assurance that what you're booting is what you think you're booting.


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5

4 recommendations

reply to signmeuptoo

said by signmeuptoo:

So, I am confused a little. When you guys say "your own key" do you mean that a person can set the UEFI to any key you want to install?

Yes. The "spec" going forward is that Secure Boot will be in "Setup" or "Custom" mode. After completion of "Setup" or "Custom", the owner (who Dell, Lenovo, IBM, and HP consider the final paying customer to be the "owner") will have the ability to white list and black list the PeKs. The KeKs are trusted off of the PeKs. In addition, the "owner" with physical access to the computer can reset the PeK. "How" is not yet known, but "possible" is required under the specification.

said by signmeuptoo:

If I were to build an Ivy Bridge system/Intel chipset w/UEFI, is it guaranteed that I can turn off secure boot? Will I have to shop carefully for a board that will?

Yes. Current Ivy Bridge and Sandy Bridge UEFI motherboards do not have "Secure Boot".

said by signmeuptoo:

What is supposed to be the point of secure boot, is it just a way to drive sales?

said by LXer :

Only because the richest software company on the planet is utterly incompetent, and incapable of building a secure operating system. So instead they bully the rest of the world into trying to mitigate the security disaster that is Microsoft Windows.

said by iTWire :

What better illustration of the way Microsoft does things? It is repeatedly able to persuade seemingly sane companies to join hands with it - and then yanks the equivalent of the ball away at the last minute...

UEFI is replacing BIOS, a much needed step forward. This "replacement" was pretty much completed in 2010, very few Mobo's were shipped without either a UEFI emulator or pure UEFI with a BIOS emulator.

UEFI has many, MANY modules to it. One module is "Secure Boot" which is based off of an Intel initiative started in 1997. When Windows 8 launches later this year, OEM PC's and Mobo's will be required to have the Secure Boot module installed, enabled by default, and have a firmware option to disable it in order to receive the "Made for Windows 8" sticker (certification). Every other OS on the planet can also take part in the newly released UEFI version that includes Secure Boot.

Windows 8 does NOT require Secure Boot to boot. It would lose "backwards compatibility" with customers, but more importantly, corporations/government. Windows 8 already has problems with corp/gov...

Microsoft is the first to the party for a Secure Boot OS in retail space, they are neither the inventors nor financially lucrative direct benefactors for Secure Boot. Linux and Unix have been at this game longer using closed source kernel modifications and programs in the government/corporate spaces.

AGAIN: Microsoft did not invent Secure Boot; Microsoft does not make money off of Secure Boot.

1. Who "owns" Secure Boot? Intel. US 5937063

2. Is Secure Boot new? The name in retail space: yes; the concept: no. Specific TPM and TXT, to include server and workstation, as well as mobile, have used Intel's EFI trusted boot in different variations since 2006, possibly earlier in government/ultra-cost corporate security. "Private" Linux has made good money off of using these specifications to secure servers and workstations. "Public" Linux has been against any sort of "trusted" or "secure" boot process where signing or BLOB insertion from a for-profit corporation is involved. This ain't new folks. UEFI is NOT-for-profit, so the "Microsoft" name is used as often and incorrectly as possible in reference to "Secure Boot" in order to continue the same argument without having to think too hard. Unfortunately, UEFI and "Secure Boot" isn't all that bad of an idea and direct marketing against it is NOT an option; it does help secure a boot against a rootkit, it can help stop USB sticks from infecting the entire network, it can allow corporations to "remotely kill" their stolen hardware's pre-installed OS. Since it can't be attacked directly, it must be attached to an already hate-inducing name for the mindless zombies to rise up. It is almost as if a double-agent works for Microsoft in their marketing department. They released exactly what was needed to excite the drooling zerg.

Linux options?
a. Shut off the newly implemented security feature.
b. Sign the boot files and process according to the UEFI (Intel's) specifications.

White papers on how to do b. exist from the LinuxFoundation as well as various OpenSource initiative groups. This is where fragmentation hurts. The hope was the kernel itself would step up and globally sign "Linux" for all. Each distro could then piggy back on the PeK for "LINUX".

Other distro's? Silent. Concerned, but silent. "Shut it off, move on" is the consensus in Gentoo, Arch, and even a majority opinion on the Ubuntu forums. RedHat is "for profit", though, and can NOT lose the security perception game.

3. Who implemented it for retail use, was it Microsoft? NO. Intel licensed EFI 1.10 to the UEFI board for use. They then terminated EFI. Future revisions to the spec will be owned, voted, and implemented from the UEFI board. The UEFI board was the one who voted and implemented Secure Boot for retail based off of "trusted computing" within the Intel EFI 1.10 spec; introduced in 2003.

4. Microsoft owns the board then, right? Close, but not really. Too many Apache server money making companies:
Members of UEFI board:
AMD and Intel: hardware manufacturers and HUGE open source contributors.
Insyde, American Megatrends Inc, Phoenix Technologies: the big "3" UEFI/BIOS writers. They sell to hardware only.
Lenovo, Dell, Hewlett Packard, IBM: OEM's... Hewlett Packard, IBM: They are ODM's for Unix/Linux, where most, if not all, of their profit resides.
Apple and Microsoft: The "big 2" closed source OS makers.

5. Microsoft needs "security" more than anyone else, so that is why they are pushing this?

Microsoft is first to the party implementing this tool to help stop rootkits. In the last decade, "security" has been lacking. It is an industry that is worsening, not getting tighter. Many websites get "hacked", passwords are found and spread, governments are committing "Cyber War". Linux is not immune to rootkits and rules the server market share world.

LINUX IS NOT IMMUNE TO ROOTKITS
Verifiable public proof? How about the 2 most well known:
Linux Kernel's Dev Boxes, Servers and Website Rooted in Hack
Rooted Smart phones

To claim Secure Boot is a Microsoft push to "fix their broken OS" is naive, ignorant, or just an awesome spectacular of stupid. Rootkits are affecting everything with "computing power" on the planet. Hardware vendors have a few solutions they want to implement with "service" revenue tied to them (non-retail spaces). Attacks are everywhere, security is needed now:

LARGE MONEY needs security and uses LINUX more than Microsoft. LARGE MONEY has been attacked with their "can't be attacked" Linux servers.
LARGE MONEY demands higher security.

Microsoft is a speck of dirt on planet LARGE MONEY... find a new straw man.
--
Show off that hardware: join Team Discovery and Team Helix