markofmayhem (Premium), in reply to signmeuptoo
Re: Red Hat users pay up to run Fedora on Windows 8 machines
said by signmeuptoo:
So, I am confused a little. When you guys say "your own key" do you mean that a person can set the UEFI to any key you want to install?
Yes. The "spec" going forward is that Secure Boot will be in "Setup" or "Custom" mode. After completion of "Setup" or "Custom", the owner (who Dell, Lenovo, IBM, and HP consider the final paying customer to be the "owner") will have the ability to white list and black list the PeKs. The KeKs are trusted off of the PeKs. In addition, the "owner" with physical access to the computer can reset the PeK. "How" is not yet known, but "possible" is required under the specification.
said by signmeuptoo:
If I were to build an Ivy Bridge system/Intel chipset w/UEFI, is it guaranteed that I can turn off secure boot? Will I have to shop carefully for a board that will?
Yes. Current Ivy Bridge and Sandy Bridge UEFI motherboards do not have "Secure Boot".
said by signmeuptoo:
What is supposed to be the point of secure boot, is it just a way to drive sales?
said by LXer:
Only because the richest software company on the planet is utterly incompetent, and incapable of building a secure operating system. So instead they bully the rest of the world into trying to mitigate the security disaster that is Microsoft Windows.
said by iTWire:
What better illustration of the way Microsoft does things? It is repeatedly able to persuade seemingly sane companies to join hands with it - and then yanks the equivalent of the ball away at the last minute...
UEFI is replacing BIOS, a much needed step forward. This "replacement" was pretty much completed in 2010, very few Mobos were shipped without either a UEFI emulator or pure UEFI with a BIOS emulator.
UEFI has many, MANY modules to it. One module is "Secure Boot" which is based off of an Intel initiative started in 1997. When Windows 8 launches later this year, OEM PCs and Mobos will be required to have the Secure Boot module installed, enabled by default, and have a firmware option to disable it in order to receive the "Made for Windows 8" sticker (certification). Every other OS on the planet can also take part in the newly released UEFI version that includes Secure Boot.
Windows 8 does NOT require Secure Boot to boot. It would lose "backwards compatibility" with customers, but more importantly, corporations/government. Windows 8 already has problems with corp/gov...
Microsoft is the first to the party for a Secure Boot OS in retail space, they are neither the inventors nor financially lucrative direct benefactors for Secure Boot. Linux and Unix have been at this game longer using closed source kernel modifications and programs in the government/corporate spaces.
AGAIN: Microsoft did not invent Secure Boot; Microsoft does not make money off of Secure Boot.
1. Who "owns" Secure Boot? Intel. US 5937063
2. Is Secure Boot new? The name in retail space: yes; the concept: no. Specific TPM and TXT, to include server and workstation, as well as mobile, have used Intel's EFI trusted boot in different variations since 2006, possibly earlier in government/ultra-cost corporate security. "Private" Linux has made good money off of using these specifications to secure servers and workstations. "Public" Linux has been against any sort of "trusted" or "secure" boot process where signing or BLOB insertion from a for-profit corporation is involved. This ain't new folks. UEFI is NOT-for-profit, so the "Microsoft" name is used as often and incorrectly as possible in reference to "Secure Boot" in order to continue the same argument without having to think too hard. Unfortunately, UEFI and "Secure Boot" isn't all that bad of an idea and direct marketing against it is NOT an option; it does help secure a boot against a rootkit, it can help stop USB sticks from infecting the entire network, it can allow corporations to "remotely kill" their stolen hardware's pre-installed OS. Since it can't be attacked directly, it must be attached to an already hate-inducing name for the mindless zombies to rise up. It is almost as if a double-agent works for Microsoft in their marketing department. They released exactly what was needed to excite the drooling zerg.
a. Shut off the newly implemented security feature.
b. Sign the boot files and process according to the UEFI (Intel's) specifications.
White papers on how to do b. exist from the LinuxFoundation as well as various OpenSource initiative groups. This is where fragmentation hurts. The hope was the kernel itself would step up and globally sign "Linux" for all. Each distro could then piggy back on the PeK for "LINUX".
Other distros? Silent. Concerned, but silent. "Shut it off, move on" is the consensus in Gentoo, Arch, and even a majority opinion on the Ubuntu forums. RedHat is "for profit", though, and can NOT lose the security perception game.
3. Who implemented it for retail use, was it Microsoft? NO. Intel licensed EFI 1.10 to the UEFI board for use. They then terminated EFI. Future revisions to the spec will be owned, voted, and implemented from the UEFI board. The UEFI board was the one who voted and implemented Secure Boot for retail based off of "trusted computing" within the Intel EFI 1.10 spec; introduced in 2003.
4. Microsoft owns the board then, right? Close, but not really. Too many Apache server money making companies:
Members of UEFI board:
AMD and Intel: hardware manufacturers and HUGE open source contributors.
Insyde, American Megatrends Inc, Phoenix Technologies: the big "3" UEFI/BIOS writers. They sell to hardware only.
Lenovo, Dell, Hewlett Packard, IBM: OEMs... Hewlett Packard, IBM: They are ODMs for Unix/Linux, where most, if not all, of their profit resides.
Apple and Microsoft: The "big 2" closed source OS makers.
5. Microsoft needs "security" more than anyone else, so that is why they are pushing this?
Microsoft is first to the party implementing this tool to help stop rootkits. In the last decade, "security" has been lacking. It is an industry that is worsening, not getting tighter. Many websites get "hacked", passwords are found and spread, governments are committing "Cyber War". Linux is not immune to rootkits and rules the server market share world.
LINUX IS NOT IMMUNE TO ROOTKITS
Verifiable public proof? How about the 2 most well known:
Linux Kernel's Dev Boxes, Servers and Website Rooted in Hack
Rooted Smart phones
To claim Secure Boot is a Microsoft push to "fix their broken OS" is naive, ignorant, or just an awesome spectacular of stupid. Rootkits are affecting everything with "computing power" on the planet. Hardware vendors have a few solutions they want to implement with "service" revenue tied to them (non-retail spaces). Attacks are everywhere, security is needed now:
LARGE MONEY needs security and uses LINUX more than Microsoft. LARGE MONEY has been attacked with their "can't be attacked" Linux servers.
LARGE MONEY demands higher security.
Microsoft is a speck of dirt on planet LARGE MONEY... find a new straw man.
Show off that hardware: join Team Discovery and Team Helix
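
An added example, not part of the original post: a way to check on a Linux machine which of the states discussed above the firmware is in (setup mode with no platform key enrolled, or an enrolled key with Secure Boot enforcing or switched off). It reads the UEFI specification's `SecureBoot` and `SetupMode` global variables through efivarfs; the function names and the `make_sample` helper that writes constructed variable files for offline runs are assumptions of this example.

```python
import os

# EFI global variable GUID from the UEFI specification; efivarfs names
# each file <VariableName>-<VendorGUID>.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efivar(root, name):
    """Return a variable's payload, or None if it is absent or truncated.
    efivarfs prefixes the data with a 4-byte little-endian attributes field."""
    path = os.path.join(root, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    return raw[4:] if len(raw) > 4 else None


def secure_boot_state(root="/sys/firmware/efi/efivars"):
    """Classify the firmware state from the SecureBoot and SetupMode variables."""
    if not os.path.isdir(root):
        return "no efivarfs: legacy BIOS boot or efivarfs not mounted"
    secure_boot = read_efivar(root, "SecureBoot")
    setup_mode = read_efivar(root, "SetupMode")
    if secure_boot is None or setup_mode is None:
        return "firmware exposes no Secure Boot variables"
    if setup_mode[0] == 1:
        # Setup mode: no platform key is enrolled, so the owner can install one.
        return "setup mode: no platform key enrolled, not enforcing"
    if secure_boot[0] == 1:
        return "user mode: platform key enrolled, Secure Boot enforcing"
    return "user mode: platform key enrolled, Secure Boot disabled in firmware"


def make_sample(root, secure_boot, setup_mode):
    """Write constructed variable files (attributes 0x06 = BS|RT) for offline runs."""
    for name, value in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write((0x06).to_bytes(4, "little") + bytes([value]))


if __name__ == "__main__":
    print(secure_boot_state())
```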