OZO
Premium Member
join:2003-01-17

1 recommendation

OZO to FF4m3

Re: Complaint Against MS 'Secure Boot' Filed By EU Linux Group

This is not about security, it's about some company trying to silently grab and own computers, pushing other OS products away from customers.

If it was about security of the boot process, they would offer a vendor neutral solution. For example, 20 years ago I already had computers, that offered secure boot by protecting MBR. If some process was trying to make changes to it, I was asked to allow or restrict it. That was the way to protect from boot viruses and it worked very well.

Now, this "Secure Boot" offer is completely different. It locks the computer to a specific OS and doesn't allow booting any other OSes, unless you go deep into the BIOS settings and find an option that may change that (and for how long? the option may silently disappear one day in new computers)...

I'm sick and tired of bricked devices around me (modems locked to one ISP, cell phones that require paying third parties to unlock them from a specific provider, etc). I realize that it's all about money, the extra money they want to silently grab from consumers. I just don't like to be that consumer fooled by their marketing...
dave
Premium Member
join:2000-05-04
not in ohio

said by OZO:

For example, 20 years ago I already had computers, that offered secure boot by protecting MBR.

Which won't protect at all against something that (unknown to the system owner) overwrites the OS kernel file while running as root.

The only solutions I'm aware of to changing critical system files are:

(a) a return to disk drives with write-protect buttons, which requires an OS file system structure that never mixes writeable files with critical readonly-except-for-sanctioned-updates files.

(b) protecting the chain of control with crypto; which in turn leads to a key-handling problem [the MS solution to which is what I suppose most people are really objecting to]

It locks the computer to a specific OS and doesn't allow booting any other OSes,

You're misrepresenting the true situation here. The mechanism does not distinguish between specific operating systems. It restricts booting to OSes signed with a known key.

You surely know this, so I think this must be FUD.

firephoto
Truth and reality matters
Premium Member
join:2003-03-18
Brewster, WA

2 recommendations

said by dave:

You surely know this, so I think this must be FUD.

The results in the real world differ greatly from how this secure boot and UEFI thing is touted in this forum. The hardware that is designed around windows that has no restrictions from disallowing it to work with other operating systems doesn't have any requirement that mandates that it works with other operating systems and I believe you were the one that finely worded your sentence to reflect this fact. MS allows some features with secure boot and UEFI but does not in any way require those features that can assist other operating systems or non-customers and that has left a wide range of hardware that is microsoft friendly and buggy for other operating systems.

It's a money grab, a control grab, and a corporate ego that uses any method to stay relevant in a market they created through manipulation and deception.
OZO
Premium Member
join:2003-01-17

OZO to dave

said by dave:

said by OZO:

For example, 20 years ago I already had computers, that offered secure boot by protecting MBR.

Which won't protect at all against something that (unknown to the system owner) overwrites the OS kernel file while running as root.

Well, if some virus / rootkit wants to overwrite OS kernel, it will not be able to do so ... because it's protected by the kernel itself. If, on the other hand, I (and key word here is 'I', the owner) want to overwrite the kernel, I should be able to do so by loading e.g. a different OS, mounting the drive and then overwriting it as I please. And that's exactly what I'm going to do when I, for example, want to install any other OS there. I'm in control of the computer (and the OS on it), remember?
dave
Premium Member
join:2000-05-04
not in ohio

said by OZO:

Well, if some virus / rootkit wants to overwrite OS kernel, it will not be able to do so ...

Yes, if the user can guarantee that all software he runs as root will do only things he'd willingly agree to being done, then secure boot would not be needed.

Alas, that situation does not universally hold true, and therefore there is protection against some of the effects of malware execution.

(Note it's still not protecting against denial of service: your corrupted kernel won't boot. It's protecting against you unknowingly booting your corrupted kernel and thinking it's just fine).

I'm in control of the computer

Good. It's these people who claim that they're incapable of being in control of the computer -- because they can't manage to operate a BIOS option -- who will have problems.
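
Added example, not part of any post in this thread: a simplified model of the check dave describes in his two posts above (boot only images signed with a known key; a corrupted kernel is refused rather than booted unnoticed). The keys are constructed textbook-RSA keys built from small Mersenne primes, and `firmware_boot`, `trusted_moduli` and the image contents are hypothetical names and data, not real UEFI structures.

```python
import hashlib

E = 65537  # public exponent shared by both constructed keys

def make_key(p_exp, q_exp):
    """Constructed textbook-RSA key from two Mersenne primes (demo only, trivially factorable)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(image):
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign(image, key):
    """Sign the image hash with the private exponent (no padding: model only)."""
    return pow(digest(image), key["d"], key["n"])

def firmware_boot(image, signature, trusted_moduli, secure_boot=True):
    """Hypothetical firmware decision: it asks who signed the image, never which OS it is."""
    if not secure_boot:
        return "booted (unverified)"
    for n in trusted_moduli:
        if pow(signature, E, n) == digest(image):
            return "booted (verified)"
    return "refused"  # fails closed: the machine does not start this image

def demo():
    known, unknown = make_key(127, 521), make_key(107, 607)
    db = [known["n"]]  # the only key the firmware trusts
    os_a = b"constructed image: operating system A"
    os_b = b"constructed image: operating system B"
    corrupted = os_a + b"\x00overwritten while running as root"
    return {
        "os_a_known_key": firmware_boot(os_a, sign(os_a, known), db),
        "os_b_known_key": firmware_boot(os_b, sign(os_b, known), db),
        "os_b_unknown_key": firmware_boot(os_b, sign(os_b, unknown), db),
        # Old signature no longer matches the modified image.
        "corrupted_kernel": firmware_boot(corrupted, sign(os_a, known), db),
        # With the off switch used, the same corrupted image boots unnoticed.
        "corrupted_sb_off": firmware_boot(corrupted, sign(os_a, known), db,
                                          secure_boot=False),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```
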
dave

dave to firephoto

I'm not sure what your point is. Microsoft doesn't require independent hardware vendors to assist people who want to install other operating systems? Imagine that! Why would we want to give Microsoft that amount of control over hardware vendors where Windows is not concerned?

The situation is that if someone making hardware wants to display a Windows logo, then the hardware has to satisfy certain minimum requirements - which requirements now include "secure boot, on by default". This seems fair enough. The hardware still can work with Windows without that, the vendor just isn't permitted to display a Microsoft-owned seal of approval.

You're also complaining that this hardware vendor doesn't try very hard to make sure his product works with other operating systems. (And this complaint seems to be general from you, not specific to secure boot). Well, why should he? That's an expense for him. Just because you want him to sell something that meets your needs, it doesn't mean he has to. Don't misunderstand, I think it's sloppy engineering, but apparently there's a market for half-assed jobs.

Back on the secure-boot issue: there's an off switch. Turn it off. People allege that it will be 'difficult to find' but that is not a discussion you can sensibly have, absent any actual example of such a thing. What's the vendor's motive in making it difficult to find? Under-the-counter influence from Redmond? Incompetence? We know the off switch has to work if the vendor wants logo conformance.