Win2012 wants Secure Boot - damn?
Hi
I just saw here (slide 2 of 4) that Windows 2012 will require a UEFI bios and especially "Secure Boot" to be enabled. I don't want to write right now the exact details - all I want to mention is that when I read that my first thoughts were "aaahhh, not again that s**t". What are your thoughts? |
Quote:
My thought? Lame move on the part of MS. |
Quote:
|
Yes.
http://arstechnica.com/information-t...out-a-reality/ Uhm... that's what you said in the first place... AARRRGGH CORPORATE DOUBLESPEAK MY LOGIC CIRCUITS HURT It will be mandatory to ship with Secure Boot enabled. It will be optional to allow the user to turn it off. |
Quote:
even those many didn't believe me. |
"Secure Boot" translates to "Secure Market Share."
|
Quote:
Quote:
If Microsoft didn't care, they wouldn't do this. |
Secure Boot is designed to prevent pre-boot malware.
It has nothing to do with "locking out" other operating systems -- Ubuntu, Fedora & OpenSUSE will all install a Secure Boot compliant system. It is even possible to create your own keys, enrol them into the firmware (BIOS) and sign the kernel image & boot loader/manager to acheive a Secure Boot set up that is completely independent of the Microsoft licence. http://kroah.com/log/blog/2013/09/02...d-linux-kernel |
Quote:
I am sure some vendors will continue to play fair but some may be paid by M$ to lock down secure boot and some may find it cheaper to do so. So, this isn't "the sky is falling" but it is a slightly worrying move. |
I wonder if secure boot prevents computers to get infected with the Equation Group malware. Something tells me it doesn't :rolleyes:
|
Quote:
|
Well, according to Wikipedia, the Equation Group malware "infects the hard drive firmware, which in turn adds instructions to the disk's master boot record that causes the software to install each time the computer is booted up." So I guess this means secure boot should -- in theory -- prevent the malware from running. In any case, I wouldn't risk my neck for it :)
|
If I bought a system that didn't allow me to disable secure boot, I'll complain to the customer/tech support people and tell them I don't like using windows and I only use linux. If they refuse, I'll just get my refund.
I believe if you plan to use inux only a system from system76 or zareason is best. |
Quote:
|
Quote:
|
Quote:
There is hope though as both Canonical and Red Hat are able to sign their boot loaders, though a google tells me that Canonical's may be signed by the wrong key currently. |
Quote:
|
And what if the next step is to disallow third party signers? or charge an exorbitant fee to have it signed?
|
Quote:
|
Quote:
Thx, now I understood :) @TobiSGD Quote:
Thx |
Quote:
|
Quote:
|
Quote:
|
Quote:
|
Quote:
|
I feel this way and I don't care what others say, if I pay for the computer, I should install whatever I want. I always removed a pee-installed windows OS with linux. These vendors and OEMs think that windows is the only player in town. Not everybody likes to use windows as there are other operating systems out there. It would piss me off if secure boot is grey-out and I can't disable it.
Secure boot sucks, Microsoft sucks and OEMs that prevent us to disable secure secure boot suck even more!!!!!!!!!!!!!!! |
Quote:
|
Quote:
|
Quote:
|
Quote:
What if Microsoft denies giving it or revokes already given one. An anti-trust case may be waiting in future. |
Ah we're having yet another Secure Boot discussion. Well if someone could explain to me how it makes things more secure than a bios password and disabling boot from anything but the hard disk, I would be educated. And if you don't lock the bios, you can disable secure boot, or make an exception.
Mandatory and unable to disable would be a different problem, like on Windows RT on ARM tablets. Signing your own certificates and keeping the Windows certificates seems possible for now, but it seems clear to me that there has always been an agenda here to be anti Linux, and like so many other losses of liberty it is justified by a false claim of increased security. |
Quote:
Quote:
|
Quote:
There are real security reasons fro "secure boot" and the like and these concepts have been thrown around for decades with lots of people suggesting things in this vein. Just because M$ is using this as an excuse to be awkward does not mean the concept is completely without merit. |
I'm not an expert on the matter and I haven't so far had the misfortune of using a computer with secure boot, but as I understand it, this technology protects only against a certain type of malware that composes only a fraction of all the malware found out there (boot malware, or whatever its name is). If the alleged protection it provides is an excuse for hardware manufacturers to prevent Linux and other OSs from running on their systems, then the benefits for us -- the end users -- are of negligible interest.
As for me, I'll try to avoid secure boot, or at least I'll make sure it can be disabled when I have to buy a new computer. If I'm paying for something I must have the right to do whatever I want with it, as other poster here said before. |
Again, thank you all for your inputs :)
So finally, even if I have Secure Boot enabled and a 100 clean kernel, once my OS has booted I'm back in my old world where I just have to hope that my browser or pdf-plugin or any other SW I use for online banking hasn't been corrupted by malware, right? |
Quote:
Sadly M$ can't help using any feature to make things more difficult to avoid their products. This, to my mind at least, is the issue with "secure boot". As a feature it's a potentially decent idea and while it could be switched on, off or have keys added it was potentially a good thing for some Linux users, even. However, when implemented badly and, now, with the threat of being on by default with no facility to add more keys it becomes a real issue. For what it's worth I have two laptops, from different manufacturers, both with Windows 8 installed and both had secure boot enabled. I was able to switch off secure boot and still have Windows 8 boot on both [and Windows 10 on the one I tried] -- I currently have dual-boot just using BIOS switching on one and this one uses GRUB. So, at present at least, manufacturers don't seem to be making things difficult in any way for Linux users. Hopefully I'll have a play in the next few weeks to see whether/how Linux can be installed with "secure boot" enabled. I just mention this since when I first heard of "secure boot" and UEFI I was dreading buying a new machine and now I have no idea what the fuss was about -- thanks to both hard-working Linux developers and sensible hardware manufacturers. |
If it's easy to turn off secure boot, the boot isn't secure. Using hardware jumpers, or in the case of a laptop, a switch that requires a screwdriver to get access to, is *fine*. It's easy enough for anybody who really cares, and hard enough to not do unintentionally while requiring true physical access. Flip those to set the cert store into mutable mode, install keys, flip back, done. Keeps exposure time to a minimum.
Anyhow, the problem in MS's court *at all*. All that's happening is MS is letting OEMs shoot themselves in the foot if they want to by not using a similar scheme as the one I've outlined. I'm not going to take "freedom, freedom" stuff seriously when it's in the same sentence as advocating MS to take away freedom from the OEMs. |
@273 a root exploit is a bad enough problem and hardly needs to modify the kernel or bootloader in order to do just about anything. Seems like a corner case to me and a lot of effort to prevent it. It seems more plausible that the primary reason is anticompetitive, but of course it is difficult to judge motives, isn't it?
@smeezekitty agreed, optional usually turns into usual with no way to turn it off, and in this case Microsoft gets to blame the OEMs. |
Quote:
I have no love at all for M$ and, in fact, wish they would go bankrupt and disappear but I see no problem with the idea of securing bootloaders. |
Quote:
Boot time exploits are not even a big problem in many business and server systems that have very long uptimes thus a running system exploit is the biggest danger. |
@273 Ah, fair point. I suppose if you were sure of the bootloader and kernel, you could always reboot in a restricted mode (eg safe mode in windows) and be sure that nothing unauthorized was still active.
|
Quote:
|
Quote:
|
Quote:
|
Quote:
|
@TobiSGD sorry if I was unclear, I did not mean that root kits were a corner case, but that specifically modifying the kernel or bootloader was. I'd also gotten the impression that denial of booting physical media was a primary object, which also doesn't make sense. However you and 273 have clarified the situation.
|
Is Microsoft the only company that is currently handling the root keys that come preinstalled with the BIOS?
If yes then this is probably 100% not fair, right? Meaning: it's a company that is directly competing with whoever wishes to use those keys to boot some other bootloader (to then probably boot some other OS) => MS can be as nice as possible, but the temptation to favour its own OS or just hinder other OSs will always be present. |
Quote:
|
Quote:
|
Quote:
|
All times are GMT -5. The time now is 03:02 PM. |