LinuxQuestions.org > General > Win2012 wants Secure Boot - damn? (https://www.linuxquestions.org/questions/general-10/win2012-wants-secure-boot-damn-4175537383/)

Pearlseattle 03-20-2015 05:34 PM

Win2012 wants Secure Boot - damn?
 
Hi

I just saw here (slide 2 of 4) that Windows 2012 will require a UEFI bios and especially "Secure Boot" to be enabled.

I don't want to write right now the exact details - all I want to mention is that when I read that my first thoughts were "aaahhh, not again that s**t".

What are your thoughts?

dugan 03-20-2015 05:43 PM

Quote:

I just saw here (slide 2 of 4) that Windows 2012 will require a UEFI bios and especially "Secure Boot" to be enabled.
No, it doesn't. It no longer requires Secure Boot to be optional. OEMs will have the option of allowing Secure Boot to be turned off, whereas before they were required to allow it to be turned off.

My thought? Lame move on the part of MS.

Pearlseattle 03-20-2015 07:05 PM

Quote:

It no longer requires Secure Boot to be optional.
Mmmhh, so "Secure Boot" will be mandatory?

dugan 03-20-2015 07:07 PM

Yes.

http://arstechnica.com/information-t...out-a-reality/

Uhm... that's what you said in the first place... AARRRGGH CORPORATE DOUBLESPEAK MY LOGIC CIRCUITS HURT

It will be mandatory to ship with Secure Boot enabled. It will be optional to allow the user to turn it off.

smeezekitty 03-20-2015 10:10 PM

Quote:

It will be mandatory to ship with Secure Boot enabled. It will be optional to allow the user to turn it off.
Obviously it has nothing to do with security and everything to do with anti-competitive vendor lock-in. I knew this would happen even though many didn't believe me.

frankbell 03-20-2015 10:14 PM

"Secure Boot" translates to "Secure Market Share."

dugan 03-21-2015 10:06 AM

Quote:

Originally Posted by smeezekitty (Post 5335426)
Obviously it has nothing to do with security and everything to do with anti-competitive vendor lock-in. I knew this would happen even though many didn't believe me.

Quote:

Originally Posted by frankbell (Post 5335428)
"Secure Boot" translates to "Secure Market Share."

Quite the refutation of the "companies don't care about the Linux desktop because it has 'only' 2 market share" argument, isn't it.

If Microsoft didn't care, they wouldn't do this.

Head_on_a_Stick 03-21-2015 10:22 AM

Secure Boot is designed to prevent pre-boot malware.

It has nothing to do with "locking out" other operating systems -- Ubuntu, Fedora & OpenSUSE will all install a Secure Boot compliant system.

It is even possible to create your own keys, enrol them into the firmware (BIOS) and sign the kernel image & boot loader/manager to achieve a Secure Boot set up that is completely independent of the Microsoft licence.
http://kroah.com/log/blog/2013/09/02...d-linux-kernel

273 03-21-2015 10:39 AM

Quote:

Originally Posted by Head_on_a_Stick (Post 5335577)
It is even possible to create your own keys, enrol them into the firmware (BIOS) and sign the kernel image & boot loader/manager to achieve a Secure Boot set up that is completely independent of the Microsoft licence.
http://kroah.com/log/blog/2013/09/02...d-linux-kernel

Not when Windows 10 machines are released. Well, to be more precise, it is not guaranteed that it will be possible to create one's own keys on a Windows 10 machine as M$ are removing that requirement for vendors to be able to mark their equipment Windows compatible.
I am sure some vendors will continue to play fair but some may be paid by M$ to lock down secure boot and some may find it cheaper to do so.
So, this isn't "the sky is falling" but it is a slightly worrying move.

Hungry ghost 03-21-2015 11:15 AM

I wonder if secure boot prevents computers from getting infected with the Equation Group malware. Something tells me it doesn't :rolleyes:

TobiSGD 03-21-2015 11:56 AM

Quote:

Originally Posted by odiseo77 (Post 5335601)
I wonder if secure boot prevents computers from getting infected with the Equation Group malware. Something tells me it doesn't :rolleyes:

It depends on how that malware works. If it makes changes to the bootloader or kernel then it shouldn't work with Secure Boot enabled.

Hungry ghost 03-21-2015 12:16 PM

Well, according to Wikipedia, the Equation Group malware "infects the hard drive firmware, which in turn adds instructions to the disk's master boot record that causes the software to install each time the computer is booted up." So I guess this means secure boot should -- in theory -- prevent the malware from running. In any case, I wouldn't risk my neck for it :)

linux4everybody 03-21-2015 02:19 PM

If I bought a system that didn't allow me to disable secure boot, I'll complain to the customer/tech support people and tell them I don't like using windows and I only use linux. If they refuse, I'll just get my refund.

I believe if you plan to use Linux only, a system from System76 or ZaReason is best.

smeezekitty 03-21-2015 02:24 PM

Quote:

Originally Posted by linux4everybody (Post 5335677)
If I bought a system that didn't allow me to disable secure boot, I'll complain to the customer/tech support people and tell them I don't like using windows and I only use linux. If they refuse, I'll just get my refund.

I believe if you plan to use Linux only, a system from System76 or ZaReason is best.

The problem is that it removes the possibility for non highly computer-savvy people to try alt OSes. Not even a live cd.

Head_on_a_Stick 03-21-2015 02:28 PM

Quote:

Originally Posted by smeezekitty (Post 5335681)
The problem is that it removes the possibility for non highly computer-savvy people to try alt OSes. Not even a live cd.

Apart from Ubuntu, Fedora & OpenSUSE live CDs all of which will boot and install a working system with Secure Boot enabled...

273 03-21-2015 02:29 PM

Quote:

Originally Posted by smeezekitty (Post 5335681)
The problem is that it removes the possibility for non highly computer-savvy people to try alt OSes. Not even a live cd.

Indeed. For those of us more in the know I'm sure there will be lists of hardware vendors or products where secure boot can be switched off or more keys added. As you note the problem here is there will be people who cannot choose to try Linux due to the restrictions.
There is hope though as both Canonical and Red Hat are able to sign their boot loaders, though a google tells me that Canonical's may be signed by the wrong key currently.

273 03-21-2015 02:30 PM

Quote:

Originally Posted by Head_on_a_Stick (Post 5335685)
Apart from Ubuntu, Fedora & OpenSUSE live CDs all of which will boot and install a working system with Secure Boot enabled...

Since I pushed this thread over a page after your post I'll quote it so others can see and thank you for the heads-up of what to try in my "secure boot" experiments when I get my secondary laptop fixed.

smeezekitty 03-21-2015 06:06 PM

And what if the next step is to disallow third party signers? or charge an exorbitant fee to have it signed?

TobiSGD 03-22-2015 07:02 AM

Quote:

Originally Posted by smeezekitty (Post 5335751)
And what if the next step is to disallow third party signers? or charge an exorbitant fee to have it signed?

Won't happen. Microsoft's biggest fear is another anti-trust lawsuit. That is why they made it mandatory to have an option to disable it for Windows 8. Now that there are competitors that also have the possibility to use Secure Boot they don't have to care about that anymore. But third party signing is wanted by the industry and making signing expensive may open the possibility of another lawsuit.

Pearlseattle 03-22-2015 08:13 AM

Quote:

It will be mandatory to ship with Secure Boot enabled. It will be optional to allow the user to turn it off.
@Dugan
Thx, now I understood :)

@TobiSGD
Quote:

If it makes changes to the bootloader or kernel then it shouldn't work with Secure Boot enabled.
So, how does it work? E.g. "Secure Boot" fires up only bootloaders (e.g. Grub, Windows bootloader, etc...) that have been appropriately signed and that one in turn loads only a kernel that has been signed as well appropriately?

Thx

TobiSGD 03-22-2015 01:28 PM

Quote:

Originally Posted by Pearlseattle (Post 5335912)
So, how does it work? E.g. "Secure Boot" fires up only bootloaders (e.g. Grub, Windows bootloader, etc...) that have been appropriately signed and that one in turn loads only a kernel that has been signed as well appropriately?

Thx

Yes, that is how it works. From that point on the OS is responsible for security.

smeezekitty 03-22-2015 02:13 PM

Quote:

Originally Posted by TobiSGD (Post 5335884)
Won't happen. Microsoft's biggest fear is another anti-trust lawsuit. That is why they made it mandatory to have an option to disable it for Windows 8. Now that there are competitors that also have the possibility to use Secure Boot they don't have to care about that anymore. But third party signing is wanted by the industry and making signing expensive may open the possibility of another lawsuit.

They have been taking away user freedom one step at a time. Don't underestimate what greedy corporations will do.

Pearlseattle 03-22-2015 03:26 PM

Quote:

Originally Posted by TobiSGD (Post 5336042)
Yes, that is how it works. From that point on the OS is responsible for security.

So, on:
  • Linux
    Do I have to sign the kernel every time I recompile it?
  • Windows
    If my father downloads "something" and keeps on clicking on "yes" even when it asks if the kernel or some drivers should be updated he still will end up with a virus/whatever, he will still end up having the system compromised, right?
Thank you

TobiSGD 03-23-2015 06:44 AM

Quote:

Originally Posted by Pearlseattle (Post 5336076)
So, on:
  • Linux
    Do I have to sign the kernel every time I recompile it?

As I understand it, yes. Keep in mind that Secure Boot is not aimed at kernel developers, but at enterprise and the "common user". In those environments kernels don't change often.

Quote:

Originally Posted by Pearlseattle (Post 5336076)
  • Windows
    If my father downloads "something" and keeps on clicking on "yes" even when it asks if the kernel or some drivers should be updated he still will end up with a virus/whatever, he will still end up having the system compromised, right?

Yes, the whole purpose of Secure Boot is to be able to have a trusted boot chain.

smeezekitty 03-23-2015 12:32 PM

Quote:

Yes, the whole purpose of Secure Boot is to be able to have a trusted boot chain.
But it doesn't help at all once the system is booted. What it DOES do is make it harder to install a more secure OS in the first place.

linux4everybody 03-23-2015 01:27 PM

I feel this way and I don't care what others say: if I pay for the computer, I should install whatever I want. I always removed a pre-installed windows OS with linux. These vendors and OEMs think that windows is the only player in town. Not everybody likes to use windows as there are other operating systems out there. It would piss me off if secure boot is greyed out and I can't disable it.

Secure boot sucks, Microsoft sucks and OEMs that prevent us from disabling secure boot suck even more!!!!!!!!!!!!!!!

smeezekitty 03-23-2015 01:41 PM

Quote:

Secure boot sucks, Microsoft sucks and OEMs that prevent us from disabling secure boot suck even more
Yep. As a tinkerer, being able to boot whatever I want is very important.

TobiSGD 03-23-2015 01:49 PM

Quote:

Originally Posted by smeezekitty (Post 5336460)
But it doesn't help at all once the system is booted. What it DOES do is make it harder to install a more secure OS in the first place.

Of course it doesn't help after the system is booted. That is not what it was designed for. The point is, your OS can be as secure as you want, it still can't be trusted without having a trusted boot chain. Secure Boot fixes this issue. And of course it does make it harder to install an OS that is not signed, this is also by design. What worth would a trusted boot chain have if you just could pop in a Knoppix or Puppy CD/USB to circumvent all that stuff?

TobiSGD 03-23-2015 01:50 PM

Quote:

Originally Posted by linux4everybody (Post 5336482)
I feel this way and I don't care what others say: if I pay for the computer, I should install whatever I want. I always removed a pre-installed windows OS with linux. These vendors and OEMs think that windows is the only player in town. Not everybody likes to use windows as there are other operating systems out there. It would piss me off if secure boot is greyed out and I can't disable it.

Secure boot sucks, Microsoft sucks and OEMs that prevent us from disabling secure boot suck even more!!!!!!!!!!!!!!!

From a security point of view, Secure Boot does not suck. But anyways, it is as it always is in the corporate world: Vote with your money, if an OEM does not allow you to disable Secure Boot then just don't buy their products.

veerain 03-23-2015 02:08 PM

Quote:

Originally Posted by 273 (Post 5335584)
Not when Windows 10 machines are released. Well, to be more precise, it is not guaranteed that it will be possible to create one's own keys on a Windows 10 machine as M$ are removing that requirement for vendors to be able to mark their equipment Windows compatible.
I am sure some vendors will continue to play fair but some may be paid by M$ to lock down secure boot and some may find it cheaper to do so.
So, this isn't "the sky is falling" but it is a slightly worrying move.

Yes, currently Ubuntu have got their own keys from MS to support Secure Boot and for Fedora it uses the shim bootloader from Matthew Garrett who got a key from MS.

What if Microsoft denies giving it or revokes already given one. An anti-trust case may be waiting in future.

mostlyharmless 03-23-2015 02:59 PM

Ah we're having yet another Secure Boot discussion. Well if someone could explain to me how it makes things more secure than a bios password and disabling boot from anything but the hard disk, I would be educated. And if you don't lock the bios, you can disable secure boot, or make an exception.

Mandatory and unable to disable would be a different problem, like on Windows RT on ARM tablets.

Signing your own certificates and keeping the Windows certificates seems possible for now, but it seems clear to me that there has always been an agenda here to be anti Linux, and like so many other losses of liberty it is justified by a false claim of increased security.

smeezekitty 03-23-2015 04:14 PM

Quote:

unable to disable would be a different problem
But that is what MS is doing. They are making the disable switch optional.
Quote:

but it seems clear to me that there has always been an agenda here to be anti Linux, and like so many other losses of liberty it is justified by a false claim of increased security.
Agreed. The quote in my sig fits well

273 03-23-2015 04:21 PM

Quote:

Originally Posted by mostlyharmless (Post 5336557)
Ah we're having yet another Secure Boot discussion. Well if someone could explain to me how it makes things more secure than a bios password and disabling boot from anything but the hard disk, I would be educated.

Simply put if you, for example, executed something with a root-privilege exploit on your system and the bootloader and/or kernel (depending upon implementation) were modified the system would warn you of this and not boot. Without "secure boot" you would boot your system and be none the wiser.
There are real security reasons for "secure boot" and the like and these concepts have been thrown around for decades with lots of people suggesting things in this vein. Just because M$ is using this as an excuse to be awkward does not mean the concept is completely without merit.
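The chain TobiSGD describes earlier in the thread (firmware verifies the boot loader, the boot loader verifies the kernel), Head_on_a_Stick's point that you can enrol your own key, and 273's point above that a modified kernel is refused can all be seen in one small model. The following is an added example written for this page; it is not code from any poster, from UEFI firmware, or from shim. It uses toy textbook RSA on fixed Mersenne primes (no padding, a modulus far too small for real use) and a single trusted-key list standing in for the firmware's db; real firmware checks PKCS#7/Authenticode signatures against a PK/KEK/db/dbx hierarchy, and shim keeps its own MOK list. The names toy_keypair, Image, Firmware and demo are this example's own.

```python
"""Toy model of a Secure Boot verification chain (educational, not UEFI code)."""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by both toy key pairs


def toy_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes. Constructed for this example;
    the primes used below are Mersenne primes, far too small for real use."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent (Python 3.8+)
    return (n, E), (n, d)        # (public key, private key)


def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the image, reduced into the toy modulus (no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest_int(data, n), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == digest_int(data, n)


@dataclass
class Image:
    """A boot stage as it sits on disk: code, its signature, and the
    public key the signature claims to be made with."""
    name: str
    code: bytes
    sig: int
    signer: tuple


class Firmware:
    """Firmware holding a list of enrolled public keys (the 'db' role)."""

    def __init__(self, db):
        self.db = set(db)

    def enroll(self, public):
        """Enrol an extra key, as a user doing their own signing would."""
        self.db.add(public)

    def check(self, image: Image) -> bool:
        # The key must be enrolled AND the signature must match the code.
        return image.signer in self.db and verify(image.signer, image.code, image.sig)

    def boot(self, bootloader: Image, kernel: Image) -> str:
        # Stage 1: firmware verifies the boot loader against enrolled keys.
        if not self.check(bootloader):
            return f"refused: {bootloader.name} not signed by an enrolled key"
        # Stage 2: the verified boot loader verifies the kernel the same way
        # (here it reuses the firmware db; shim would consult its own MOK list).
        if not self.check(kernel):
            return f"refused: {kernel.name} signature invalid or key not enrolled"
        return f"booted {bootloader.name} -> {kernel.name}"


def demo() -> dict:
    """Walk through the cases discussed in the thread and return the outcomes."""
    vendor_pub, vendor_priv = toy_keypair((1 << 89) - 1, (1 << 107) - 1)
    mine_pub, mine_priv = toy_keypair((1 << 61) - 1, (1 << 127) - 1)
    fw = Firmware(db=[vendor_pub])  # ships with only the vendor key enrolled

    def make(name, code, pub, priv):
        return Image(name, code, sign(priv, code), pub)

    grub = make("grub", b"bootloader v1", vendor_pub, vendor_priv)
    kernel = make("vmlinuz", b"kernel 3.19", vendor_pub, vendor_priv)
    results = {"signed": fw.boot(grub, kernel)}

    # A rootkit that patches the kernel on disk leaves the old signature
    # behind, so the digest no longer matches and the boot is refused.
    tampered = Image("vmlinuz", b"kernel 3.19 + rootkit", kernel.sig, vendor_pub)
    results["tampered"] = fw.boot(grub, tampered)

    # A self-built kernel signed with my own key is refused until that key
    # is enrolled in the firmware; after enrolment it boots.
    mykernel = make("vmlinuz-custom", b"kernel 4.0 custom", mine_pub, mine_priv)
    results["own_key_not_enrolled"] = fw.boot(grub, mykernel)
    fw.enroll(mine_pub)
    results["own_key_enrolled"] = fw.boot(grub, mykernel)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```

The model shows why a recompiled kernel needs re-signing (its digest changes) and why enrolling your own key keeps the protection intact rather than bypassing it: the firmware still refuses anything not signed by a key it has been told to trust.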

Hungry ghost 03-23-2015 05:01 PM

I'm not an expert on the matter and I haven't so far had the misfortune of using a computer with secure boot, but as I understand it, this technology protects only against a certain type of malware that composes only a fraction of all the malware found out there (boot malware, or whatever its name is). If the alleged protection it provides is an excuse for hardware manufacturers to prevent Linux and other OSs from running on their systems, then the benefits for us -- the end users -- are of negligible interest.

As for me, I'll try to avoid secure boot, or at least I'll make sure it can be disabled when I have to buy a new computer. If I'm paying for something I must have the right to do whatever I want with it, as other poster here said before.

Pearlseattle 03-23-2015 05:10 PM

Again, thank you all for your inputs :)

So finally, even if I have Secure Boot enabled and a 100% clean kernel, once my OS has booted I'm back in my old world where I just have to hope that my browser or pdf-plugin or any other SW I use for online banking hasn't been corrupted by malware, right?

273 03-23-2015 05:31 PM

Quote:

Originally Posted by Pearlseattle (Post 5336639)
Again, thank you all for your inputs :)

So finally, even if I have Secure Boot enabled and a 100% clean kernel, once my OS has booted I'm back in my old world where I just have to hope that my browser or pdf-plugin or any other SW I use for online banking hasn't been corrupted by malware, right?

Indeed, it's just another layer of security. Theoretically, also, since your OS (for example Ubuntu or Red Hat) installer disk was verified with a checksum, your bootloader and kernel are signed and you get all your software from the repositories (again, theoretical world) the attack surface is suddenly much smaller and relies only upon exploits and not somehow tricking you into installing something. Then you have something akin to iOS which, while I don't like using it, is likely a whole lot more secure, when used by a novice, than an average Windows or Linux PC. This, to my mind, is the kind of vision that "secure boot" was designed to move towards. And, as I mentioned, the concept isn't new and certainly isn't an M$ one.
Sadly M$ can't help using any feature to make things more difficult to avoid their products. This, to my mind at least, is the issue with "secure boot". As a feature it's a potentially decent idea and while it could be switched on, off or have keys added it was potentially a good thing for some Linux users, even. However, when implemented badly and, now, with the threat of being on by default with no facility to add more keys it becomes a real issue.
For what it's worth I have two laptops, from different manufacturers, both with Windows 8 installed and both had secure boot enabled. I was able to switch off secure boot and still have Windows 8 boot on both [and Windows 10 on the one I tried] -- I currently have dual-boot just using BIOS switching on one and this one uses GRUB. So, at present at least, manufacturers don't seem to be making things difficult in any way for Linux users. Hopefully I'll have a play in the next few weeks to see whether/how Linux can be installed with "secure boot" enabled. I just mention this since when I first heard of "secure boot" and UEFI I was dreading buying a new machine and now I have no idea what the fuss was about -- thanks to both hard-working Linux developers and sensible hardware manufacturers.

tuxdev 03-23-2015 05:47 PM

If it's easy to turn off secure boot, the boot isn't secure. Using hardware jumpers, or in the case of a laptop, a switch that requires a screwdriver to get access to, is *fine*. It's easy enough for anybody who really cares, and hard enough to not do unintentionally while requiring true physical access. Flip those to set the cert store into mutable mode, install keys, flip back, done. Keeps exposure time to a minimum.

Anyhow, the problem isn't in MS's court *at all*. All that's happening is MS is letting OEMs shoot themselves in the foot if they want to by not using a similar scheme as the one I've outlined. I'm not going to take "freedom, freedom" stuff seriously when it's in the same sentence as advocating MS to take away freedom from the OEMs.

mostlyharmless 03-23-2015 06:13 PM

@273 a root exploit is a bad enough problem and hardly needs to modify the kernel or bootloader in order to do just about anything. Seems like a corner case to me and a lot of effort to prevent it. It seems more plausible that the primary reason is anticompetitive, but of course it is difficult to judge motives, isn't it?

@smeezekitty agreed, optional usually turns into usual with no way to turn it off, and in this case Microsoft gets to blame the OEMs.

273 03-23-2015 06:35 PM

Quote:

Originally Posted by mostlyharmless (Post 5336672)
@273 a root exploit is a bad enough problem and hardly needs to modify the kernel or bootloader in order to do just about anything. Seems like a corner case to me and a lot of effort to prevent it. It seems more plausible that the primary reason is anticompetitive, but of course it is difficult to judge motives, isn't it?

No, it's not an "edge case", it's a foundation. If you don't know your boot loader is secure you don't know your kernel is secure and you don't know that anything else is. It's a starting point for a secure system which, as I have mentioned already, is a pretty well-known security principle and nothing new.
I have no love at all for M$ and, in fact, wish they would go bankrupt and disappear but I see no problem with the idea of securing bootloaders.

smeezekitty 03-23-2015 06:57 PM

Quote:

I'm not going to take "freedom, freedom" stuff seriously when it's in the same sentence as advocating MS to take away freedom from the OEMs.
The OEMs shouldn't be given freedom because if they do, they will just cost cut however they can at the expense of consumers.

Boot time exploits are not even a big problem in many business and server systems that have very long uptimes thus a running system exploit is the biggest danger.

mostlyharmless 03-23-2015 07:23 PM

@273 Ah, fair point. I suppose if you were sure of the bootloader and kernel, you could always reboot in a restricted mode (eg safe mode in windows) and be sure that nothing unauthorized was still active.

TobiSGD 03-24-2015 06:09 AM

Quote:

Originally Posted by tuxdev (Post 5336655)
If it's easy to turn off secure boot, the boot isn't secure. Using hardware jumpers, or in the case of a laptop, a switch that requires a screwdriver to get access to, is *fine*. It's easy enough for anybody who really cares, and hard enough to not do unintentionally while requiring true physical access. Flip those to set the cert store into mutable mode, install keys, flip back, done. Keeps exposure time to a minimum.

Secure Boot is not meant to stop attackers with physical access to the machine, there is in fact only one security feature that can help with this scenario and that is whole-disk-encryption, and even then it prevents only casual attackers, the three letter agencies will still have no problem to press you to give them the password (they call that "enhanced interrogation").

TobiSGD 03-24-2015 06:11 AM

Quote:

Originally Posted by mostlyharmless (Post 5336672)
@273 a root exploit is a bad enough problem and hardly needs to modify the kernel or bootloader in order to do just about anything. Seems like a corner case to me and a lot of effort to prevent it. It seems more plausible that the primary reason is anticompetitive, but of course it is difficult to judge motives, isn't it?

Rootkits are not a corner case problem, they are real and a threat. Secure Boot is designed to prevent those attacks.

TobiSGD 03-24-2015 06:15 AM

Quote:

Originally Posted by smeezekitty (Post 5336687)
Boot time exploits are not even a big problem in many business and server systems that have very long uptimes thus a running system exploit is the biggest danger.

A compromised system is a compromised system, no matter how it was compromised. Dismissing a security feature because there are other ways to compromise a system seems to me to be short sighted.

tuxdev 03-24-2015 01:05 PM

Quote:

Secure Boot is not meant to stop attackers with physical access to the machine, there is in fact only one security feature that can help this with this scenario and that is whole-disk-encryption, and even then it prevents only casual attackers, the three letter agencies will still have no problem to press you to give them the password (they call that "enhanced interrogation").
Sure. I'm more thinking "molly guard" type of security than anything else. The minor inconvenience is not meant to stop it entirely, but simply act as a "really really?" confirmation. When talking physical access, time is still a factor. It's reasonable to want to make sure Secure Boot can't get flipped off with 10 seconds of access, but not protect against 5 minutes.

mostlyharmless 03-24-2015 01:43 PM

@TobiSGD sorry if I was unclear, I did not mean that root kits were a corner case, but that specifically modifying the kernel or bootloader was. I'd also gotten the impression that denial of booting physical media was a primary object, which also doesn't make sense. However you and 273 have clarified the situation.

Pearlseattle 03-24-2015 03:03 PM

Is Microsoft the only company that is currently handling the root keys that come preinstalled with the BIOS?

If yes then this is probably 100% not fair, right?
Meaning: it's a company that is directly competing with whoever wishes to use those keys to boot some other bootloader (to then probably boot some other OS) => MS can be as nice as possible, but the temptation to favour its own OS or just hinder other OSs will always be present.

TobiSGD 03-24-2015 03:51 PM

Quote:

Originally Posted by Pearlseattle (Post 5337130)
Is Microsoft the only company that is currently handling the root keys that come preinstalled with the BIOS?

Verisign manages the keys, not Microsoft.

Pearlseattle 03-24-2015 04:07 PM

Quote:

Originally Posted by TobiSGD (Post 5337151)
Verisign manages the keys, not Microsoft.

Ooohh, that's good, actually great! :D

Pearlseattle 03-24-2015 04:11 PM

Quote:

Originally Posted by veerain (Post 5336521)
Yes, currently Ubuntu have got their own keys from MS to support Secure Boot and for Fedora it uses the shim bootloader from Matthew Garrett who got a key from MS.

What if Microsoft denies giving it or revokes already given one. An anti-trust case may be waiting in future.

So, is this information correct and if yes, why was MS involved? Why not get the keys directly from Verisign?
