Quote:
With Secure Boot disabled there is nothing to prevent a hacked system from booting. Quote:
|
Quote:
|
Quote:
The boot sector does not enjoy any special protection under Linux (or Windows, for that matter). If you can write to the boot device, you can modify the boot sector. Assuming the user lacks the necessary privileges to write directly to the device, there are two common attack vectors: 1. Application vulnerability > OS privilege escalation vulnerability > boot sector modification 2. Network-exploitable OS vulnerability [ > OS privilege escalation vulnerability ] > boot sector modification In the first scenario, the user is tricked into opening a specially-crafted file or visiting a compromised website. An application vulnerability causes code in the file/content to be executed. The code exploits an OS vulnerability to gain root privileges and alters the boot sector. In the second scenario the user isn't really involved at all, but this will only work if the attacker can access a service on the computer remotely. A vulnerability in the OS or a remotely accessible service is exploited to inject malicious code, which then proceeds to obtain root privileges (if necessary). It then modifies the boot sector. Quote:
|
Do you need it?
No Is it useful? Yes |
Frankly a motherboard manufacturer would be foolish to NOT have SecureBoot available in their UEFI products. Without it Windows 8 will not run and they will loose out on what is unarguably their largest market segment.
As I understand it SecureBoot is only enabled by default in systems sold with Windows 8 preinstalled, and even then there is a BIOS option to disable it (though Win 8 will refuse to boot if you do). The biggest problem is for those who wish to dual boot Win 8 and Linux. |
Quote:
In order to get the Windows 8 Logo certification, so that you can put a sticker on the box, the mainboard must use UEFI, support Secure Boot (with an option to disable it on non-ARM systems) and has to be shipped with enabled by default Secure Boot (not true for servers, Secure Boot may be disabled). That means that a machine that ships with Windows 8 pre-installed can be shipped without having UEFI or Secure Boot, but can also be shipped with Secure Boot enabled without an option to disable it, as long as it does not have the Windows 8 Logo certification. Sounds counter-intuitive and a little bit ironic, but having a Windows logo is the best way to make sure that you can install Linux. |
You are of course correct regarding older systems, and self-built. I had based it on what seemed to be a discussion of commercially purchased systems with Windows pre-installed. I daresay with the possible exception of smaller makers such as local shops and such, all the major players are going to be certified/logo bearing products.
|
I don't get the impression that Secure Boot / UEFI was designed by seasoned cryptologists. I'm not persuaded that it will prove to be as technically successful as hoped, and I will hereby wager a beer that it will be gone from Windows-8 as a requirement by, say, June of 2013.
|
Quote:
It's not just the bootloader but the entire boot chain that needs to work with it. Handling UEFI Secure Boot in smaller distributions: http://mjg59.dreamwidth.org/17542.html https://www.suse.com/blogs/uefi-secure-boot-details/ https://github.com/mjg59/shim/tree/mok |
Really - depending on Microsoft for the ability to use Linux is, at least for me, NOT an option.
|
Quote:
|
All times are GMT -5. The time now is 08:29 AM. |