Hello Roger, Roger Leigh <[email protected]> wrote: > This depends upon the hardware. You might not be able to disable it. > In fact, Microsoft *require* that it can't be disabled on ARM hardware > carrying a "certified for Windows 8" (or whatever) badge. This > hardware will only be capable of booting signed code. No way of > disabling it or changing the key. I doubt that Microsoft has any effect on the ARM market at the moment, since it appears to be dominated by Android and iOS?
> One could argue that "it's only ARM hardware, who cares", but ARM is
> quite likely to displace intel as the common denominator in hardware.
> I for one am looking forward to 64-bit ARM hardware, and it'll be
> replacing my noisy and power hungry PC PDQ!
Of course, we don’t know what the future brings, but I think it will
take a few more years until ARM has replaced x86/amd64, if that ever
happens.
> This *is* a problem--
> Microsoft have de-facto complete control over the hardware by requiring
> signed code. Even on the PC, where it's "optional", you are entirely
> at the mercy of the motherboard vendor regarding the ability to disable
> or replace keys.
We shall see how this works out with regard to anti-trust laws.
> > However, I welcome the fact that attacks on Windows will be made more
> > difficult, since that also means smaller botnets, fewer vulnerable
> > computers etc.
>
> It will have zero effect. Not only was the certificate effectively
> compromised by allowing arbitrary code to be signed apparently by
> Microsoft (see recent news)
Of course, this incident is not nice at all - but then again, it only
became public now and I imagine Microsoft to having reacted quickly.
Additionally, I doubt that any other major institution signing such
software will only sign non-malware/bug-free software. Given that
Microsoft has been in the field for a few years, their count is not
too bad.
> how effective is the security when you
> have the ability to chainload GRUB? Once you can do that, you can
> load any arbitrary code of your choice. Any malware worth its salt
> will just co-opt the Linux bootloader and continue on its way.
> Effective security gained: none.
Isn’t that the reason the small boot loader signed by MS for Fedora
(according to their plans) will only load a signed Grub which will
only load signed kernels etc.?
I agree that there are problems with secure boot, mainly because
mainboard manufacturers might block users from managing the keys on
their computers. However, I think that – provided that users are free
to change these keys or disable secure boot – this will help computer
security.
Best regards,
Claudius
--
Real programmers can write assembly code in any language. :-)
-- Larry Wall in <[email protected]>
http://chubig.net telnet nightfall.org 4242
signature.asc
Description: PGP signature
