On 2012-06-02 22:10, Michael Mol wrote: > I expect the chief mechanism is at the manufacturer's end; blacklisted > keys get included on shipment.
Makes sense. > It's also probable that the OS kernel can tell the UEFI BIOS about new > keys to blacklist. I expect that'll be a recurring thing in the > Monthly batch of security updates Microsoft puts out. (Makes sense, > really; if malware is using a key, blacklist that key.) Yes, would expect something like this. Secure boot supposedly prevents "unauthorized firmware, operating systems or UEFI drivers" at boot time. So if I interpret this correctly it would mean that if I have, say, an old graphics card with an old firmware (vga bios) I can't use it with "secure boot". More interestingly, how is an "operating system" defined? Does it mean only the kernel itself or does it mean a full-blown OS with init and other supporting software? What does that mean to a source based "distro"? Also, I would assume a legitimate key would be able to sign pretty much any binary so a key that Fedora uses could be used to sign malware for Windows, which then would be blacklisted by Microsoft... and how is malware defined? Anything that would be detrimental to Microsoft? > Someone linked to some absolutely terrible stuff being built into > Intel's Ivy Bridge...it's plausible it will be possible to deploy You mean: https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control ? > blacklist key updates over the network within a couple years. Well, UEFI already implements remote management: http://www.uefi.org/news/UEFI_Overview.pdf (page 13) ... so implementing an automatic update over the network, preferably via SMM/SMI so that the operating system cannot intervene would be possible already today... and you've lost control of your computer. I'm putting on my tinfoil hat now and I'm going to pretend it's raining... :-/ Best regards Peter K