New SecureBoot Concerns Arise With Windows 10


  • #51
    Originally posted by Truth
    Oh quite the opposite dear duby229, I am your superior in every regard. You are a meaningless little worm compared to the glory of Truth, and I can quite understand how you shrink in my shining light.

    Face up to the mortality of your dead ideology, and be useful for once in your life.

    But I think we both know you just whinge about Microsoft like the little scrub you are. How I look forward to them extinguishing you.
    Wow....

    Dumbass....



    • #52
      duby229, don't bother with that troll. He obviously cannot be educated so everything you write to him will be in vain.

      Originally posted by Maxim Levitsky
      Have you heard of Intel Boot Guard? Evil laugh..

      I have said from day one that this will happen.
      Yes, the combination of Boot Guard and forced Secure Boot is a pretty bad one. Forced Secure Boot means that an evil Microsoft could blacklist boot loader signatures and render Linux systems unbootable. Boot Guard ensures that defending against this by modifying or replacing UEFI becomes impossible.

      The next steps on that slope are:
      • Hardware vendors must include Secure Boot function.
        Critics are placated with an option to disable it and the possibility for users to install their own keys.
      • Secure Boot must be enabled by default
      • Optional Boot Guard technology is introduced to prevent firmware modification
      • Secure Boot can become mandatory if the hardware vendor chooses so << we are here
      • Ability to install user keys in UEFI becomes optional
      • Hardware vendors must enable Secure Boot permanently
      • Boot Guard becomes mandatory
      • Ability to install user keys in UEFI becomes forbidden


      Originally posted by Maxim Levitsky
      Open source silicon is the only way around this madness but it won't happen soon, I'm afraid.
      In the meantime we can buy computers that have unlockable firmware and don't participate in the UEFI madness (like Chromebooks).



      • #53
        But what if the best motherboards are locked and you want to use the OS you want? From my point of view the only solution would be to replace the chips that have locked crap inside or steal source/keys/specs from the company.

        If hardware becomes like a dictatorship then we must fight in ways that make companies afraid of locking out users. No more softy internet petitions; physical fight is the only viable option.



        • #54
          If we do not act now then in future every machine must be "approved" and even connected to the internet to work.



          • #55
            With the upcoming Windows 10 hardware certification program by Microsoft, they aren't going to enforce that enabling/disabling SecureBoot be an option.
            Which in reality means MS is going to make sure that it's NOT an option.



            • #56
              Originally posted by prodigy_
              Which in reality means MS is going to make sure that it's NOT an option.
              A friend said today that you can reset Secure Boot in UEFI anyway, so that you can make it think whatever certs you want are trusted. Turning it off completely is unnecessary.



              • #57
                Originally posted by Sonadow
                Generally I think business-class notebooks will get the option so that sysadmins can use cloning software to image the machines. I already had problems with cloning Win 8 machines in my company with established software such as Acronis, Comodo and Ghost, all of which were addressed when I disabled SB for the cloning process, then subsequently enabled it after the cloning was done.

                On another note, I have a feeling OEMs may remove the option to disable SB, but retain the option to load custom certificates. If that is the case, distributions will need to make sure that they ship the cert together with the image so that it can be enrolled in the SB database.
                I would most likely check on whether a particular mobo supports disabling SB especially for Win10. If not I will look elsewhere.

                Most likely mobo makers will have Win8/10 certified boards, so if that's the case I'd make sure I can at least load a custom cert and also make sure a signed kernel is used. Looks like distros will soon have to make sure their live CDs have a signed kernel in order for them to boot.

                Comment
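Added example, not part of any post in this thread: posts #56 and #57 turn on whether Secure Boot is enforced and which certificates the firmware's `db` trusts, and on Linux both can be read from efivarfs (`/sys/firmware/efi/efivars/`). The Python below parses the `SecureBoot`, `SetupMode` and `db` variable formats; the sample bytes and the owner GUID are constructed for illustration.

```python
import struct
import uuid
# Signature type GUIDs defined by the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPES = {X509: "x509", SHA256: "sha256"}

def read_flag(raw):
    """efivarfs file: 4 attribute bytes, then the 1-byte SecureBoot/SetupMode value."""
    if len(raw) != 5:
        raise ValueError("expected 4 attribute bytes + 1 data byte")
    return raw[4] == 1

def parse_signature_lists(raw):
    """Return [(type, owner GUID, payload)] from a db/dbx/KEK/PK efivarfs file."""
    data, off, entries = raw[4:], 0, []          # skip the efivarfs attribute word
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = list_size - 28 - hdr_size         # bytes holding EFI_SIGNATURE_DATA entries
        if sig_size < 16 or body < 0 or body % sig_size or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        for pos in range(off + 28 + hdr_size, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((TYPES.get(sig_type, str(sig_type)), owner,
                            data[pos + 16:pos + sig_size]))
        off += list_size
    return entries

def describe(secure_boot_raw, setup_mode_raw, db_raw):
    """Summarise what the firmware enforces and which db entries it trusts."""
    return {
        "secure_boot": read_flag(secure_boot_raw),
        "setup_mode": read_flag(setup_mode_raw),  # True: keys can be enrolled unauthenticated
        "db": [(k, str(o), len(p)) for k, o, p in parse_signature_lists(db_raw)],
    }

# Constructed sample: one X.509 list holding a single 32-byte stand-in "certificate".
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # made-up owner GUID
CERT = b"\x30" * 32                                          # placeholder, not real DER
SAMPLE_DB = (struct.pack("<I", 0x27) + X509.bytes_le
             + struct.pack("<III", 28 + 16 + len(CERT), 0, 16 + len(CERT))
             + OWNER.bytes_le + CERT)
SAMPLE_SB = struct.pack("<I", 0x06) + b"\x01"   # SecureBoot = 1
SAMPLE_SM = struct.pack("<I", 0x06) + b"\x00"   # SetupMode = 0 (user mode)
```

On a real system, pass the binary contents of `SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c`, `SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` to `describe()`.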


                • #58
                  Originally posted by DeepDayze
                  I would most likely check on whether a particular mobo supports disabling SB especially for Win10. If not I will look elsewhere.

                  Most likely mobo makers will have Win8/10 certified boards, so if that's the case I'd make sure I can at least load a custom cert and also make sure a signed kernel is used. Looks like distros will soon have to make sure their live CDs have a signed kernel in order for them to boot.
                  Afaik most major distros already do SB signing. It's these tiny forks and mini projects that may end up taking a hit if SB can't be disabled anymore.



                  • #59
                    Originally posted by tuuker
                    If we do not act now then in future every machine must be "approved" and even connected to the internet to work.
                    That could well become a scary possibility as the new BIOSes do now have the capability of connecting to the Internet (currently to grab updates right from within the BIOS interface). It could be possible for the BIOS to check for revoked keys right then and there and even for keys to be updated over the Internet. So much for total lockdown!

                    If the x86 PC market were to become a closed ecosystem we all may need to move to ARM or another alternative architecture in order to still have Linux freedom. In any event I am keeping my older systems running as long as they can.

                    Originally posted by nanonyme
                    Afaik most major distros already do SB signing. It's these tiny forks and mini projects that may end up taking a hit if SB can't be disabled anymore.
                    Agreed, and I currently use Debian so Debian-based distros could be allowed to use Debian's signing key. In addition such live CDs will require a signed kernel.



                    • #60
                      Originally posted by chithanh
                      • ...
                      • Boot Guard becomes mandatory
                      • Ability to install user keys in UEFI becomes forbidden
                      Awesome list! And hmm, if someone wants a preview: take a look at the iPhone and you'll know what Apple attempts to do on the desktop. Take a look at Windows Phone and you'll see what MS attempts to do with PCs.
