-
-
duby229, don't bother with that troll. He obviously cannot be educated so everything you write to him will be in vain.
Yes, the combination of Boot Guard and forced Secure Boot is a pretty bad one. Forced secure boot means that an evil Microsoft could blacklist boot loader signatures and render Linux systems unbootable. Boot Guard ensures that defending against this by modifying or replacing UEFI becomes impossible.Originally posted by Maxim Levitsky View Post
The next steps on that slope are:- Hardware vendors must include Secure Boot function.
Critics are placated with an option to disable it and the possibility for users to install their own keys. ✓ - Secure Boot must be enabled by default ✓
- Optional Boot Guard technology is introduced to prevent firmware modification ✓
- Secure Boot can become mandatory if the hardware vendor chooses so ✓ << we are here
- Ability to install user keys in UEFI becomes optional
- Hardware vendors must enable Secure Boot permanently
- Boot Guard becomes mandatory
- Ability to install user keys in UEFI becomes forbidden
In the meantime we can buy computers that have unlockable firmware and don't participate in the UEFI madness (like Chromebooks).Originally posted by Maxim Levitsky View PostComment
- Hardware vendors must include Secure Boot function.
-
But what if the best motherboards are locked and you want to use OS you want? from my point of view only solution would be replace chips that has locked crap inside or steal source/keys/specs from company.
If hardware becomes like dictatorship then we must fight with ways that makes companies afraid of locking out users. No more some softy internet petitions, physical fight is only viable option.Comment
-
If we do not act now then in future every machine must have "approved" and even connected to internet to work.Comment
-
Which in reality means MS is going to make sure that it's NOT an option.With the upcoming Windows 10 hardware certification program by Microsoft, they aren't going to enforce that enabling/disabling SecureBoot be an option.Comment
-
A friend said today that you can anyway reset Secure Boot in UEFI so that you can make it think whatever certs you want are trusted. Turning it off completely is unnecessaryOriginally posted by prodigy_ View PostComment
-
I would most likely check on whether a particular mobo supports disabling SB especially for Win10. If not I will look elsewhere.Originally posted by Sonadow View Post
Most likely mobo makers will have Win8/10 certified boards so if that's the case I'd make sure I can at least load a custom cert and also make sure a signed kernel is used. Looks like distros will have to soon make sure their live cd's have a signed kernel in order for them to boot.Comment
-
Afaik most major distros already do SB signing. It's these tiny forks and mini projects that may end up taking a hit if SB can't be disabled anymoreOriginally posted by DeepDayze View PostComment
-
That could well become a scary possibility as the new BIOSes do now have the capability of connecting to the Internet (currently to grab updates right from within the BIOS interface). It could be possible for the BIOS to check for revoked keys right then and there and even for keys to be updated over the Internet. So much for total lockdown!Originally posted by tuuker View Post
If the x86 PC market were to become a closed ecosystem we all may need to move to ARM or another alternative architecture in order to still have Linux freedom. In any event I am keeping my older systems running as long as they can
Agreed, and I currently use Debian so Debian based distros could be allowed to use Debian's signing key. In addition such live cd's will require a signed kernel.Originally posted by nanonyme View PostComment
-
Originally posted by chithanh View Post- ...
- Boot Guard becomes mandatory
- Ability to install user keys in UEFI becomes forbidden
Awesome list! And hmm, if someone wants preview: take a look on iPhone and you'll know what Apple attempts to do on desktop. Take a look on windows phone and you'll see what MS attempts to do with PCs.
Comment
Tweet
Comment