Hi, seems to be a classical case of Godwin's law ;). But back to topic: To be honest I don't understand what all the fuzz is about. From a security point of view it makes totally sense to sign/verify every piece of code that gets executed when booting. Otherwise there will always be some sort of gap in the chain of trust you try to achieve. As there is already malware that puts itself into the MBR and gets executed before any security measures of the operating system (and/or anti virus software) kicks in, it is absolutely understandable that Microsoft tries to close this "hole". By the way: This is also the case for Linux (and for that matter any other OS). Probably the only reason why we (running anything other than Windows and/or OS X) don't care about, is that we are not affected by it in this large scale. So, in general, we should appreciate technologies, which basically enable us (for the first time on PCs) to be certain that only code is executed, which we put there in the first place. I understand that given Microsoft's record in the past, some of you are worried, but when looking in the specifications (as Thomas already pointed out) it is quite clear that Microsoft wants to do the right thing here. Personally I couldn't come up with a better way/infrastructure than the one that is going to be implemented. I have only the following criticism: Given the relatively low cost of getting a signed certificate from Microsoft (to my knowledge it will cost about 100 USD), it might fail to achieve what it is proposed to. Obviously Microsoft will try to prevent any sort of abuse, but even if Microsoft only hands out signed certificates after some extensive checks to trustworthy companies/organisations, it can't control it from there on any more. So basically the relative low price of 100 USD will mean that there might be a lot of organizations with a signed certificate. It would only take a breach into one of those organizations to get your code booted on basically every machine. It is something like the current situation with root CAs in SSL/TLS, but at least from my understanding there is not necessarily a way of revoking certificates. Another minor point of criticism from me would be the chosen name. Maybe some none technical people will hesitate to disable something called "Secure boot", while they would disable something called "Signed boot" without putting much thought into it. But probably only time will tell how this turns out. Another interesting question that to my knowledge wasn't yet answered: Is the planned scenario from Red hat even possible with Grub2? As it is published under GPLv3 it might not be the case, because GPLv3 might prevent any secrets in form of private keys. This would basically mean that the proposed scenario is quite useless. Has anyone any insights on that? Best regards, Karol Babioch
Attachment:
signature.asc
Description: OpenPGP digital signature