> I understand that given Microsoft's record in the past, some of you are
> worried, but when looking in the specifications (as Thomas already
> pointed out) it is quite clear that Microsoft wants to do the right
> thing here.
>
> Personally I couldn't come up with a better way/infrastructure than the
> one that is going to be implemented.
> http://www.linuxfoundation.org/sites/main/files/lf_uefi_secure_boot_open_platforms.pdf
>
> So basically the relatively low price of 100 USD will mean that there
> might be a lot of organizations with a signed certificate. It would only
> take a breach into one of those organizations to get your code booted on
> basically every machine. It is something like the current situation with
> root CAs in SSL/TLS, but at least from my understanding there is not
> necessarily a way of revoking certificates.

I agree with a lot of what you have said. There is nothing to stop this $100 rising though. The best part is it will likely force motherboard manufacturers to raise their security game.

UEFI is actually originally from Intel I believe but in order to get the Windows 8 badge you need to adhere to Microsoft's requirements and so most motherboard/bios manufacturers will probably follow that. There will be better and worse bioses, the question is what can the average user do. I presume some security bioses will hardcode more aspects to mitigate attacks not covered by Microsoft's spec even and not caring about this badge. Really I need to find the time to more than skim through this spec and Intel's or others.

http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-cert-requirements-system.pdf

Which states.

MANDATORY. The platform shall ship with an initial, possibly empty, "forbidden" signature database (EFI_IMAGE_SECURITY_DATABASE1) created with the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_ACCESS attribute. When a signature is added to the forbidden signature database, upon reboot, any image certified with that signature must not be allowed to initialize/execute.

So revocation is possible likely even through Windows update.

AND

a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.

________________________________________________________________________

!! This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode. !!

I haven't checked this as apparently the spec is like > 2000 pages. This link says setup mode spec makes no mention of key installation by users being possible.

http://mjg59.dreamwidth.org/13713.html?replyto=521361

________________________________________________________________________

The problem is On/OFF is the only requirement but Microsoft's keys must be recoverable if removed (even though 'database' suggests a multiple key feature is possible). Chances are many will do the least possible to adhere. There are no setup mode requirements as far as I can tell but maybe there are. It will come down to bios vendors but it would be best to have a USER EDITABLE whitelist option (assuming the bios and password uses decent password encryption and write protection) to prevent things like rogue certs such as the recent Windows update patch fixed or perhaps if your security policy banned Windows ;-).

I have a few questions I'd investigate.

I believe Microsoft could use it as a selling or anti competition point i.e. your company can use secure boot but only if you use Windows on this cheap hardware you desire or bought last year. What's more is there is no technical reason for this situation.

Can you sign keys as Tom mentioned? I hope so, the word import or signed keys are not in Microsoft's document at least.

As you can disable it completely with a password you should be able to install non OEM firmware such as Openbios. Key import via password or even usb key auth would solve all of these issues. I can't believe that has been overlooked without reason or shall we say preference. It may be the disable option was an afterthought must.

It's not Microsoft's job to mandate good bios practice but I'd say the right thing includes thinking about all possible users especially when it will cost little more to be a responsible party.

Considering Microsoft have stated they will provide security updates to even pirated copies of Windows and yet require online! validation to download the recent key signing security patch. I still don't trust the vendor that started with stolen code. I can't see the requirement for online validation being simply a mistake when I've also found more than one friend's machines seriously out of date without security warning until WGA was installed.

-- 
________________________________________________________
Why not do something good every day and install BOINC.
________________________________________________________
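
An added example, not part of the original message or of any vendor's code: a sketch of the "forbidden" database rule quoted above, parsing UEFI EFI_SIGNATURE_LIST data and letting a dbx match override db. The function names, owner GUID and images are constructed for illustration, and it assumes plain SHA-256 over the image bytes, whereas real firmware compares the Authenticode hash of the PE image and also evaluates certificate entries.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_sha256_lists(blob):
    """Return the set of SHA-256 digests held in concatenated EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256:
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the 32-byte digest.
            if sig_size != 48 or len(body) % sig_size:
                raise ValueError("bad SignatureSize for SHA-256 list")
            for i in range(0, len(body), sig_size):
                digests.add(body[i + 16:i + sig_size])
        off += list_size  # other signature types (e.g. X.509) are skipped
    return digests


def make_sha256_list(owner, digests):
    """Build one EFI_SIGNATURE_LIST (constructed test data, not a firmware dump)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


def may_execute(image, db, dbx):
    """Simplified policy: a dbx match always wins; otherwise the digest must be in db."""
    digest = hashlib.sha256(image).digest()
    if digest in parse_sha256_lists(dbx):
        return False
    return digest in parse_sha256_lists(db)


OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
GOOD, REVOKED = b"constructed bootloader A", b"constructed bootloader B"
DB = make_sha256_list(OWNER, [hashlib.sha256(i).digest() for i in (GOOD, REVOKED)])
DBX = make_sha256_list(OWNER, [hashlib.sha256(REVOKED).digest()])
```

With these constructed databases, may_execute(REVOKED, DB, DBX) is refused even though the same digest is still listed in db.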