[Cialug] Restricted boot a very real possibility

Adam Shannon adam at ashannon.us
Tue Oct 18 13:38:25 CDT 2011


I was talking with a friend about this, and these were his remarks.

This is the problem. It's up to OEMs to make sure that secure boot is
toggle-able and if they choose not to, you can hardly blame MS.
There's no reason any major *nix distro couldn't craft signed
bootloaders and rootkit scanners and use those. In fact, I sincerely
hope Ubuntu, Red Hat, SUSE, and every major distro standardize on a
bootloader that can be cryptographically signed and can verify the
boot path of a *nix install. I hope that Mac OS X adopts the same.

There's really no good reason at all for boot malware to continue to
propagate on consumer devices when we have laid the foundations for us
to stop it once and for all. I would even go so far as to say I think
only enthusiast hardware should contain the toggle to turn it off. The
Linux Foundation or another nonprofit entity should work with the OEMs
to provide a secure boot path for open source operating systems that
is a viable alternative.

---

Yes, frankly all of those things are possible. But Microsoft is
intelligently not making this decision. It's up to the individual
OEMs. Microsoft is just saying: "If you want to sell Windows 8 as an
OEM, you need to make sure you have a secure boot implementation, it
is on by default, and it has the keys necessary to make *at least*
Windows 8 work." But note what I didn't say: I didn't say that
Microsoft went to the OEMs requiring that secure boot cannot be turned
off. I didn't say that Microsoft said the only keys could be
Microsoft's.

---

Simple, large datacenters run software other than Windows. They have
and they will continue to do so. Enterprise clients need to secure POS
terminals and workstations that might run all manner of exotic OS.
Research institutions will want to balance security and academic needs
and will demand toggle-able secure boot and will appreciate OSes that
accommodate their needs.

On Tue, Oct 18, 2011 at 13:00, Jeff Davis <me at digitaljeff.com> wrote:
> Definitely something to watch, but surely IBM, Dell, and HP will be
> smart enough to provide users a method to disable it or allow a
> trustedGrub type of thing. It would be foolish of them to ignore or
> alienate Red Hat, Canonical, and VMware. Seems like a logistical
> nightmare to ensure all server hardware/chipsets support a Linux
> workaround, while not doing so for desktop hardware.
>
> I'd be more concerned if I was into the roll-your-own Linux as that
> seems to require OEMs to allow the ability to disable secure boot.
> (I admit that is giving up some amount of freedom with the device, but
> we're already quite far down that path where disassembling or rooting
> your phone/tablet will void the warranty. I haven't seen any iPhone
> or Xoom users picketing.)
>
> -Jeff D
>
> On Tue, Oct 18, 2011 at 11:38 AM, Matthew Nuzum <newz at bearfruit.org> wrote:
>> I often find the FSF to be a bit alarmist, but this is a very real concern:
>> http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/
>>
>> Will your computer's "Secure Boot" turn out to be "Restricted Boot"?
>>
>> by Matt Lee — last modified October 17, 2011 14:54
>>
>> Please sign our statement to show your support!
>>
>> Microsoft has announced that if computer makers wish to distribute machines
>> with the Windows 8 compatibility logo, they will have to implement a measure
>> called "Secure Boot." However, it is currently up for grabs whether this
>> technology will live up to its name, or will instead earn the name
>> Restricted Boot.
>>
>> When done correctly, "Secure Boot" is designed to protect against malware by
>> preventing computers from loading unauthorized binary programs when booting.
>> In practice, this means that computers implementing it won't boot
>> unauthorized operating systems -- including initially authorized systems
>> that have been modified without being re-approved.
>>
>> This could be a feature deserving of the name, as long as the user is able
>> to authorize the programs she wants to use, so she can run free software
>> written and modified by herself or people she trusts. However, we are
>> concerned that Microsoft and hardware manufacturers will implement these
>> boot restrictions in a way that will prevent users from booting anything
>> other than Windows. In this case, a better name for the technology might be
>> Restricted Boot, since such a requirement would be a disastrous restriction
>> on computer users and not a security feature at all.
>>
>> ... read more
>> --
>> Matthew Nuzum
>> newz2000 on freenode, skype, linkedin and twitter
>>
>> ♫ You're never fully dressed without a smile! ♫



-- 
Adam Shannon
Web Developer
University of Northern Iowa
Sophomore -- Computer Science B.S. & Mathematics
http://ashannon.us

