1. Post #41
    Gold Member
    gparent's Avatar
    January 2005
    3,949 Posts
    I agree with gparent, regardless of having the ability to turn this off, it shouldn't even exist in the first place.
    Then you don't agree with me. I agree with the whole concept of Secure Boot, it's definitely needed. I disagree with Microsoft's business decisions on how to handle the technology. They should not treat ARM as a special case because of the tablet market. They should not be doing things that make Linux distro developers buy keys off people no matter who they are. It reminds me of the OOXML deal where they fucked things up and played dirty. I don't even want to write more about it. Fuck them.
    I really can't think of what regular computer users gain from secure boot, besides losing the ability to do things with their computer.
    The point is to create a chain of trust from the bootloader to the OS. So if you get a rootkit that starts overwriting your BIOS, well it won't be able to because that rootkit would have to sign its dirty code.

    Thing is, in the certification documents for Windows 8, there is (or used to be) this paragraph:
    MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

    So basically to certify your tablet for Windows 8, you have to make it impossible to disable secure boot. If a tablet manufacturer wants to lock you out[1], they just remove the interface required to insert new signing keys.

    [1]: to be precise: if Microsoft wants to sign a less-than-legal contract with a manufacturer to lock other OSes out, because let's face it any manufacturer benefits from having additional OSes, it's only MS who benefits from customers having LESS choice
    Reply With Quote Edit / Delete Reply Windows 7 Show Events Winner Winner x 1 (list)

  2. Post #42
    Gold Member
    PvtCupcakes's Avatar
    May 2008
    10,900 Posts
    The point is to create a chain of trust from the bootloader to the OS. So if you get a rootkit that starts overwriting your BIOS, well it won't be able to because that rootkit would have to sign its dirty code.
    Since the whole Flame thing just happened with it jacking the certificate for Windows Update, I wonder how long it will take for their Secure Boot certificate to get jacked too.

  3. Post #43
    Gold Member
    gparent's Avatar
    January 2005
    3,949 Posts
    Since the whole Flame thing just happened with it jacking the certificate for Windows Update, I wonder how long it will take for their Secure Boot certificate to get jacked too.
    I'm not saying it's infallible, but it can be much harder to break than a Terminal Services related chain of trust. Pub/private key pairs are basically unbreakable if you never reveal the key. You'd need to attack the hardware itself.
    Reply With Quote Edit / Delete Reply Windows 7 Show Events Informative Informative x 1 (list)

  4. Post #44
    Gold Member
    Panda X's Avatar
    August 2006
    9,825 Posts
    I'm hoping that Microsoft gets taken to court over some of this nonsense. They had this bright period from 2007-2009 and now it seems like they're going back to the 90's.

  5. Post #45
    Gold Member
    Jookia's Avatar
    July 2007
    6,768 Posts
    Wait, you CAN'T disable it on ARM? Why not? What's so special about ARM?

  6. Post #46
    Gold Member
    Panda X's Avatar
    August 2006
    9,825 Posts
    Wait, you CAN'T disable it on ARM? Why not? What's so special about ARM?
    Microsoft is using "security" as an excuse to block other operating systems from running on their tablets.

    Which honestly I don't see why, even if people bought a Windows tablet to install Linux/*nix in a dual boot or something, they still get the same amount of money.
    Reply With Quote Edit / Delete Reply Windows 8 United States Show Events Agree Agree x 1 (list)

  7. Post #47
    Gold Member
    Jookia's Avatar
    July 2007
    6,768 Posts
    It may be my Microsoft hate, but does anybody else kind of see this as Microsoft monopolizing ARM?

  8. Post #48
    Gold Member
    Panda X's Avatar
    August 2006
    9,825 Posts
    It may be my Microsoft hate, but does anybody else kind of see this as Microsoft monopolizing ARM?
    OEMs could still make ARM tablets that don't have Windows on it.

  9. Post #49
    Gold Member
    Jookia's Avatar
    July 2007
    6,768 Posts
    OEMs could still make ARM tablets that don't have Windows on it.
    Well they could, but nobody would really buy it if they couldn't use fancy Windows and sync it with their desktop easily and phone and all these convenient things.

  10. Post #50
    Gold Member

    May 2008
    1,986 Posts
    Yeah I don't think there have been any legit viruses that screwed around with the bootloader.
    CIH does (it also overwrites the BIOS)

  11. Post #51
    P320's Avatar
    September 2011
    957 Posts

  12. Post #52
    Gold Member
    Jookia's Avatar
    July 2007
    6,768 Posts
    Ahahaha? Oh, that's serious. BAHAHAHAHAHA.

    If you actually read Tim Burke's announcement, you can see that they've managed to work with the secure boot peoples to allow Linux to be on the desktop, because let's face it- OEMs aren't going to drop Windows 8 support.
    Reply With Quote Edit / Delete Reply Linux Australia Show Events Agree Agree x 1 (list)

  13. Post #53
    Gold Member
    PvtCupcakes's Avatar
    May 2008
    10,900 Posts
    It may be my Microsoft hate, but does anybody else kind of see this as Microsoft monopolizing ARM?
    Well they currently have maybe 2% marketshare on ARM, so not really.
    I seriously doubt Windows 8 will change that.

  14. Post #54
    King of the Oil Refinery
    Tobba's Avatar
    December 2008
    6,229 Posts
    Its funny because if Fedora fucks up the signing stuff in their stage-one signed bootloader theres a large chance to make Secure Boot completely useless because you could just install a Fedora bootloader and coax it into running bad code and then load a modified unsigned windows bootloader into memory
    Reply With Quote Edit / Delete Reply Windows 7 Sweden Show Events Agree Agree x 2 (list)

  15. Post #55
    P320's Avatar
    September 2011
    957 Posts
    Its funny because if Fedora fucks up the signing stuff in their stage-one signed bootloader theres a large chance to make Secure Boot completely useless because you could just install a Fedora bootloader and coax it into running bad code and then load a modified unsigned windows bootloader into memory
    Chainloading, essentially.
    Reply With Quote Edit / Delete Reply Windows 7 United States Show Events Agree Agree x 1 (list)

  16. Post #56

    February 2012
    108 Posts
    I really can't think of what regular computer users gain from secure boot, besides losing the ability to do things with their computer.
    Same story with overclock bin multiplier locking though.