Secure Boot feedback

  • Hi folks,

    Just wanted to register my feelings about the secure boot feature, as it is currently being depicted.

    Basically, I've read that in order to get Windows 8 logo approval, the device MUST support secure boot.

    The point has been made by others that Dell and all the other big boys will of course add this in.

    My concern is the ability of the hobbyist, developer or whatever, to load a different OS onto that box at some later date.

    I think that, as part of the requirement for Logo, you should not only require Secure Boot ability, but please also REQUIRE a method in the EFI settings where secure boot can be turned off.

    I love Microsoft software, but sometimes I *DO* want to boot into other OSes, if for no other reason than to fool around and take a look. It's also nice to be able to take an older PC and repurpose it.

    As an afterthought, perhaps another type of system to protect boot?  Something where during OS install, a signed file containing signed hashes of boot process files is loaded into flash memory in EFI.

    The secure boot could then reference these hashes to see if files had changed. This could allow for an advanced settings page where someone who wanted to load up Windows XP could actually choose what files to monitor. (Could work for any OS possibly.)

    Update packages would have a new signed file of hashes. Driver installations, say for graphics cards, could have a signed file of additional hashes to be added. Build a 4Gb USB stick onto the motherboard for storage of the hashes.

    The last piece of this is to have a public web site where people can submit files and get signed hashes. Anyone could submit, so malware could be submitted also. BUT, so long as it's not signed by MS, but just a hash, make Secure Boot NOT auto load hashes unless they are signed by (whatever). Pop a message saying the item could not be loaded automatically. "If you wish to add the hash for this piece of software, you must do so manually."

    Whatever.  I think I made my point.


    Thanks, Bob
    Thursday, September 22, 2011 2:33 PM
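    The signed hash list Bob sketches above, worked through as an added example (not code from this thread or from any firmware): an issuer signs a manifest of boot-file digests, and the checker refuses to trust any hash from a manifest whose signature does not verify before comparing files. Ed25519 for the issuer signature, SHA-256 for the file digests, and the sample file contents are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Manifest is the post's "signed file of hashes": file name -> SHA-256 hex digest.
type Manifest struct {
	Hashes map[string]string
	Sig    []byte // Ed25519 signature over the canonical JSON encoding of Hashes
}

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SignManifest hashes each boot file and signs the list; encoding/json writes map keys
// in sorted order, so signer and verifier serialise identical bytes.
func SignManifest(priv ed25519.PrivateKey, files map[string][]byte) Manifest {
	h := make(map[string]string, len(files))
	for name, data := range files { h[name] = digest(data) }
	body, _ := json.Marshal(h)
	return Manifest{Hashes: h, Sig: ed25519.Sign(priv, body)}
}

// VerifyBoot rejects the whole manifest when its signature fails (an unsigned hash list
// is never auto-loaded), then reports files whose digest is missing or has changed.
func VerifyBoot(pub ed25519.PublicKey, m Manifest, files map[string][]byte) ([]string, error) {
	body, _ := json.Marshal(m.Hashes)
	if !ed25519.Verify(pub, body, m.Sig) {
		return nil, fmt.Errorf("manifest signature invalid: hashes not loaded")
	}
	var bad []string
	for name, data := range files {
		if m.Hashes[name] != digest(data) { // a missing entry reads as "" and fails too
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the vendor's key (assumption)
	files := map[string][]byte{"bootmgr": []byte("loader v1"), "winload.exe": []byte("kernel loader v1")} // constructed
	m := SignManifest(priv, files)
	files["bootmgr"] = []byte("tampered loader")
	fmt.Println(VerifyBoot(pub, m, files)) // [bootmgr] <nil>
}
```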

All replies

  • There is a blog on this at http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

    Speculation: The BIOS is provided by the motherboard. If a motherboard producer wants to get market outside of Windows 8 (e.g. Windows 7, Vista, XP, *nix) or sell in countries where this could have regulatory issues (just like Wi-Fi had a hard time in China), the producer would be wise to have an option to turn the feature off.


    Thursday, September 22, 2011 11:56 PM
  • Essentially no one is going to willingly "turn security off".  The owner needs to be able to install authorized keys.  Physical access during boot should be enough, maybe with a specially-signed boot partition on a USB key or whatever.
    Saturday, November 5, 2011 11:17 PM