Authored by: kawabago on Friday, June 01 2012 @ 11:56 PM EDT
The key is installed at the time of manufacture, you can't
change it after the fact. It's a wonderful system, for
vendors, it can't be updated. Once the secure boot system has
been bypassed by malware, there will be no way to fix the
problem. Don't want the same malware infecting your computer
again? Buy a new computer.

Authored by: tknarr on Saturday, June 02 2012 @ 12:24 AM EDT
As said, the public key used to sign the boot loader has to be loaded into
the hardware. That leaves two cases:

- The BIOS has a way of adding keys to the hardware. But then the company
  doesn't need to go to Verisign, they can just add their own key to the
  hardware and sign images without needing to involve anybody else. And of
  course hobbyists and distributions can do the same thing. No problem.
- The BIOS doesn't have a way of adding keys to the hardware. In that case
  you can't get a key from Verisign, you have to go to whoever holds the
  pre-loaded keys and get them to sign your image.

The first case pretty much scuttles what Microsoft wants: to
make it impossible to run anything but their software. I doubt any proposal they
put forward will go there willingly. And the second leaves companies with a
problem when they must run versions of Windows that Microsoft wants to
prevent from running (see Microsoft's attempts to get XP
end-of-lifed).

Myself, I'd love to see the first option implemented. That
puts control of the system boot right where it belongs: in my hands. If I
control what keys are in the hardware, I control what can run and what can't.
The problems only come up when someone else wants control over my machine.