decoration decoration
Stories

GROKLAW
When you want to know more...
decoration
For layout only
Home
Archives
Site Map
Search
About Groklaw
Awards
Legal Research
Timelines
ApplevSamsung
ApplevSamsung p.2
ArchiveExplorer
Autozone
Bilski
Cases
Cast: Lawyers
Comes v. MS
Contracts/Documents
Courts
DRM
Gordon v MS
GPL
Grokdoc
HTML How To
IPI v RH
IV v. Google
Legal Docs
Lodsys
MS Litigations
MSvB&N
News Picks
Novell v. MS
Novell-MS Deal
ODF/OOXML
OOXML Appeals
OraclevGoogle
Patents
ProjectMonterey
Psystar
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v IBM
SCO v Novell
SCO:Soup2Nuts
SCOsource
Sean Daly
Software Patents
Switch to Linux
Transcripts
Unix Books

Gear

Groklaw Gear

Click here to send an email to the editor of this weblog.


You won't find me on Facebook


Donate

Donate Paypal


No Legal Advice

The information on Groklaw is not intended to constitute legal advice. While Mark is a lawyer and he has asked other lawyers and law students to contribute articles, all of these articles are offered to help educate, not to provide specific legal advice. They are not your lawyers.

Here's Groklaw's comments policy.


What's New

STORIES
No new stories

COMMENTS last 48 hrs
No new comments


Sponsors

Hosting:
hosted by ibiblio

On servers donated to ibiblio by AMD.

Webmaster
UEFI and Secure Boot - less Freedom is No Freedom | 305 comments | Create New Account
Comments belong to whoever posts them. Please notify us of inappropriate comments.
UEFI and Secure Boot - less Freedom is No Freedom
Authored by: Anonymous on Monday, June 25 2012 @ 03:44 PM EDT
> If the boot sequence has to signature-check the entire OS,
> running Windows Update might take a wee while...

My understanding of the way MacOS does its signature checking,
is the signature is checked anytime a file is written to. If it fails
that file is flagged as bad, and will throw an error/warning
next time it is read. But, yeah, another layer of bloat that could
be avoided by designing security in from the bottom.

[ Reply to This | Parent | # ]

UEFI and Secure Boot - less Freedom is No Freedom
Authored by: Anonymous on Monday, June 25 2012 @ 11:19 PM EDT
I'm not 100% sure as I haven't done all the research on this but the secure boot
itself just makes sure the bootloader is good. But the trick is that the
Microsoft bootloader which has been signed will have code in it that will check
some core parts of the windows system are signed before booting it. So in this
way the security is carried down. In theory then these known good core parts of
the windows system could then repeat the process on down the chain. For example
it will check all device drivers to make sure they are signed. At this point
virus's and root kits are restricted to only run as user apps and not as part of
the core system. This is one of the reasons for secure boot.

In the scary future world this could be extended to require all applications to
be signed as well (Metro apps might get this requirement!). Eventually we only
run what is safe for us...

The interesting thing I don't understand right now is that many linux developers
are now talking about getting their boot loaders signed as well so they will
work with these new machines easily without going into bios and disabling
secureboot or loading custom keys. Once many boot loaders are out there and
signed what is to stop these loading a small OS that just loads windows with no
more signing checks? Then someone can develop a new root kit that instead of
just adding something to the MBR instead installs a new signed bootloader that
boots the rootkit which then loads your now hacked windows.

Maybe there is a catch for this situation but it will be interesting to see how
things play out.

Michael

[ Reply to This | Parent | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )