|
Authored by: luvr on Tuesday, July 09 2013 @ 12:39 PM EDT |
Amen! These are exactly the questions that were on my mind!
I'm not looking
for any new computer at the moment, but if I were, I would avoid "Securely"
Restricted Microsoft Windows Boot like the plague. Then, since "Securely"
Restricted Microsoft Windows Boot is apparently an integral part of UEFI, it so
follows that I wouldn't want UEFI either.
And now here's PJ explaining that
a device that's cheaper than your common "Securely" Restricted Microsoft Windows
Boot-infested computer works great—infinitely better, for me a least, than
said crap.
Ergo: Why would I pay more for a crippled computer, when I
get can get better value at lower cost? Here's hoping that the Chromebooks show
up sooner rather than later in my country! That's not to say that I will rush
out to get one—like I said, I'm not looking to buy a new computer for
now—but if the Chromebooks can bootstrap a whole new industry of
affordable computers that are helping rather than hinder me as a
user, that would be almost too good to be true! [ Reply to This | Parent | # ]
|
|
Authored by: Anonymous on Tuesday, July 09 2013 @ 04:48 PM EDT |
If the source I select for my Linux Kernel is
compromised, and I sign it
with a UEFI key:
How does UEFI protect me from said malicious code
being
started up when said malicious code is signed?
UEFI
refuses to start it. Altogether.
If the source I select is not
compromised and I only ever
modify the system applications with the Root user -
or
equivalent - and I only ever work in "peon user" mode
otherwise:
In
what way would I even need UEFI?
Someone with network access
could upload malicious binaries
to your system, for instance through some
update mechanism.
Think about someone faking a system update that installs a
malicious kernel module. UEFI Secure Boot combined with
signed kernel modules
would prevent that.
The single point of security failure that
has always
existed for the computer is physical access.
If I have physical
access to the computer:
Can I get around UEFI via a manual method -
for example
using the old fashioned "short the bios battery" to reset
the bios
to factory settings so I can enter it and configure
it as I want?
Not that I know. I believe you cannot reset the key storage,
but my
knowledge about that is limited.
If you had left your UEFI setup
unpassworded, you can
however disable UEFI Secure Boot and/or remove keys, add
new
keys etc.
If there is such a work around:
What value
does UEFI provide that I can't get through other
security mechanisms?
I
own the device! I have total say in what goes on it! If
there is no work around
and UEFI can lock me out of my own
system:
It's not security I
want!
You will never lose the ability to access your own
system,
even if compromised. Simply disable UEFI Secure Boot, and
your system
will boot the compromised OS. Booting from a
rescue system will work, and if
that rescue OS is signed
with the proper keys, you can boot it without
disabling UEFI
Secure Boot.[ Reply to This | Parent | # ]
|
|
|
|
|