On 05/01/13 08:26, Patrick Georgi wrote:
> On 2013-01-05 01:03, Andrew Goodbody wrote:
>> coreboot can never be "the Solution to the Secure Boot Fiasco" until it can offer better security than Secure Boot.
> We do. Same level of verifiable boot (by doing signature checks on loaded code) without the UEFI complexity.

Ahh, sorry I missed that detail didn't I? That's really good to know.

> In fact, even the "Freedom" issues are similar: Google voluntarily did the right thing and added a user override button (hardware) to their chrome devices. Without that, coreboot in those systems wouldn't help a bit, since they'd be just as locked down as a UEFI secure boot device without custom key enrollment.

And here is the crux of the issue. Distribution and management of keys is a major problem be it coreboot or Secure Boot.

> The issue with UEFI Secure Boot is the motivation of the guardian of standard and implementation. It's not Intel, it's Microsoft: They worked with (and/or paid) Insyde to do the secure boot implementation. They worked with (and/or paid) Phoenix for the ASLR/NX lock down. And they add a bunch of requirements for hardware implementors that exceed the UEFI spec by way of their Windows Logo initiative.
> It definitely matters right now for PC platforms where the Win8 Logo requirements only changed to the current state (so that they _require_ a key enrollment option for the user, and a way to disable secure boot) after public pressure. PC is a market they control, so vendors can't ignore the Win Logo stuff.
> Patrick
Agree 100%. I do not understand why people are lumping Intel in with Microsoft on this one. I actually find the fact that Microsoft bowed to the public outcry and added the requirement for key enrolment to be an encouraging thing. If there is a single message that is not fuelled by paranoia and FUD then changes can actually be made.
Just FYI MS have been controlling PC hardware since they released the PC98 specification so this is not a new move on their part but it is an escalation.
Andrew