

Free Software Foundation recommendations for Secure Boot - giZm0
http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web

======
ithkuil
I always wondered why malware doesn't simply replace the windows loader with a
secure boot signed grub (kindly paid by redhat) and then load an arbitrary
payload.

If microsoft accepts signing a grub bootloader which in turn can load an user
built linux image and initrd, then malware could do the same.

Furthermore, if the concern is to avoid unauthorized modification of the boot
record, why don't create an hardware filter that prevents writes to the boot
sector unless a special hardware key (for example on the laptop case) is
activated.

Or, nstead of preventing the write, this hardware key could sign the boot
record using a key which is recognized by the firmware. Actually vendors could
implement this and get the microsoft windows 8 logo + have a competitive
advantage because they show they care for the freedom of their users. (The
cost is negligible I guess ... with respect the plethora of multimedia keys,
wifi/bluetooth disable toggles etc)

Sorry if it's a stupid question, but the amount of fud around this topic makes
it difficult to quickly find relevant info.

~~~
giZm0
A perfectly legitimate question! This certainly would fix MOST of the malware
problems. It is only when the user can't be trusted to decide this by them
self i.e they are tricked into install something bad.

Or it might be that the security reason, isn't the only reason for Microsoft
to push this?

