
Linux Foundation Secure Boot System Released - onosendai
http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/
======
kunai
Doesn't matter if it's signed code. I still turned off Secure Boot on my T430.
It is rare that I have ever gotten malware, much less any that execute code at
boot. Boot-sector viruses died off in the late 90s.

Make no doubt about it; this is just another monopolistic implementation of
restrictive technology by Microsoft.

~~~
shadowfox
> any that execute code at boot. Boot-sector viruses died off in the late 90

Are you sure? It looked like rootkits/bootkits are still pretty rampant?

~~~
kunai
Not on Linux. And in my 10+ years of Windows computing, I have never once
gotten a bootkit. It's simple: install a myriad of security applications, and
don't visit any suspicious websites.

It's common sense, really.

~~~
jiggy2011
How do you know if you have a bootkit? I could have one running on my system
right now syphoning off data. I probably don't, but I can't think of any way
that I could _prove_ that I didn't even if I ran every anti-malware program in
the world.

~~~
rjbond3rd
Not proof, I guess, but possible countermeasures:

* run the OS from (known good) media mounted read-only (in the olden days, some websites ran off Knoppix CDs and rebooted often :)

* (Red Hat): rpm -Va to verify the package database, binaries, config files etc. (after verifying the original package database hasn't changed, by checksumming / diffing with an offline copy)

* iptables rules which drop (and log) all traffic on all interfaces (then selectively add minimalist rules)

~~~
DanBC
> in the olden days, some websites ran off Knoppix CDs and rebooted often

That sounds horrific for performance.

~~~
beagle3
Not at all. Once the OS and webserver (and whatever apps you need) are in
memory, it's just as fast as a hard-drive.

Non executable data (the majority of data served by webservers) can still
reside on magnetic media or on a NAS.

------
sergiotapia
I'm not 100% sure what this means. I remember hearing a lot of rabble rabble a
few months back about Microsoft placing some roadblocks on hardware that would
make it more difficult to install Linux on machines.

Does this mean this is now a non-issue?

Thanks in advance.

~~~
mjg59
It's been a non-issue for a couple of months - the Linux Foundation
implementation is an alternative approach, but there's already a freely-
available signed bootloader that distributions can use.

~~~
slug
I disagree that's a non-issue. Recently a relative's 10+ year old computer
broke down. After buying a new one, until I was able to boot from an external
Linux USB/CD disk and be able to boot Linux from the hard disk after
installation, took several trips to the BIOS to change a myriad of UEFI
settings, which is completely non-trivial to someone that just wants to try a
live CD.

------
xuhu
Meanwhile Ubuntu's Wubi-based installer is rendered useless since the Windows
8 bootloader won't load it (nor will it load anything except Windows
apparently if SecureBoot is enabled).

~~~
mjg59
I don't think Wubi's ever worked with UEFI systems.

------
RexRollman
Great news but this entire situation is still a cluster-fuck.

~~~
Qantourisc
Yep ... and I feel like we are feeding the trolls.

------
erhardm
I don't feel safe at all. The same way governments could ask Microsoft to have
a built-in backdoor for Windows, they could ask for a signed rootkit.

~~~
keeperofdakeys
Microsoft is actually in quite an interesting situation here. Although they
have a lot of power in deciding what they sign, they also have a large
obligation due to their now monopoly position. It's these situations that
antitrust laws can start applying, but Microsoft would have to abuse their
position for that to happen.

------
patrickaljord
cache:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/&hl=en&tbo=d&strip=1)

------
martinced
Amazing. An article about "Secure Boot" and they transmit...

An MD5 of the file.

The nineties called, they want their MD5 back.

~~~
keeperofdakeys
I'm pretty sure the md5 hash is just to test the integrity, to make sure it
isn't corrupt. Due to all the other trust issues (no HTTPS), the insecure
aspects of md5 don't really matter.

