

Protecting the pre-OS environment with UEFI - wyday
http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

======
CoffeeDregs

        Microsoft is working with our partners to ensure that 
        secured boot delivers a great security experience for
        our customers. 
    

I'm neither pro- nor con-UEFI (but I run Debian, so keep your fucking hands
off my laptop), but the quoted sentence is awesome, big-company speak. Does
anyone you know want a "great security experience"?

In real life, I came home tonight and my wife had locked the house door on the
way out to a dinner meeting. I unlocked the door and went inside my house... I
felt secure... But it turns out that I was missing something. I could have had
a "great security experience" instead of being merely secure.

Thumbs up to the MS team for taking something that was taken for granted,
diluting it, confusing it, simplifying the resulting abomination and declaring
that they're delivering a "great security experience". I assume that the
writer is a Republican in the Rick Perry mold? (1)

(1) I'm a registered [California] Republican and am mad as hell about the
hijacking of my party, so I can make fun of our idiots without irony.

------
CurtHagenlocher
"For Windows customers, Microsoft is using the Windows Certification program
to ensure that systems shipping with Windows 8 have secure boot enabled by
default, that firmware not allow <b>programmatic control</b> of secure boot
(to prevent malware from disabling security policies in firmware), and that
OEMs prevent unauthorized attempts at updating firmware that could compromise
system integrity."

So an OEM can still be "Windows Certified" if they allow manual disabling of
secure boot.

~~~
mrud
That was never the point. The point is that there will be probably systems
which do not allow a modification at all for controlling secure boot as it
would be another optional feature. In addition you probably won't be able run
Linux without changing the secure boot option for certified systems.

<http://mjg59.dreamwidth.org/5552.html> provides a good overview about the
issue

------
flarg
Snippets from the comments below the article reveal all:

Jose Pedro 22 Sep 2011 4:06 PM # Having in mind that any open source operating
system or bootloader would probably have to provide publicly their keys, thus
making it hard to have these validated, how could secure boot be made to be
compatible with these, or these to be functional with secure boot?

Steven Sinofsky 22 Sep 2011 4:10 PM # How secure boot works with any other
operating systems is obviously a question for those OS products :-) We focus
our boot loader on Windows and there are a number of alternatives for people
who wish to have other sets of functionality.

Drewfus 22 Sep 2011 5:36 PM # @Steven Sinofsky: "How secure boot works with
any other operating systems is obviously a question for those OS products :-)"
Agreed. It is up to other OS vendors to get their acts together regarding
secure boot, and if this causes conflicts with their licensing models, that's
their problem. The onus is _not_ on Microsoft to compromise system security to
be 'fair' to the GPL, or whatever.

etc.

The original revelatory article was not FUD, Microsoft seem to be trying to
'accidently' lock out un-certified OSs. Ubuntu might go for it, Puppy probably
will not. Crap.

------
WalterGR
See also the previous post "Windows 8 OEM specs may block Linux booting" -
<http://news.ycombinator.com/item?id=3020459>

~~~
ryannielsen
From this post, written by Microsoft:

> Microsoft does not mandate or control the settings on PC firmware that
> control or enable secured boot from any operating system other than Windows

~~~
WalterGR
Yes, thanks, that's a good summary.

Since the conversation from yesterday (with 137 comments) was voted pretty
highly, I assumed that this submission was related, and the previous one would
offer interesting additional discussion.

I'm sorry if it was inappropriate to link to. By offering it, I was in no way
advocating a particular point of view, even though I quoted the title of the
HN submission, which does put forth a hypothesis.

If it's appropriate to delete my comment, let me know.

~~~
dorian-graph
Microsoft responded to accusation: [http://www.winrumors.com/microsoft-clears-
up-linux-confusion...](http://www.winrumors.com/microsoft-clears-up-linux-
confusion-over-windows-8-secure-boot-feature/)

I've submitted that link to HN.

~~~
wmf
That's just a summary of the blog post that this thread is about, and IMO it's
inaccurate; to me Sinofsky's post seems to confirm everything Garrett wrote.

------
comex
tldr: it's up to the OEMs whether or not to provide an (ugly and, considering
the implication that other OSes are insecure, scary) option to disable secure
boot.

