> These skeleton keys can be used to install non-Redmond operating systems on locked-down computers. In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android.
What's the point of disabling the ability to install another OS?
I can understand having a bit (that you can flip) in the BIOS that prevents accidentally or maliciously overwriting the boot sector of an OS. But what's the point of completely preventing it? What does it accomplish besides neutering the device and pissing off people that are trying to replace the OS?
> What's the point of disabling the ability to install another OS?
It comes down to the trusted base concept: once the OS is running, it can provide strong assurances to prevent unauthorized code from running but that can't protect against malicious code starting before the OS. An attacker could use the built-in virtualization support on most modern CPUs to load your normal OS and, with care, make it extremely hard to tell that all of your actions are compromised. Some people like that because it could be used to attack DRM schemes but it could also be used to record keystrokes, steal crypto keys, install ransomware which waits for the user to be utterly hosed before triggering the payment prompt, etc.
Having the firmware verify every bit of code before executing it avoids that problem but that poses the problem of having a trusted signing key which needs to be managed – imagine the mess if, say, Dell's key leaked – and poses the problem of getting new keys on the list for legitimate purposes (e.g. booting Linux) but not making it realistic for malware to do the same thing. I'd like to see some sort of government regulation requiring the latter but having some fairly cumbersome process to complicate social engineering attacks (e.g. reboot while holding down a switch, answer a prompt that you understand this will expose all of your personal data to the new OS, etc.).
> * Remains protected even when the BIOS, VMM, OS, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay
> * Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
If disk encryption keys are tied to the secure boot keys then you can maintain security and freedom at the same time. Swapping in user-supplied signing key would render the disk unreadable and thus protect the existing data from being attacked by malware.
Don't drink their coolaid if they're trying to convince you that they're restricting your freedom in the name of security.
Please think things through more before accusing other people of drinking flavor-aid. If you re-read my comment, note that I was describing how it worked and the problem it solved, and the closest I came to endorsing a side was in favor of the government preventing manufacturers from locking users out. What you proposed still depends on something like secure boot but could be a way to satisfy that mandate by preventing manufacturers from arbitrarily restricting the configuration.
I did read it as you saying that vendor-lockin is a necessary component instead of an implementation decision.
To me the lockdown of windows RT devices does not seem like security motivated at all, considering that secure boot and TPMs in PCs share much of the same security architecture but do allow key swapping.
It's more likely motivated by subsidized devices.
That's why your given answer to the question why there is an OS lock-in struck me as coolaid.
The security reasoning is that the device must boot intended operating system, and not just any system that conveniently lies around on drive. This is to prevent attack of switching operating system with look-a-like and stealing sensitive information from unsuspecting user. Also to prevent attacker from booting into another OS and reading disk content.
> The security reasoning is that the device must boot intended operating system, and not just any system that conveniently lies around on drive. This is to prevent attack of switching operating system with look-a-like and stealing sensitive information from unsuspecting user.
I'm not saying being able to have signed OS's is a bad idea. What I'm wondering is why isn't this something that the user can enable/disable? Say secured with a long BIOS password.
I'd wager 99.999% of people don't have to worry about evil maid attacks and those that do aren't going to defer to Microsoft's defaults as counter measures.
> Also to prevent attacker from booting into another OS and reading disk content.
Bullshit. If they really want that they can rip out the hard disk. If you don't want people reading your plaintext then don't store it as plaintext. Encrypted disks unlocked at boot is a solved problem.
Having the device default to not booting other OS's unless you go into an unsecured BIOS and flip a bit would cover the majority of cases. All you need is a secure boot path into the BIOS that malware presumably wouldn't be able to replicate from a booted OS.
Secure boot does not protect against evil maid attacks. (I'm not sure anything really does.) With physical presence, you can still grab the data and run it in a VM managed by your malicious code.
Secure boot protects against BIOS level root kits and similar low-leve but remote exploitation.
No argument it's a bad idea to use MS's key, instead of the computer's owner. The only explanation for why MS made it this way was for DRM - once again weakening end user security to enforce MS's secure against us.
In theory, if your OS isn't evil or easily hacked, it should prevent a class of "evil maid attacks" from attackers who don't have the master key (while facilitating irreparable attacks from those who do).
In practise, MS OSes are evil, easily hacked, and now everyone has the master key.
This is a well written piece that has enough tech mumbo-jumbo to scare the non-tech literate person away. I enjoyed it but are there other, more widely accessible scare pieces out there? It's this kind of thing that needs to reach privacy conscious people so that we can stop governments from mandating stupid stuff like backdoors.
What's the point of disabling the ability to install another OS?
I can understand having a bit (that you can flip) in the BIOS that prevents accidentally or maliciously overwriting the boot sector of an OS. But what's the point of completely preventing it? What does it accomplish besides neutering the device and pissing off people that are trying to replace the OS?