[coreboot] Feedback On Coreboot: the Solution to the Secure Boot Fiasco

Andrew Goodbody ajg4tadpole at gmail.com
Sat Jan 5 15:03:30 CET 2013


On 05/01/13 08:26, Patrick Georgi wrote:
> On 2013-01-05 01:03, Andrew Goodbody wrote:
>> coreboot can never be "the Solution to the Secure
>> Boot Fiasco" until it can offer better security than Secure Boot.
> We do. Same level of verifiable boot (by doing signature checks on
> loaded code) without the UEFI complexity.

Ahh, sorry, I missed that detail, didn't I? That's really good to know.


> In fact, even the "Freedom" issues are similar: Google voluntarily did
> the right thing and added a user override button (hardware) to their
> chrome devices. Without that, coreboot in those systems wouldn't help a
> bit, since they'd be just as locked down as a UEFI secure boot device
> without custom key enrollment.

And here is the crux of the issue. Distribution and management of keys 
is a major problem be it coreboot or Secure Boot.


> The issue with UEFI Secure Boot is the motivation of the guardian of
> standard and implementation. It's not Intel, it's Microsoft: They worked
> with (and/or paid) Insyde to do the secure boot implementation. They
> worked with (and/or paid) Phoenix for the ASLR/NX lock down.
> And they add a bunch of requirements for hardware implementors that
> exceed the UEFI spec by way of their Windows Logo initiative.
>
> It definitely matters right now for PC platforms where the Win8 Logo
> requirements only changed to the current state (so that they _require_ a
> key enrollment option for the user, and a way to disable secure boot)
> after public pressure.
> PC is a market they control, so vendors can't ignore the Win Logo stuff.
>
>
> Patrick
>

Agree 100%. I do not understand why people are lumping Intel in with 
Microsoft on this one.
I actually find the fact that Microsoft bowed to the public outcry and 
added the requirement for key enrolment to be an encouraging thing. If 
there is a single message that is not fuelled by paranoia and FUD then 
changes can actually be made.

Just FYI, MS have been controlling PC hardware since they released the
PC98 specification, so this is not a new move on their part, but it is an
escalation.

Andrew


