2
I heard that new computers will have a "secureboot" feature built in, and that it's supposed to keep "unsigned code" from booting. I haven't seen any issue with a possibility to boot the wrong OS,as the information on it implies. so is it actually to stop rootkits, or to prevent other operating systems to be installed on the PC?
ZCoder
Posted 2014-01-10T19:11:42.960
Reputation: 385
4
The answer depends on how much of a conspiracy nut you are.
The technology is able to stop rootkits taking hold in critical parts of the filesystem, but the same technology can be used to prevent loading an "unapproved" Operating system - where Unapproved is defined by the maker of the system, not the owner of it.
I believe that (at the moment) Secureboot can be disabled in the BIOS and any system can be booted. It is, however, possible that a manufacturer could remove the functionality to disable Secureboot [ Maybe a big OS provider throws money at them ], which could limit what can be done with it.
To have a look at "What is possible", consider Smartphones. Some [ like Google and Samsung branded phones ] can load any version of Android - eg supported by Cyanogenmod, while others are locked into the OS which they came with and can't be upgraded - I believe LG do this, and Motorola used to do this (My wife had a Motorola which can't be upgraded from an ancient 2.x version of Android - forced obsolescence - I do note its possible Motorola have changed as they are now owned by Google). Anyway Locked bootloaders are commonplace in Cellphones, so if you are looking at the impacts, it might be a useful place to draw an analogy from.
davidgo
Posted 2014-01-10T19:11:42.960
Reputation: 49 152
2
The entire point is the "chain of trust" it creates. If I have a piece of software that I need to make sure that nothing malicious can intercept what I am doing and put their own code in I need to trust the program launching my program. To trust that program that launched my program, you need to trust the program that launched the program that launched my program, and so on and so on.
What Secure boot provides is a anchor for that first "trusted program". It allows the hardware on the computer to assert "No one has modified this bootloader and it will behave exactly like the original programmers programed". The boot-loader can then check "No one has modified this OS and it will behave exactly like the original programmers programmed". Then the OS can go "No one has modified this program and it will behave exactly like the original programmers programmed" and now you have a "trusted path" from your program all the way down to the physical hardware running the machine all verifying that nothing got in the way that could intercept or modify the behavior of your code.
Now what the Bootloader, OS, or program itself does with that chain of trust is entirely up to the company. The Bootloader could chose to only boot OS's from a specific vendor and you could not prevent that. The OS could choose to only allow software to run that was authorized to run (this is what Windows 8 RT does via the App Store) and you could not. The program could implement some from of DRM and you would not have a way to bypass it.
It is all up to the vendor of the software on how to use Secure Boot.
Scott Chamberlain
Posted 2014-01-10T19:11:42.960
Reputation: 28 923
0
Secureboot provides a "chain-of-trust" so as to theoretically allow you to run code that has an extremely high confidence of being the exact code that was signed with a trusted key. The firmware that supports this is seeded with an x509 certificate by the manufacturer, which is embedded in the firmware.
It is a somewhat clever platform, that does allow you to manually change the authorised keys: In a nutshell, a PK (Platform Key) shows who controls the machine, KEKs (Key-Exchange keys) shows who can update the machine and the dbx/db (Signature Database keys) identifies boot code that can boot the platform in secure mode. (See: http://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/ and http://kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/)
Just like with the certificates trusted by your browser, anyone with enough money can buy themselves into the pre-installed- (or firmware!) "chain of trust." Thus, practically, Secureboot makes it marginally more expensive to roll out software to mass-market hardware - both to you, and to the bad guys.
Which is a good thing. Off the bat it may seem to simply lift the bar and keep out individuals and petty criminals, but simply put, when it comes to computing, trust means money. Money is the best measure of pseudonymous trust that we have been able to come up with, as a civilisation. Trust is ultimately the most valuable commodity we know, hence money has value.
Dagelf
Posted 2014-01-10T19:11:42.960
Reputation: 585
The only exception to secure boot being disabled is on ARM based devices. In both the case of Android and Windows the boot loader is locked. There are solutions to that problem with android but with Windows RT devices technically you would find it very difficult to load another OS on it because of secure boot. Of course ARM devices don't have BIOS in the traditional sense either – Ramhound – 2014-01-10T19:36:14.243
1hmm....one of the reasons I use desktop boards is because of their flexibility as compared to prepackaged units or Tablets. that's bad news – ZCoder – 2014-01-10T20:26:55.583
Just to be clear for others (I believe I misread your post @Ramhound initially), currently Secureboot can be disabled on x86 based devices, but not all ARM based devices. I agree on this - but in the future I am sure at least some Intel devices will not allow secureboot to be disabled. – davidgo – 2014-01-10T20:27:40.173
AFAIK I've been using and AMD APU in a UEFI-compatible bios, but haven't seen the option; I didn't know if it was there and having effect or if it's simply not present and I wouldn't have to worry for a year or so. – ZCoder – 2014-01-10T20:30:13.597