[arch-general] Campaign against Secure Boot

Karol Babioch karol at babioch.de
Mon Jun 25 18:55:29 EDT 2012


Hi,

seems to be a classical case of Godwin's law ;).

But back to topic: To be honest I don't understand what all the fuss is
about. From a security point of view it makes total sense to
sign/verify every piece of code that gets executed when booting.
Otherwise there will always be some sort of gap in the chain of trust
you try to achieve.

As there is already malware that puts itself into the MBR and gets
executed before any security measures of the operating system (and/or
antivirus software) kick in, it is absolutely understandable that
Microsoft tries to close this "hole".

By the way: This is also the case for Linux (and for that matter any
other OS). Probably the only reason why we (running anything other than
Windows and/or OS X) don't care about it is that we are not affected by
it on this large a scale.

So, in general, we should appreciate technologies which basically
enable us (for the first time on PCs) to be certain that only the code
we put there in the first place is executed.

I understand that given Microsoft's record in the past, some of you are
worried, but when looking at the specifications (as Thomas already
pointed out) it is quite clear that Microsoft wants to do the right
thing here.

Personally I couldn't come up with a better way/infrastructure than the
one that is going to be implemented.

I have only the following criticism: Given the relatively low cost of
getting a signed certificate from Microsoft (to my knowledge it will
cost about 100 USD), it might fail to achieve what it is supposed to.
Obviously Microsoft will try to prevent any sort of abuse, but even if
Microsoft only hands out signed certificates after some extensive checks
to trustworthy companies/organisations, it can't control it from there
on any more.

So basically the relatively low price of 100 USD will mean that there
might be a lot of organizations with a signed certificate. It would only
take a breach of one of those organizations to get your code booted on
basically every machine. It is something like the current situation with
root CAs in SSL/TLS, but at least from my understanding there is not
necessarily a way of revoking certificates.

Another minor point of criticism from me would be the chosen name. Maybe
some non-technical people will hesitate to disable something called
"Secure Boot", while they would disable something called "Signed Boot"
without putting much thought into it. But probably only time will tell
how this turns out.

Another interesting question that to my knowledge wasn't yet answered:
Is the planned scenario from Red Hat even possible with Grub2? As it is
published under GPLv3 it might not be the case, because GPLv3 might
prevent any secrets in the form of private keys. This would basically
mean that the proposed scenario is quite useless. Has anyone any
insights on that?

Best regards,
Karol Babioch
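The chain of trust the post describes (firmware verifies the bootloader, the bootloader verifies the kernel, and a stage that verifies nothing leaves a gap), together with the "one compromised signer" risk and the role of a deny list, can be modelled in a few dozen lines. The following Go program is an added illustration written for this page; it is not code from the poster, from Microsoft or from any UEFI implementation. It assumes Ed25519 signatures as a stand-in for the X.509/Authenticode signatures real firmware checks, and it uses the names db and dbx for the allow list and deny list of signer keys, as UEFI does. All keys and "images" are constructed in the Scenario function.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Errors a verifying stage can report about the stage it is asked to run.
var (
	ErrRevoked   = errors.New("signer key is on the deny list (dbx)")
	ErrUntrusted = errors.New("signer key is not on the allow list (db)")
	ErrBadSig    = errors.New("signature does not cover this image")
	ErrGap       = errors.New("previous stage enforces no policy: gap in the chain")
)

// Image is one boot-stage binary with a detached signature and the public
// key it was signed with (toy stand-in for an Authenticode-signed PE file).
type Image struct {
	Name   string
	Code   []byte
	Signer ed25519.PublicKey
	Sig    []byte
}

// Policy is what a verifier holds: db lists trusted signer keys, dbx lists
// keys that must be refused even if they also appear in db. Keys are
// indexed by the SHA-256 of the public key.
type Policy struct {
	db  map[[32]byte]bool
	dbx map[[32]byte]bool
}

func keyID(pk ed25519.PublicKey) [32]byte { return sha256.Sum256(pk) }

func NewPolicy() *Policy {
	return &Policy{db: map[[32]byte]bool{}, dbx: map[[32]byte]bool{}}
}
func (p *Policy) Allow(pk ed25519.PublicKey)  { p.db[keyID(pk)] = true }
func (p *Policy) Revoke(pk ed25519.PublicKey) { p.dbx[keyID(pk)] = true }

// Verify is the check a stage runs before handing control to the next one:
// deny list first, then allow list, then the signature over the code bytes.
func (p *Policy) Verify(img Image) error {
	id := keyID(img.Signer)
	switch {
	case p.dbx[id]:
		return ErrRevoked
	case !p.db[id]:
		return ErrUntrusted
	case !ed25519.Verify(img.Signer, img.Code, img.Sig):
		return ErrBadSig
	}
	return nil
}

// Sign builds an image the way a vendor's build pipeline would.
func Sign(name string, code []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) Image {
	return Image{Name: name, Code: code, Signer: pub, Sig: ed25519.Sign(priv, code)}
}

// Stage couples an image with the policy it enforces on the stage after it.
// A nil policy means the stage verifies nothing (end of chain, or a gap).
type Stage struct {
	Image
	Next *Policy
}

// Boot walks the chain: the firmware policy judges the first stage, then each
// stage's own policy judges its successor. It returns the names of the stages
// that actually ran and the first failure; a stage that would run unverified
// is refused rather than executed.
func Boot(firmware *Policy, chain []Stage) ([]string, error) {
	policy := firmware
	var executed []string
	for _, st := range chain {
		if policy == nil {
			return executed, fmt.Errorf("%s: %w", st.Name, ErrGap)
		}
		if err := policy.Verify(st.Image); err != nil {
			return executed, fmt.Errorf("%s: %w", st.Name, err)
		}
		executed = append(executed, st.Name)
		policy = st.Next
	}
	return executed, nil
}

// Scenario is a constructed example: a CA key the firmware trusts, a distro
// key the bootloader trusts, and an unrelated key nobody trusts.
func Scenario() map[string]error {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	distroPub, distroPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	firmware := NewPolicy()
	firmware.Allow(caPub)
	loaderPolicy := NewPolicy()
	loaderPolicy.Allow(distroPub)
	loader := Stage{Sign("bootloader", []byte("loader-v1"), caPub, caPriv), loaderPolicy}
	kernel := Stage{Sign("kernel", []byte("kernel-v1"), distroPub, distroPriv), nil}
	module := Stage{Sign("module", []byte("driver"), distroPub, distroPriv), nil}
	results := map[string]error{}
	_, results["good chain"] = Boot(firmware, []Stage{loader, kernel})
	foreign := Stage{Sign("kernel", []byte("kernel-x"), otherPub, otherPriv), nil}
	_, results["untrusted kernel"] = Boot(firmware, []Stage{loader, foreign})
	tampered := loader // code modified after signing
	tampered.Code = []byte("loader-v1-patched")
	_, results["tampered loader"] = Boot(firmware, []Stage{tampered, kernel})
	_, results["unverified module"] = Boot(firmware, []Stage{loader, kernel, module})
	firmware.Revoke(caPub) // CA key leaked: platform owner adds it to dbx
	_, results["revoked CA"] = Boot(firmware, []Stage{loader, kernel})
	return results
}
```

Only "good chain" completes; the other four runs stop at the first stage that fails, and the "revoked CA" run shows that once the firmware's deny list knows a compromised signer key, everything that key signed is refused even though it is still on the allow list.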
