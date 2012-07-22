https://mjg59.dreamwidth.org/60248.html
After I mentioned that Lenovo are now shipping laptops that only boot Windows by default, a few people pointed to a Lenovo document that says:
"Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default."
"Secured-core" is a term used to describe machines that meet a certain set of Microsoft requirements around firmware security, and by and large it's a good thing - devices that meet these requirements are resilient against a whole bunch of potential attacks in the early boot process. But unfortunately the 2022 requirements don't seem to be publicly available, so it's difficult to know what's being asked for and why. But first, some background.
[...] Given the association with the secured-core requirements, this is presumably a security decision of some kind. Unfortunately, we have no real idea what this security decision is intended to protect against. The most likely scenario is concerns about the (in)security of binaries signed with the third-party signing key - there are some legitimate concerns here, but I'm going to cover why I don't think they're terribly realistic.
The first point is that, from a boot security perspective, a signed bootloader that will happily boot unsigned code kind of defeats the point. Kaspersky did it anyway. The second is that even a signed bootloader that is intended to only boot signed code may run into issues in the event of security vulnerabilities - the Boothole vulnerabilities are an example of this, covering multiple issues in GRUB that could allow for arbitrary code execution and potential loading of untrusted code.
(Score: 2) by canopic jug on Wednesday July 13, @02:40PM
Garrett was instrumental in setting up the situation which allows laptop manufacturers to lock out non-Windows operating systems. He has worked hard at it for years, both writing code, blogging, and even trolling.
Now he wants credit for post-11th hour minor grumbling about such lock-in. Sorry, but that's not enough to make good for all the years he has been fighting against general-purpose computing. For years he has been pushing UEFI and restricted boot, making excuses for both when not outright promoting it. Furthermore, he has been active programming in ways which advance both and lead, despite years of warnings, to exactly this scenario with computers that won't boot non-Windows operating systems. There are work-arounds through some of the settings, for now, but as old hardware and old versions of Windoze drop away we get closer to the day those options are removed.
He's been part of the problem and not part of the solution. He's earned the ire of those that know about him and should not be consulted further, at least on this topic.
