Protecting the pre-OS environment with UEFI

lxskllr

A demonstration of this control is found in the Samsung tablet with Windows 8 Developer Preview that was offered to //BUILD/ participants. In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk. OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers. Windows merely did work to provide great OS support for a scenario we believe many will find valuable across consumers and enterprise customers.


I still don't like it.
 

ViRGE

I still don't like it.
It's like a brick: it can be used for good or evil. There's a great deal to gain from hardening computers this way so that malware can't be introduced early in the boot process ahead of the OS's own security systems.

In any case I'm not expecting any problems (certainly not with end-user boards), but we'll see. What will probably end up happening is that business computers won't allow toggling SecureBoot, while consumer computers will.
 

lxskllr

It's like a brick: it can be used for good or evil. There's a great deal to gain from hardening computers this way so that malware can't be introduced early in the boot process ahead of the OS's own security systems.

My biggest concern is the appliancification (W00T! New word) of computers. It's in everybody's but the consumer's best interest to go that route. That locks you in to specific vendors, and removes choice. I don't have a bit of problem with the technology as long as it can be overridden, but time will tell on that account.