On Thu, Jul 28, 2022 at 07:47:15PM +0200, Vitaly Zaitsev via devel wrote:
> On 26/07/2022 20:05, Chris Murphy wrote:
> > Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption) out of
> > the box with the encryption key sealed in the TPM. Two different issues result:
>
> Microsoft has published a new security bulletin on the current state of
> Secure Boot:
> https://docs.microsoft.com/en-us/windows/security/information-protection/...
>
> The most important note:
> > Secured-core PCs require Secure Boot to be enabled and configured to distrust the
> > Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most
> > secure configuration of their PCs possible.
>
> TL;DR. The new certified by Microsoft devices will be able to load only
> Microsoft Windows in the UEFI Secure Boot enabled mode.
I read that as meaning there are two different certifications:

 * "Certified For Windows PCs" - the traditional behaviour we've known,
   where the 3rd party UEFI CA is enabled by default
 * "Secured-core PCs" - a new certification promoted as a more secure
   out of the box setup, where 3rd party UEFI CA is disabled by default

This doesn't mean that everything is suddenly going to be "Secure-cored"
and thus prevent use of shim out of the box.

This other doc gives more details:

https://docs.microsoft.com/en-us/windows-hardware/design/device-experienc...
[quote]
Microsoft works closely with OEM partners to help ensure that all certified
Windows systems deliver a secure operating environment. Windows integrates
closely with the hardware to deliver protections that take advantage of
available hardware capabilities:
* Baseline Windows security – recommended baseline for all individual
systems that provides foundational system integrity protections.
Leverages TPM 2.0 for a hardware root of trust, secure boot and
BitLocker drive encryption.
* Virtualization-based security enabled – leverages virtualization
capabilities from hardware and the hypervisor to provide additional
protection for critical subsystems and data.
* Secured-core – recommended for the most sensitive systems and
industries like financial, healthcare, and government agencies.
Builds on the previous layers and leverages advanced processor
capabilities to provide protection from firmware attacks.
[/quote]
An open question is just how widely the OEM hardware vendors will
deploy "Secured core" hardware in practice. If they only do this
for enterprise hardware they sell with Windows pre-installed, then
it might not become a big deal, as those running Linux will typically
opt out of Windows pre-install. If they deploy 'Secured core' across
all hardware, both consumer and enterprise, and/or regardless of OS
preinstall choice, then it will become more of a pain for consumers
wanting to run Linux.
With regards,
Daniel
--
|: https://berrange.com          -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org           -o-              https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-      https://www.instagram.com/dberrange :|