Once, long ago--actually, on Sat, Jul 07, 2012 at 03:21:09PM +0200--Reindl Harald
(h.reindl(a)thelounge.net) said:
the whole "secure boot" idea is crap
Hmm...no, it's not. It's crap *as implemented*.
Want a not-crap implementation?
o Firmware ships with a non-MS form of UEFI.
o You install your OS-of-choice; at this point in time, you know it's
clean & safe.
o Run a utility to generate a key that gets installed in the UEFI
firmware. Preferably, this utility would know or be told what
components in the OS, drivers, etc. should be considered when
generating the key.
o Disable the UEFI update. Ideally, this would be an actual hardware
switch--something that CAN'T be suborned in software or firmware.
o Whenever you update your OS, drivers, or other components that are
considered by the UEFI boot, turn off the switch and re-run the keygen
utility.
From this point on, you're running "blessed" software,
so Bad Guys(TM) will
be stopped as for the current UEFI. But the entire dance is in
*your*
control, not any vendor.
But, of course, MS couldn't tolerate this.
--
Dave Ihnat
dihnat(a)dminet.com