UEFI bootkit

Alan Cox alan at lxorguk.ukuu.org.uk
Thu Sep 20 11:06:08 UTC 2012


> The question I have is, can the buyer simply choose NOT to
> use uefi (i.e. blow it off the system) and boot any OS of choice
> which will not insist on the presence of any UEFI?

No.

> I think the answer to this question is more important as it provides
> an "opt-out" choice to the consumer.

There are two things here

UEFI is a replacement for the BIOS and in fact quite a few modern systems
are UEFI but boot into a "BIOS" compatibility by default.

'Secure' boot is the signed booting stuff. That is an add on to basic EFI
and on x86 it's required by Microsoft as part of their requirements that
it must be disableable but that disabling it must be done in a secure
("proof of presence" - ie local) manner.

It's also possible in theory to replace/amend the keys although that's a
bit more complicated. The Linux Foundation have been working on tools for
this.

On ARM systems the requirement is the reverse - it must not be possible
to disable it, so those devices will be locked to Windows if shipped that
way.

In theory there is nothing stopping a vendor shipping a system with UEFI
without secure boot, or with UEFI and with secure boot disabled as
supplied or with other keys. I can imagine for example that folks like
Dell would get asked to ship big blocks of machines to corporates that
also have an extra company key in them. That makes things like securely
provisioning via PXE much simpler.

Alan
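
Added example, not part of the original message: a check that tells apart the states the reply distinguishes (BIOS-compatibility boot, UEFI with Secure Boot off, UEFI with Secure Boot on) on a running Linux system. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the function names `read_flag`, `boot_mode` and `fake_sysfs` are illustrative, and the demo tree is constructed.

```python
import os
import tempfile

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID

def read_flag(efivars, name):
    """Return the one-byte value of a global EFI variable, or None if unavailable."""
    try:
        with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL}"), "rb") as f:
            raw = f.read()
    except OSError:
        return None
    # efivarfs puts a 4-byte attribute field in front of the variable data.
    return raw[4] if len(raw) >= 5 else None

def boot_mode(sysfs_root="/sys"):
    """Classify how the running Linux system was booted."""
    efi = os.path.join(sysfs_root, "firmware", "efi")
    if not os.path.isdir(efi):
        # The kernel only exposes this directory when it was started via UEFI.
        return "BIOS (legacy or UEFI compatibility mode)"
    efivars = os.path.join(efi, "efivars")
    secure = read_flag(efivars, "SecureBoot")
    if secure is None:
        return "UEFI, Secure Boot variable not readable"
    if secure == 1:
        return "UEFI, Secure Boot enabled"
    if read_flag(efivars, "SetupMode") == 1:
        # Setup mode: no platform key is enrolled, so keys can be installed.
        return "UEFI, Secure Boot disabled, setup mode (no platform key enrolled)"
    return "UEFI, Secure Boot disabled"

def fake_sysfs(variables):
    """Build a constructed sysfs tree for offline demonstration; returns its root."""
    root = tempfile.mkdtemp()
    efivars = os.path.join(root, "firmware", "efi", "efivars")
    os.makedirs(efivars)
    for name, value in variables.items():
        with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL}"), "wb") as f:
            # Attributes 0x06 (boot-service + runtime access), then the data byte.
            f.write((0x06).to_bytes(4, "little") + bytes([value]))
    return root

if __name__ == "__main__":
    print("this machine:", boot_mode())
    print("constructed: ", boot_mode(fake_sysfs({"SecureBoot": 1, "SetupMode": 0})))
```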


