UEFI bootkit

[James Wilkinson]

nomnex wrote:
> I also read that (most?) vendor will allow Secure boot to be switch off
> on the BIOS.
> 
> When I purchase a notebook (Prior to Secure boot), I erase the
> partition. I boot from a Live CD. If everything seems to work, and if I
> like the DE, I install the OS.
> 
> And that's my question with these new UEFI+Secure boot machines: If I
> turn Secure boot OFF, can I install a live CD as I used to do. Or is
> there more?

As I understand it, yes. You should also be able to do that without
turning Secure Boot off (which is the point of the work that Matthew
Garrett has been doing).

As always, though, the proof of the pudding is in the eating, so how
reliable it will be in practice remains to be seen.

As Linus Torvalds wrote (on a different subject) on the linux-kernel
mailing list: “Do you have any reason to expect that all BIOS’es are
bug-free in this area?

That would be a first.”

and

“BIOS writers tend to have been on pain medication for so long that they
can hardly remember their own name, much less actually make sure they
follow all the documentation.”

James.

-- 
E-mail:     james@ | "Security question ... What's your dog's maiden name?"
aprilcottage.co.uk |     -- Peter Gutmann on bad security designs