On Saturday 02 Jun 2012 23:50:58 pk wrote:
> On 2012-06-02 22:10, Michael Mol wrote:
> > I expect the chief mechanism is at the manufacturer's end; blacklisted
> > keys get included on shipment.
> 
> Makes sense.
> 
> > It's also probable that the OS kernel can tell the UEFI BIOS about new
> > keys to blacklist. I expect that'll be a recurring thing in the
> > Monthly batch of security updates Microsoft puts out. (Makes sense,
> > really; if malware is using a key, blacklist that key.)
> 
> Yes, would expect something like this. Secure boot supposedly prevents
> "unauthorized firmware, operating systems or UEFI drivers" at boot time.
> So if I interpret this correctly it would mean that if I have, say, an
> old graphics card with an old firmware (vga bios) I can't use it with
> "secure boot". More interestingly, how is an "operating system" defined?
> Does it mean only the kernel itself or does it mean a full-blown OS with
> init and other supporting software? What does that mean to a source
> based "distro"? Also, I would assume a legitimate key would be able to
> sign pretty much any binary so a key that Fedora uses could be used to
> sign malware for Windows, which then would be blacklisted by
> Microsoft... and how is malware defined? Anything that would be
> detrimental to Microsoft?
> 
> > Someone linked to some absolutely terrible stuff being built into
> > Intel's Ivy Bridge...it's plausible it will be possible to deploy
> 
> You mean:
> https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control
> 
> ?
> 
> > blacklist key updates over the network within a couple years.
> 
> Well, UEFI already implements remote management:
> http://www.uefi.org/news/UEFI_Overview.pdf (page 13)
> ... so implementing an automatic update over the network, preferably via
> SMM/SMI so that the operating system cannot intervene would be possible
> already today... and you've lost control of your computer.
> 
> I'm putting on my tinfoil hat now and I'm going to pretend it's
> raining... :-/
> 
> Best regards
> 
> Peter K

Can I please join you if you have a spare hat?

On a 3 year old Dell laptop manufactured by the famous and well known Winbond 
Electronics </sarcasm> I see this under lshw:

  *-remoteaccess UNCLAIMED
       vendor: Intel
       physical id: 2
       capabilities: outbound

but have not found a way of interrogating it or in any way accessing it to 
understand what it is or does ...


Note, this is not a UEFI machine: 

capabilities: smbios-2.6 dmi-2.6 vsyscall32


-- 
Regards,
Mick
