Protecting the pre-OS environment with UEFI

<p><pre><code> Microsoft is working with our partners to ensure that secured boot delivers a great security experience for our customers. </code></pre> I'm neither pro- nor con-UEFI (but I run Debian, so keep your fucking hands off my laptop), but the quoted sentence is awesome, big-company speak. Does anyone you know want a "great security experience"?<p>In real life, I came home tonight and my wife had locked the house door on the way out to a dinner meeting. I unlocked the door and went inside my house... I felt secure... But it turns out that I was missing something. I could have had a "great security experience" instead of being merely secure.<p>Thumbs up to the MS team for taking something that was taken for granted, diluting it, confusing it, simplifying the resulting abomination and declaring that they're delivering a "great security experience". I assume that the writer is a Republican in the Rick Perry mold? (1)<p>(1) I'm a registered [California] Republican and am mad as hell about the hijacking of my party, so I can make fun of our idiots without irony.

"For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default, that firmware not allow &#60;b&#62;programmatic control&#60;/b&#62; of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity."<p>So an OEM can still be "Windows Certified" if they allow manual disabling of secure boot.

Snippets from the comments below the article reveal all:<p>Jose Pedro 22 Sep 2011 4:06 PM # Having in mind that any open source operating system or bootloader would probably have to provide publicly their keys, thus making it hard to have these validated, how could secure boot be made to be compatible with these, or these to be functional with secure boot?<p>Steven Sinofsky 22 Sep 2011 4:10 PM # How secure boot works with any other operating systems is obviously a question for those OS products :-) We focus our boot loader on Windows and there are a number of alternatives for people who wish to have other sets of functionality.<p>Drewfus 22 Sep 2011 5:36 PM # @Steven Sinofsky: "How secure boot works with any other operating systems is obviously a question for those OS products :-)" Agreed. It is up to other OS vendors to get their acts together regarding secure boot, and if this causes conflicts with their licensing models, that's their problem. The onus is <i>not</i> on Microsoft to compromise system security to be 'fair' to the GPL, or whatever.<p>etc.<p>The original revelatory article was not FUD, Microsoft seem to be trying to 'accidently' lock out un-certified OSs. Ubuntu might go for it, Puppy probably will not. Crap.

See also the previous post "Windows 8 OEM specs may block Linux booting" - <a href="http://news.ycombinator.com/item?id=3020459" rel="nofollow">http://news.ycombinator.com/item?id=3020459</a>

tldr: it's up to the OEMs whether or not to provide an (ugly and, considering the implication that other OSes are insecure, scary) option to disable secure boot.