> Well, are you sure "UEFI disable button" will turn off ALL of UEFI functions?
For Windows 8 certed hardware, aka most.

http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-cert-requirements-system.pdf

Which states:

MANDATORY. The platform shall ship with an initial, possibly empty, "forbidden" signature database (EFI_IMAGE_SECURITY_DATABASE1) created with the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_ACCESS attribute. When a signature is added to the forbidden signature database, upon reboot, any image certified with that signature must not be allowed to initialize/execute.

So revocation is possible and likely even through Windows update.

AND

a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.

________________________________________________________________________

!! This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode. !!

I haven't checked this as apparently the spec is like > 2000 pages. This link says the setup mode spec makes no mention of key installation by users being possible.

http://mjg59.dreamwidth.org/13713.html?replyto=521361

________________________________________________________________________

So you will be able to disable signed booting, if you are authorised to disable you certainly should be able to import keys. I believe Microsoft see making that mandatory as being against their interests.

Potential Problems I see:

Price hike of signing by Microsoft.

Not being able to revoke Microsoft's keys perhaps with the cover of preventing malware from doing so.

No interface to add keys being mandatory and so unlikely. Some will implement as selling feature.

Multi-booting (apparently but I'm skeptical, you may be able to sign a key with another)

Openbios projects.

Hardware manufacturers specifying their Windows version. If it happened a few years back, people being stuck with VISTA and not being able to get the shop to install XP.

p.s. anyone know if HDDs that use so much firmware these days require that it's signed?

--
________________________________________________________
Why not do something good every day and install BOINC.
________________________________________________________
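Added example, not part of the original post: one way to check from Linux whether a machine is in the setup mode the quoted requirement describes, and whether its dbx carries the time-based authenticated attribute. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the two GUIDs are the standard UEFI ones, while the function names and the "enforcing" summary are this example's own.

```python
import struct
from pathlib import Path

# Attribute bit from the UEFI specification, where the full name is
# EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS.
TIME_BASED_AUTH_WRITE = 0x20

EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point (assumed)
GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"     # EFI_GLOBAL_VARIABLE GUID
IMAGE_SEC = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # GUID for db and dbx
WANTED = {"PK": GLOBAL, "SetupMode": GLOBAL, "SecureBoot": GLOBAL, "dbx": IMAGE_SEC}

def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data): 4-byte LE header, then payload."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    return struct.unpack_from("<I", raw)[0], raw[4:]

def assess(variables):
    """variables maps name -> raw efivarfs bytes; a missing name means 'not set'."""
    parsed = {n: parse_efivar(r) for n, r in variables.items()}

    def flag(name):
        # SetupMode and SecureBoot are single-byte booleans.
        return parsed[name][1][:1] == b"\x01" if name in parsed else None

    report = {
        "setup_mode": flag("SetupMode"),
        "secure_boot": flag("SecureBoot"),
        "pk_enrolled": "PK" in parsed and len(parsed["PK"][1]) > 0,
        # None when the dbx variable is absent.
        "dbx_time_authenticated": (bool(parsed["dbx"][0] & TIME_BASED_AUTH_WRITE)
                                   if "dbx" in parsed else None),
    }
    # Summary used by this example: signatures are only enforced with a PK in place.
    report["enforcing"] = bool(report["secure_boot"] and report["pk_enrolled"]
                               and not report["setup_mode"])
    return report

def read_live():
    """Collect the four variables from efivarfs, skipping any that do not exist."""
    found = {}
    for name, guid in WANTED.items():
        path = EFIVARS / f"{name}-{guid}"
        if path.is_file():
            found[name] = path.read_bytes()
    return found

if __name__ == "__main__":
    print(assess(read_live()))
```

A machine whose databases have been cleared from firmware setup reports setup_mode True and pk_enrolled False, so it is worth running this after any change made in the firmware menus.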