Microsoft has announced that if computer makers wish to distribute machines with the Windows 8 compatibility logo, they will have to implement a measure called "Secure Boot." However, it is currently up for grabs whether this technology will live up to its name, or will instead earn the name Restricted Boot.
When done correctly, "Secure Boot" is designed to protect against malware by preventing computers from loading unauthorized binary programs when booting. In practice, this means that computers implementing it won't boot unauthorized operating systems -- including initially authorized systems that have been modified without being re-approved.
This could be a feature deserving of the name, as long as the user is able to authorize the programs she wants to use, so she can run free software written and modified by herself or people she trusts. However, we are concerned that Microsoft and hardware manufacturers will implement these boot restrictions in a way that will prevent users from booting anything other than Windows. In this case, we are better off calling the technology Restricted Boot, since such a requirement would be a disastrous restriction on computer users and not a security feature at all.
Please add your name to the following statement, to show computer manufacturers, governments, and Microsoft that you care about this freedom and will work to protect it.
We, the undersigned, urge all computer makers implementing UEFI's so-called "Secure Boot" to do it in a way that allows free software operating systems to be installed. To respect user freedom and truly protect user security, manufacturers must either allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice. We commit that we will neither purchase nor recommend computers that strip users of this critical freedom, and we will actively urge people in our communities to avoid such jailed systems.
To confront this challenge, the upcoming generation of system firmware, referred to as Unified Extensible Firmware Interface (UEFI) secure boot, has capabilities in the system startup sequence designed to only pass control to operating systemsoftwarethat can be confirmed to be not tampered with. The mechanism used toconfirmthe integrity of operating system software is not novel, rather it uses traditional key signing and variations of checksumming. While these mechanisms have traditionally been used higher up in the software stack and later in the startup sequence - what is new is the fact that these validation checks are expected to now be available at the earliest points in the system startup sequence. Performing the checks early is crucial as it provides a safe, verified starting point.
A major shortcoming of the initial UEFI secure boot implementation was the lack of easy to use accommodations foroperating systemsother than Microsoft Windows, including the many variants of Linux. Red Hat has worked for many months, in conjunction with industry consortium The Linux Foundation, hardware partners, and Microsoft to collaboratively develop a UEFI secure boot mechanism that allows user/customer choice and ease of use. Red Hat’s objective was to provide user freedom - to accommodate not just Red Hat Enterprise Linux and Fedora, but also to enable other Linux distributions, including roll-your-own. This was not an easy process, there were many tradeoffs and challenges. This is typically the case when it comes to security - balancing effectiveness of the defenses vs ease of use.
Content will be erased after question is completed.