Secure Boot News - Future Day 1
Microsoft Windows Secure Boot - Then and Now
by RobertC
The newest version of Microsoft Windows finally provides some long-sought enhancements to the Secure Boot feature launched with Windows 8 a few years ago. No longer do storage devices have to be removed and slaved to another computer in order to regain access after lightning strikes, "key hijacks" or boot image corruption. Users can now login from another registered device to their account at Microsoft, the computer manufacturer or any other entity they have keys registered with, and download a new key.
After a multi-step authentication process that includes an email-reply verification and optional phone callback, a user or System Administrator downloads new keys for one or more of the registered machines and copies it to a storage device, usually a memory card or flashdrive. The downside of having to physically be at the computer remains for large data centers, but life is better than it was. At the computer, Secure Boot looks for new keys on the first boot device during powerup. (Anybody remember floppy drives and serial dongles used like this? No? Never mind...) Since the Unified Extensible Firmware Interface (UEFI) software in conjunction with a Trusted Platform Module (TPM) allows multiple, equally valid keys to exist on a "keyring", the new key can just be added and full access restored.
Microsoft has given in after losing market share to Apple, Google, Ubuntu, RedHat, IBM and other Linux and Unix-like operating systems for several years. The "*nix" common underlying operating system architectures used by those companies made the anticompetitive approach of Windows Secure Boot a non-starter with all but Apple. However, even Apple saw the legal liability dangers of purposely locking companies out of their systems due to common events like upgrades, repairs or natural disasters. The companies and many open-source organizations hammered out procedures that greatly reduce vulnerabilities while giving people a reasonably secure way of getting back into their phones, computers and other devices.
Historical References
by RobertC
The newest version of Microsoft Windows finally provides some long-sought enhancements to the Secure Boot feature launched with Windows 8 a few years ago. No longer do storage devices have to be removed and slaved to another computer in order to regain access after lightning strikes, "key hijacks" or boot image corruption. Users can now login from another registered device to their account at Microsoft, the computer manufacturer or any other entity they have keys registered with, and download a new key.
After a multi-step authentication process that includes an email-reply verification and optional phone callback, a user or System Administrator downloads new keys for one or more of the registered machines and copies it to a storage device, usually a memory card or flashdrive. The downside of having to physically be at the computer remains for large data centers, but life is better than it was. At the computer, Secure Boot looks for new keys on the first boot device during powerup. (Anybody remember floppy drives and serial dongles used like this? No? Never mind...) Since the Unified Extensible Firmware Interface (UEFI) software in conjunction with a Trusted Platform Module (TPM) allows multiple, equally valid keys to exist on a "keyring", the new key can just be added and full access restored.
Microsoft has given in after losing market share to Apple, Google, Ubuntu, RedHat, IBM and other Linux and Unix-like operating systems for several years. The "*nix" common underlying operating system architectures used by those companies made the anticompetitive approach of Windows Secure Boot a non-starter with all but Apple. However, even Apple saw the legal liability dangers of purposely locking companies out of their systems due to common events like upgrades, repairs or natural disasters. The companies and many open-source organizations hammered out procedures that greatly reduce vulnerabilities while giving people a reasonably secure way of getting back into their phones, computers and other devices.
Historical References
- Thanks to Matthew Garrett's blog entries that largely started the whole Windows 8 Secure Boot controversy:
- Thanks to the research of Robert Lemos at InfoWorld for his piece, Windows 8 Security: Stronger but gentler
- ...which contains a link to a 2005 Security Focus article on Microsoft's plans to use TPM technology in Windows Vista (abandoned amid user fears of locking out other software): Microsoft reveals hardware security plans, concerns remain
- ...which contains a link to the Electronic Frontier Foundation's seminal article on PC security issues, these techniques and their repercussions: Trusted Computing: Promise and Risk
- Check out Wikipedia for a more up to date overview of Trusted Computing concepts and technologies.
Labels: future, linux, open source, reliability, secure boot, security, windows
0 Comments:
Post a Comment
<< Home