Garrett: Secure Boot and Restricted Boot

I was just trying to say that the security properties it is trying to achieve are analogous to the properties of booting from read-only media, but with the ability to install updates even when running on Satan's Machine.

> You would need to heavily restrict the ability of the "Secure" software to load or read any external data, as well as restrict the ability of any user to modify any of the existing data. At that point, you no longer have a general purpose system.

There is definitely the possibility of implementation bugs that trigger on the data which is loaded from early boot or by the OS. Filesystem bugs have been demonstrated in practice on USB sticks and are very nasty indeed. The difference is that you still have the ability to reliably patch the system, the fix can't be modified in transit. I should also point out that there is a limited attack surface that can be modified remotely affecting early boot so a greater benefit from auditing the critical code paths that touch untrusted data.

> What is your view on how the benefits to user-owners of "Secure Boot" weigh up against the risks that others use this technology to "Secure" the machine against the user-owner?

I think it has a small but clearly tangible benefit while the risk is nebulous and in-tangible. There is a large installed base of systems such as Win7, Linux, *BSD which don't support a boot-locked, Tivoized system so I don't see the existing hardware getting firmware updates which change this behavior and break those installed systems. All of this is happening out in the open so it is no mystery if, in the future, a vendor tries to ship a boot-locked system or if MS tries to boot lock the next generation of hardware, there will be plenty of warning. That is something we all agree can and should be fought.

> Why will this not happen?

Even in the phone market where boot locking is very common many vendors don't boot lock their devices and some (Google Nexus) explicitly call out the openness as a feature. I don't think it a likely outcome that the general purpose PC market becomes _more_ restrictive and locked down than the smart phone market. If MS and the hardware vendors wanted the machines to be boot locked then there would probably just be different SKUs for Win8 bootlocked machines and general purpose machines, like you see in the smart phone industry, but that's not what happened.

> Can you at least acknowledge this is a risk?

Is there a reasonable risk that some vendor at some time will try an sell a boot locked x86 PC, sure that's possible, don't buy those machines and expect to run Linux on them, but is there a large risk that the vast majority of the market in the future, or the machines already shipped, become boot locked, I don't think that's a foreseeable outcome. I think it would be expensive and difficult to get hardware vendors and customers on that bandwagon for very little benefit as MS already gets a cut of most machine sales. Secure Boot can't even tell if you paid for the bits, only that they are signed, so it's useless against piracy.

Thanks for the lively and civil debate, I think we both understand each other's ideas now and we agree on the core argument that boot locking is bad but I don't see the value in rejecting any boot verification, even an open, user-controlled one, just because it works like boot locking.

Some places might want to supply devices to others and ensure that it is indeed *not* a general purpose system for a legitimate reason. The user is not necessarily the owner in all cases (e.g., schools lending students laptops, employers, etc.). I can imagine schools wanting to make sure that no student can overwrite required software on the machine (possible excuses) and for IT support savings. This is "Restricted Boot" as far as the physical user of the machine is concerned, but "Secure Boot" from the actual owner's point of view. As far as vendors doing "Restricted Boot", yes, that's not good. However, *owners* being able to enforce "Restricted Boot" is not necessarily a bad thing.