But it does cause your system to stop operating in case the system has been found to be compromised (unless, as you point out, the firmware itself, or secure boot is compromised). UEFI Secure Boot will certainly help to protect against boot sector exploits (not to mention that EUFI basically does away with the MBR magic).
MS created the excuse and now it is only a matter of time until secureboot is completely compromised with the largest selection of boot viruses the world has ever seen. It would -not- have happened if secureboot never existed. This means that the next generation of viruses are going to be largely OS agnostic. They wont need an OS to function.
MS is just completely retarded. Everything they do blows up. This isnt going to be any different.
Intel is one of the companies working on UEFI, and therefore UEFI Secure Boot. As I said, ARM Secure Boot is something completely different as far as I know.
I've called "UEFI Secure Boot" by a more descriptive name before: "UEFI Validated Boot". In effect, your system isn't secure at all, but at least parts of the boot sequence were *validated* during the boot process. Consequences are:
- something modifies kernel code during boot? you're pwned
- something runs in unprivileged mode? you're pwned
- something modifies your kernel file? you won't be able to boot
- something attempts to upload a trojan driver? you won't be able to boot or possibly load that driver
Second, NOTHING, absolutely NOTHING prevents a hardware vendor from shipping a system with UEFI Secure Boot enabled with e.g. Linux and NO Microsoft keys, and instead their own keys or someone elses keys. (hell, YOU can even do this).
(again, I'm not talking about ARM here)
UEFI/secureboot is complete vendor lock-in crap.
I've been using computers for decades, and I program for a living. I like to think that I know my way around a computer.
I still had to follow a guide + it took about 2 hours just to get windows 8 off my laptop and linux onto it. I had to actually disable UEFI and fallback to legacy BIOS because I couldn't install anything else.
And to be realistic, surely everybody can be his own key-publisher, but his imposes two fundamental problems:
- No hardware vendor goes Linux only (and I am not talking about sporadic Linux-machines)
- How much sense does this make, when everyone is free to author those keys? The end-users doesn't care and if the system hadn't been broken already, it would still suffer from fundamental problems in regards to actually securing the system.
I might have been not clear enough, but I know of the non-security of SecureBoot. Most attacks don't even focus on modifying the bootloader, and even if you tried, it is very hard to actually achieve something with it. The days are over when you wrote viruses to just break someone's computer by messing up his MBR.
Today, when you write a virus, you want to set up a botnet. And setting up a botnet is easiest by sneaking into a system without changing too much (speaking of boot parameters) and staying in userspace.
Talking of userspace, this is where Microsoft lacks today: Windows didn't change fundamentally in regards to their security: I guess, instead of working on security more thoroughly they rather focus on cementing their monopoly in the interest of a feigned "security" to shut the users up.