2015-03-21

The Brave New World of Boot Guard and Secure Boot

Following the news that PC manufacturers have started to use Intel Boot Guard, a technology designed to prevent the installation of modified or custom firmware like coreboot, we now learn that Microsoft may drop from the Windows 10 Logo guidelines the requirement that it be possible to deactivate Secure Boot. This collusion between Microsoft and Intel in allowing only vendor-signed code during early boot potentially affects all new computers that come with Windows 10 preinstalled.

It means that, in a pessimistic scenario, the only thing standing between Microsoft (or anybody else with access to the infrastructure) and the ability to disable millions of Linux computers on a whim, by blacklisting their bootloader signatures, may be the ability to install user keys in the UEFI key storage. Computer owners would have no other way to defend against this.

It is probably time to familiarize yourself with the procedure for using Secure Boot with your own keys. At least this remains possible, for now.