Secure Boot might be a useful part, if everybody could add his own keys to his own board, and delete existing keys for Microsoft and others. But one has to pay to get his key signed by Microsoft. This is comparable to install own software on an iPhone, where one has to pay Apple to unlock a devices.
The most dangerous malware is now produced by states.
If RedHat and Ubuntu can pay their us$99, I guess NSA, BND, CIA, Mossad and others can also. So secure boot is not adding any security, imho. There was already the case that Microsoft implemented a backdoor in NT export versions for NSA 13 years ago.
> There was already the case that Microsoft implemented a backdoor in NT export versions for NSA 13 years ago
There was conspiracy theory speculation that they did so, if it is _NSAKEY that you are thinking about, but few competent cryptographers or security researches took that seriously. Typical responses were like this: http://www.schneier.com/crypto-gram-9909.html#NSAKeyinMicros...
Actually, the Logo requirements specify that you must be able to add your own keys:
> It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.
The former claim is absolutely true, and I'm not happy about it. But that is surely the standard for all ARM devices out today, is it not? Locked bootloaders?
Anyway, the latter claim is purely conjecture. Why would they change convention once everyone has already implemented all this standard/custom mode stuff that they require for 8?
>Secure Boot might be a useful part, if everybody could add his own keys to his own board, and delete existing keys for Microsoft and others. But one has to pay to get his key signed by Microsoft.
That is exactly what Microsoft mandates for secure boot for Windows 8 certification. Please stop spreading misinformation.
The most dangerous malware is now produced by states.
If RedHat and Ubuntu can pay their us$99, I guess NSA, BND, CIA, Mossad and others can also. So secure boot is not adding any security, imho. There was already the case that Microsoft implemented a backdoor in NT export versions for NSA 13 years ago.