But isn't the whole Secure Boot option unsafe? The signature is checked by the UEFI firmware, right? And it can also be used by companies other than MS? Well, say I'm evil company or organization x and I've written a bootloader. 1) I request a key to sign my bootloader with. 2) I leak the key. 3) Nothing they can do about it, because blacklisting the key would require a UEFI flash. Then the UEFI part is already bypassed.
UEFI spec. 2.3.1, Chapter 27.7.1: "The signature databases may be updated by the firmware, by a pre-OS application or by an OS application or driver." It simply could happen via Windows Update. I guess most people are not aware what Secure Boot means. M$ or the manufacturer of the EFI (OEM) simply could disable a device or a piece of software if they want. We already have whitelists in BIOS to exclude hardware, especially at OEM machines. UEFI makes it possible to CONTROL YOUR PC in a way most of us aren't aware of! UEFI isn't a static BIOS on an EEPROM, it's a pre-OS on a flash device! UEFI can control hardware IDs, drivers, the entire environment and can be updated ad-hoc. Secure Boot and UEFI are no benefit for the end user, they're a benefit for the manufacturers only. Wake up! Security.. yes, it is. The manufacturers can be secure to enforce their products. If you think the only intention of M$ to have Secure Boot and UEFI is to protect you and your PC, then I have to say you have been fooled. Rootkit..buuh...have you ever had one? It's easy to play with the fear of getting malware!
Uhm, so you mean that if I install driver x (a Windows driver), it can just be removed? Of course MS can already do that through an update that uninstalls it, but can UEFI also give the command to Windows to remove it? I know that UEFI can interact with the OS in a more advanced way than BIOS could, but this is a bit too much for me. If I spend $$$$$ on a machine I want to decide what's going on with it. If Windows does something you don't want you could go to Linux, but you can't replace UEFI by something else. Another thing is like you say about the rootkit yen. The only types of malware infections that I can think of that could be prevented with Secure Boot are pre-OS viruses and maybe drivers. In x64 versions, Windows already gives a warning if you install unsigned drivers. If you install a virus driver anyway it's your own damn fault. I don't know if Windows or antimalware apps protect you from bootsector/bootloader viruses. But after all, when you have decent antimalware software installed, you keep your eyes open and you don't do stupid things, these 2 types of malware can't even reach their target. MS only uses it to fix their OEM activation hole, the rest are just excuses.
Daz, did you find out that when you install W8DP in dualboot with W7 for example, and set in the boot options that you want W7 to be your default OS choice, it brings back the original W7 bootloader from now on? Is this of any help for a future loader?!
I think it's still the same bootloader, but I have no idea how it works actually. One could say that when WDP is default it sets the timer to 0s and fakes a bootloader in its menu, but that's wrong because the timer is still OK when looking in msconfig. But one thing is for sure: the boot menu that WDP shows you is no bootloader at all, it's a pre-logon app. If you select WDP it opens the logon screen, else it reboots and tells the real bootloader what it should boot. @ DAZ: Patching files is a good solution if and ONLY IF it's done right. It won't ever come even close to loaders and BIOS mods, not even close to ODIN, but it's a good way. The problem now is that loaders are a perfect solution. You install it and can forget about it. File-patching solutions require more work, and you can't forget about it. Because loaders work so well, the developers aren't motivated enough to work on it. 1) First we need multiple developers working on 1 project. This way they can react fast to MS updates; even if one of the devs can't work on it, the others can simply continue and update the app. 2) Watch unofficial updates: if you patch x.dll and an unofficial update replaces x.dll (even if it has nothing to do with disabling cracks), be prepared for that. 3) MS is big and has lots of customers; if the crack patches a file, it takes a while before they can release an update for it that's tested and confirmed working. 4) The user of the crack needs to be aware of updates: if Windows wants to install updates, check the repo to see if it's safe. 5) The user needs to frequently check for updates. The major problem is with the last 2 points: most users are lazy and want to forget about it. They tend to forget that they have saved a lot of money and that it's the price they pay to use pirated software.
@stannieman Chapter 27 of UEFI_2_3_1_Errata_A.pdf is like a horror story of control. It's about hashes, hash algorithms, firmware / OS key exchange, signature data and databases. UEFI will provide possibilities of control. UEFI is influenced by M$; U stands for unified, and if something is unified it's to be handled with the same measure. W8 and UEFI will be developed together so they are working perfectly together. UEFI sure can refuse to run something; it doesn't need to remove it.
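The db/dbx mechanism that chapter 27 of the spec covers (and that the earlier post quotes from 27.7.1), as an added illustration that is not code from this thread or from the UEFI specification: a Python model of the allow/deny decision over the two signature databases, using constructed certificate and image bytes and assuming the signature's cryptographic check has already passed. The scenario function walks the leaked-key case from the first post: images signed with the leaked key are accepted until dbx is appended to, which is a variable write rather than a firmware flash.

```python
"""Model of the Secure Boot db/dbx decision that UEFI spec chapter 27 describes.
Added illustration, not code from the thread or the UEFI specification. The
signature's cryptographic validity is assumed already checked; only the policy
over the two signature databases is modelled, with constructed sample bytes."""
import hashlib
from dataclasses import dataclass, field

SHA256 = "EFI_CERT_SHA256_GUID"  # entry type: hash of one image
X509 = "EFI_CERT_X509_GUID"      # entry type: a signer certificate

@dataclass
class SignatureDatabase:
    """Contents of db (allow) or dbx (deny), as held in an authenticated UEFI variable."""
    entries: set = field(default_factory=set)
    def append(self, kind: str, value: str) -> None:
        # A variable append from firmware, a pre-OS app or the OS; no firmware reflash.
        self.entries.add((kind, value))
    def contains(self, kind: str, value: str) -> bool:
        return (kind, value) in self.entries

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def secure_boot_verdict(image: bytes, signer_cert, db: SignatureDatabase, dbx: SignatureDatabase) -> str:
    """dbx is consulted first: a revoked hash or certificate is refused even if db trusts it.
    signer_cert is the certificate bytes from the image's signature, or None if unsigned."""
    cert_fp = digest(signer_cert) if signer_cert is not None else None
    if dbx.contains(SHA256, digest(image)):
        return "deny: image hash revoked"
    if cert_fp is not None and dbx.contains(X509, cert_fp):
        return "deny: signer certificate revoked"
    if db.contains(SHA256, digest(image)):
        return "allow: image hash whitelisted"
    if cert_fp is not None and db.contains(X509, cert_fp):
        return "allow: signed by trusted certificate"
    return "deny: not trusted"

def leaked_key_scenario() -> tuple:
    """The thread's scenario: a trusted vendor key leaks, then is revoked through dbx updates."""
    db, dbx = SignatureDatabase(), SignatureDatabase()
    vendor_cert = b"constructed vendor certificate"
    db.append(X509, digest(vendor_cert))
    rogue = b"constructed bootloader signed with the leaked key"
    before = secure_boot_verdict(rogue, vendor_cert, db, dbx)
    dbx.append(SHA256, digest(rogue))      # revoke this one binary...
    after_hash = secure_boot_verdict(rogue, vendor_cert, db, dbx)
    dbx.append(X509, digest(vendor_cert))  # ...or everything signed under the leaked certificate
    other = b"another image signed with the leaked key"
    return before, after_hash, secure_boot_verdict(other, vendor_cert, db, dbx)
```

The machine still boots the rogue image until the dbx update actually reaches it, which is why revocation lists have to be distributed, not just published.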
No wonder Windows Defender used so many resources, and disabling it makes WDP run so much better. Just don't know if you can do this in the future... Wait and see...