all Windows 8 OEM need UEFI ?

Discussion in 'Windows 8' started by B8, Oct 14, 2011.

  1. nononsence

    nononsence MDL Addicted

    I was reading the UEFI driver developer's handbook last night, and there is some pretty scary stuff in it, like UEFI run time
    drivers can be loaded from any arbitrary device like the ROM of a network card, and then are allowed to run after the
    OS has booted, so key loggers and location logging could happen at the BIOS level and transmit the collected data whenever.

    So for God's sake do not buy a Windows 8 machine from Sony.
     
  2. Daz

    Daz MDL Developer / Admin
    Staff Member

    #62 Daz, Oct 20, 2011
    Last edited: Oct 20, 2011
  3. nononsence

    nononsence MDL Addicted

    @Daz

    The point I was trying to make is that an OEM or Government could abuse the extra features that UEFI offers. Sony is
    notorious for this kind of stuff, and how long will it be before an OEM sells the rights to display advertising before the
    system boots, and if you try to remove it your system won't boot because the BIOS does not have the correct key for
    an RTM version of Windows 8. Couldn't you see Dell displaying reminders to buy the extended warranty towards the end
    of your standard warranty period and then ads for Turbo Tax software around tax season :mad:

    I may not be able to afford to have drivers and OS loaders signed but Governments and large corporations can,
    Governments are paranoid and want to collect data about people and corporations are greedy and want to collect
    data about customers to sell to advertisers.

    Personally I will never buy any product that does not have the option to disable secure boot. I install Linux and if possible
    Mac OS X on every laptop I buy, so Secure Boot is a deal breaker, and I am sure there will be OEMs happy to sell me
    something with secure boot as an option.

    I was able to work around the problem with the EFI loader by loading Bootmgfw.efi directly. I have verified that Windows is
    reading the moved tables, but at this point it seems that Windows is just ignoring the SLIC. I am looking at a disassembly
    of Winload.efi now to find a clue as to why this is happening; hopefully I just have the table out of spec.
     
  4. Jachra

    Jachra MDL Member

    @100

    The ELAM component can be an executable / driver for UEFI. With that it is possible to block/remove a loader during boot time.
     
  5. Stannieman

    Stannieman MDL Guru

  6. Daz

    Daz MDL Developer / Admin
    Staff Member

    #68 Daz, Oct 20, 2011
    Last edited: Oct 20, 2011
    @ nononsence
    I agree that it could be a problem if OEMs abuse it, but if they were caught out it'd have a serious effect on their reputation. We need to wait and see until the OS goes RTM I guess.
     
  7. Daz

    Daz MDL Developer / Admin
    Staff Member

    #70 Daz, Oct 20, 2011
    Last edited: Oct 20, 2011
    But what I'm saying is that secure boot is trusted boot and that's of course a UEFI feature, one which we think OEMs will require and that will come enabled by default.

    * Removed *
     
  8. Jachra

    Jachra MDL Member

    #71 Jachra, Oct 20, 2011
    Last edited: Oct 20, 2011
    @100

    UEFI will load the Windows 8 OS Loader. In that sense, the Windows 8 OS Loader is an extension to UEFI. The Windows 8 OS Loader certificate must match with whatever is stored in UEFI. The ELAM driver is also signed with a special certificate from Microsoft. The Windows 8 OS Loader loads the ELAM driver and shall have to verify the certificate of the ELAM driver with UEFI. The Windows 8 OS Loader also loads all other kernel-mode drivers. When the kernel is loaded and initialized, ELAM can be used to verify every boot file. If a faulty binary is found, the system might get halted and the user will have no Windows logon screen.

    Or the system is rebooted and the faulty binary is skipped and the user will get a Windows Logon screen and a message.
     


  9. Daz

    Daz MDL Developer / Admin
    Staff Member

    #72 Daz, Oct 20, 2011
    Last edited: Oct 20, 2011
  10. Yen

    Yen Admin
    Staff Member

    OK some things seem important to me and I want to summarise them for members who could be confused.


    -W8 boots on systems with legacy BIOS. You don't need UEFI to run w8.

    -W8 certified motherboards need to have UEFI

    -Secure boot is a UEFI protocol that has been introduced in UEFI 2.3.1. It will be a feature that can be enabled and disabled. It isn’t guaranteed that all OEMs that will sell preinstalled machines will get the disable option.

    -OEM_SLP licenses (w8 is preinstalled when buying a new PC) need to have secure boot enabled and probably a TPM chip for the W8 license in order to become activated.
    Since secure boot only allows signed boot loaders to boot, this particular license cannot use another uncertified boot loader to DUALBOOT / MULTIBOOT w8 together with other operating systems other than Windows.
    Anyway you can install any other OS on this machine, therefore secure boot must have the disable option. When secure boot is disabled on a preinstalled w8 PC, w8 may refuse to boot.

    -UEFI is the successor of BIOS and will replace it completely. UEFI = Unified Extensible Firmware Interface. BIOS = Basic Input Output System. There is no UEFI BIOS. It’s either the old legacy BIOS or a UEFI.

    The intention to develop UEFI is, generally speaking, to have more options right after you have switched on the PC. The general chain will change: Switch on PC-->BIOS-->OS to PC-->UEFI-->OS.

    A loader has to be placed between BIOS-->OS or UEFI-->OS.

    The clue developing UEFI is to control the pre-OS environment and to control the hardware from OS level. How will it be achieved?
    Simply by putting more control features into the UEFI. And by programming the UEFI in that way (U= Unified) that it can be accessed by Windows, no matter from which OEM vendor the UEFI comes.

    It doesn’t matter if it’s a UEFI feature or a w8 feature, you have to see the entire new boot chain in detail.
    Fact will be: Before the boot loader of the OS is called, there will be already something like a pre operating system which will open new possibilities.
    With a legacy BIOS you have your hardware ready and some BASICS, that’s practically all. B= BASIC

    What bothers me most (as a BIOS modder) is: The digital signature of the UEFI image itself. I guess UEFI modding will be only allowed at non signed areas, which are not interesting.


    Feel free to correct me if I am wrong.
     
  11. nononsence

    nononsence MDL Addicted

    @Yen

    Thanks, I was unsure as to whether OEM_SLP would work with Windows 8 when secure boot is disabled. The only
    way I can see to get around that is to make a replacement for Winload.efi and then patch the crap out of
    ntoskrnl.exe before starting it; should only be about 5 years of work :biggrin:
     
  12. Yen

    Yen Admin
    Staff Member

    #75 Yen, Oct 20, 2011
    Last edited: Oct 20, 2011
    Well some details are still like an open book. My post isn't meant to be the ultimate truth that it will happen exactly for sure, I am no insider. I have tried to summarize what's this thread all about, what I have read about myself and what seems probable to realize for M$ or the OEMs to stay conform to the EU laws.
    If, for instance, an OEM_SLP license should remain activated and boots without secure boot enabled, the entire thing doesn't make any sense (to me).

    Also it isn't sure that M$ has already signed-off their specifications about. They may change their ideas as well.
     
  13. 100

    100 MDL Expert

    Okay, I'm gonna try and explain this one more time, but apparently nobody is interested in actually reading the documents and figuring out for themselves how it all works together.

    Reading the "trusted boot" paper makes it clear that trusted boot requires a TPM. Reading the paper also makes it clear that it can work with conventional BIOS, as well as UEFI.
    "Secure boot", on the other hand, is a feature of UEFI and, as we know, does not require a TPM. Without a TPM it can't possibly be the same as trusted boot, how is that not obvious?
    The essential difference is that secure boot runs as part of the UEFI boot process, and trusted boot as part of the OS boot process.
    Try to imagine a system that has a valid Linux boot loader signature in UEFI, which will allow it to boot with secure boot. In that case, where's the trusted boot with its ELAM then? Nowhere, since it's a Windows-based implementation that gets executed through the Windows OS loader/kernel. These are simply two different things.

    What we know so far is that OEM systems require UEFI and the possibility of secure boot. Secure boot doesn't require a TPM, so it doesn't necessarily mean the system will have to be equipped with one. So far there's no confirmation whatsoever whether OEM systems will require a TPM, so all of this is purely unfounded speculation.
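
The distinction drawn in the post above, firmware-side enforcement versus TPM-backed measurement, as an added example that is not part of the thread. It is a simplified model under stated assumptions: the Secure Boot allow and revocation lists (db, dbx) are modelled as sets of SHA-256 hashes rather than certificates, the TPM register is a single 32-byte value, and the stage names and image bytes are constructed.

```python
import hashlib

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def secure_boot_allows(image: bytes, db: set, dbx: set) -> bool:
    """Enforcement: an image runs only if its hash is allowed (db) and not revoked (dbx)."""
    d = digest(image)
    return d not in dbx and d in db

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set directly."""
    return digest(pcr + measurement)

def boot(chain, db, dbx, secure_boot=True):
    """Walk the boot chain; return (stages executed, final PCR, event log)."""
    pcr, log, ran = bytes(32), [], []
    for name, image in chain:
        if secure_boot and not secure_boot_allows(image, db, dbx):
            break                      # enforcement: refuse to hand over control
        m = digest(image)
        log.append((name, m))          # measurement: record, never block
        pcr = pcr_extend(pcr, m)
        ran.append(name)
    return ran, pcr, log

def replay(log) -> bytes:
    """Verifier side: recompute the PCR from the event log to compare with the TPM's value."""
    pcr = bytes(32)
    for _name, m in log:
        pcr = pcr_extend(pcr, m)
    return pcr

# Constructed sample images (assumption: plain byte strings stand in for EFI binaries)
GOOD = [("boot_manager", b"boot manager v1"), ("os_loader", b"OS loader v1")]
TAMPERED = [GOOD[0], ("os_loader", b"OS loader v1 + patch")]
DB = {digest(img) for _, img in GOOD}
GOLDEN_PCR = boot(GOOD, DB, set())[1]

if __name__ == "__main__":
    print("secure boot on :", boot(TAMPERED, DB, set())[0])
    ran, pcr, _ = boot(TAMPERED, DB, set(), secure_boot=False)
    print("secure boot off:", ran, "PCR matches golden:", pcr == GOLDEN_PCR)
```

With enforcement on, the modified loader never runs; with it off, the chain completes but the final register value no longer matches the known-good one, which is what a verifier checking the measurements would detect.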
     
  14. Shenj

    Shenj MDL Expert

    We know absolutely nothing about OEM Activation yet (seriously... MS said nothing about it) but lemme add something:

    OEM_SLP does not require TPM (a module mainly used for Enterprise, costs about 10-20$, it's just a chip kinda like a permanent Smartcard) nor will you not be able to boot W8 with Secure Boot disabled, Secure Boot is your choice (if you can disable it lol) UEFI 2.3.1 is required by OEMs to be used, as only this and future Versions support Secure Boot, technically you would be able to Install Linux too if the bootloader and OS (to make full use of the features) support it and the required files like Bootloader is digitally signed, then you would be able to Dualboot W8 and Linux with Secure boot Enabled.
    But what's less clear is how W8 with Secure Boot and signed Bootloaders handles Chain-loading of signed bootloaders, which is important to know how Secure Boot really affects a Linux distro on a Dualboot (if the Linux distro would come with a signed bootloader, without it fails anyway)
    As long as Secure Boot is disabled it should be possible to create a Loader, ofc the loader needs to actually work for EFI and GPT as this will become the Standard, with Secure Boot enabled we need an exploit
     
  15. Yen

    Yen Admin
    Staff Member

    Your post isn't addressed to me? 'Nobody apparently is interested in actually reading'.... I did as I have posted. In my post the words 'require' and 'trusted boot' never appear. ;)

    @Shenj, TPM I don't think personally, secure boot at OEM_SLP seems more than probable, though.

    All the preinstalled machines will be new ones and it'll take time until w8 becomes RTM. All will get UEFI and OA always used specifications of the firmware (ACPI at BIOS), so why not those of secure boot? It is the only way to prevent OEM_SLP mimicking and M$ has failed so far. It is more than probable that they will go that way.....we'll see.:biggrin:
     
  16. Daz

    Daz MDL Developer / Admin
    Staff Member

    #79 Daz, Oct 20, 2011
    Last edited: Oct 20, 2011
    @ 100
    Some of us have read it but each of us read it differently, so who's right? None of us because nobody has the hardware or the software.

    What we know is that OEM systems must contain secure boot and it doesn't take a brain surgeon to figure out that this will likely link into OA 3.0.

    What I've said in earlier posts is to do with the emulation of OA 3.0 via a custom built UEFI emulator that runs on older hardware. I didn't ever mention Linux, I simply said that it'd be pretty much impossible to emulate everything with the digital signatures in such a way that Windows can't block the emulator via a Windows update (so blocked via Windows like the leaked Lenovo serial). TPM and secure boot will make no difference.

    The bottom line is that a UEFI loader for Windows 7 is possible and it wouldn't get blocked but a UEFI loader for Windows 8 will run into problems.

    Also about the OEM serials, we don't yet know if they will be static or more along the lines of MAK. If they're not static then once again, the loader's pointless.

    Note: When I say UEFI loader I also mean emulator because activating existing UEFI systems would require a different activation method.
     
  17. 100

    100 MDL Expert

    Sorry Yen, I didn't mean you there :p

    There seems to be much confusion about secure boot, trusted boot, ELAM, etc., and how they work together, and many statements made in this thread were just plain wrong.

    Daz,
    yes, it's obvious OA 3.0 will be tied to UEFI somehow. You were mentioning though that secure boot and trusted boot were the same, but they're not. I just used the Linux example to help explain that.

    I think at this time it's too early to discuss OA 3.0 anyway, all we can do is guess, without any way to confirm anything at all.