UEFI Secure Boot
The Windows Hardware Engineering Community (WinHEC) conference in Shenzhen (China, 18-19 March 2015) has attracted a lot of attention from the security community recently. It appears that UEFI Secure Boot could be permanently enabled by the OEM.
From a slide shown at the conference: “UEFI Secure Boot:
– Must ship enabled
– UEFI version 2.31 compliant
– Win10 Desktop: It’s OEM option whether to allow end user to turn off Secure Boot
– Win10 Mobile: Must not allow secure boot to be turned off on retail device
– UEFI Secure boot database (PK, KEK, db, dbx) must be configured per Win10 HW requirement.”
The fact that the hardware ships with Secure Boot turned on effectively renders the Windows 10 hardware device an appliance, giving little choice to end users. Maybe we are all used to the rigidity of smartphones and tablets, but this takes this inflexibility to a new level.