My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18 previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy BIOS
Although I know Linux can be installed on a UEFI machine...is there any possible reason it would be a good idea?
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18 previously. Since the machine itself is a 3ghz quad
core with 16G of RAM, I see no point in getting new h/w just because it has a legacy BIOS
Although I know Linux can be installed on a UEFI machine...is there any possible reason it would be a good idea?
Also: Really is Windows 11 safe boot, UEFI and TPM really all that secure ?question for a M$oft forum, surely.
philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy BIOS >>
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
The features help the two platforms equally.
The purpose is to detect that boot materials have
been altered. The hardware is there to establish a
root of trust.
But as of this date, I'd like to understand just
how common this problem of compromised boot materials
is, before I would declare in a loud voice that
it was "necessary".
Surely you must have seen a Linux distro attempting
to secure boot... The Linux distros are already set up
for this.
*******
One reason I don't switch on a lot of whizzy security
features, is I don't ever want to be locked out of
my own machine :-)
*******
The highest level of security, comes from BIOS signing.
On some server boards, Tyan buys a batch of Intel processors,
where the processor checks the signature on the BIOS image.
If the BIOS image says "Genuine Tyan", the processor
will jump to the start vector. If the processor checks
the signature of the BIOS and it says "CoreBoot", then
the Tyan-stamped processor won't boot. Features of this
type, change the resale value of components when servers
are taken apart. (It's the same with BEV cars, where the
components have electronic serial numbers, and you cannot
arbitrarily steal a battery pack out of a neighbors
Tesla and plug it into your same-model Tesla. The car
won't drive.) That's the kind of era we're headed towards.
Materials ruined by signing.
*******
Windows has the advantage, that Secure Boot, there are
already Windows Keys in the UEFI BIOS. The BIOS attempts
to help other OSes (such as Windows 7 or Linux), via a
selection of "Other OS" for Secure Boot.
On Linux, this will bring up the topic of MOKUtil. And
you can be unceremoniously thrown into that without warning
and asked whether to change stuff.
https://wiki.ubuntu.com/UEFI/SecureBoot
Linux uses some kind of signed shim for getting Linux
to secure boot on a PC where Secure Boot is enabled and
the Windows Keys are present. But there is also some
reason to be altering Machine Owner Keys in the BIOS
page related to Secure Boot keys. I could not tell you,
whether monkeying with this stuff, allows two OSes to be
ready and able to Secure Boot at a moments notice. I don't
know if this tech is intended for multibooters or
free thinkers :-)
Paul
On 15/09/2021 15:39, philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy BIOS >>
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
I have 20.04 running on a no-name UEFI PC, and other than adding an
extra layer of complexity (especially as I backup by creating a bootable image, which I then test by booting off a disk-on-key) there seems to be
no disadvantage, and the only advantage would appear to be the
possibility of (dual) booting windows (I had to do that for work purposes.) All being equal, I would stay with the legacy BIOS
question for a M$oft forum, surely.
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
Also: Really is Windows 11 safe boot, UEFI and TPM really all that secure ?
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18 previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy
BIOS
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
On 15.09.2021 at 07:39, philo scribbled:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy
BIOS
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
UEFI in and of itself is not a bad thing. It's only the successor to
the legacy BIOS.
Booting a protected mode or long mode operating system such as
GNU/Linux on a legacy BIOS machine means that the processor first has
to start off in real mode -- i.e. the DOS-compatible 16-bit mode with
only 640 KiB of main memory, and no multitasking, let alone multi-core processing -- and from there the bootstrap code needs to set up
protected mode or long mode with pagetables, descriptor tables, et al.
The process also involves gathering information about the hardware from
the BIOS and then copying that information to a protected memory
location, so that the operating system will be able to read the
information once it has booted.
UEFI does away with all that, because UEFI runs in 64-bit long mode --
there are some 32-bit UEFI versions out there, but they are rare. The
UEFI sets up the processor's 64-bit long mode before the operating
system is even booted and loads a 64-bit boot loader (such as the UEFI-capable version of GRUB2), and once the operating system is
loaded, it can communicate with the UEFI firmware on account of
whatever information it needs, or needs to change -- e.g. you can set
the order of the items in the UEFI's own boot manager, or add items to
that list, or remove items from it, all from within the operating
system.
Secure Boot is another thing altogether. It's a subsystem of UEFI that
will prevent the loading of operating systems that haven't been signed
with a Microsoft-issued key, but it can be disabled in most UEFI implementations. Also, it has already been bypassed under laboratory conditions, so it isn't all that "secure".
Its intent either way had nothing to do with security, but with putting
the x86 architecture under Microsoft's control, given that Microsoft is
on the UEFI committee, and that Microsoft -- unlike Apple -- had no
general purpose hardware of its own yet at the time. Secure Boot was therefore intended to tie the x86 platform to Microsoft and prevent any
other operating systems from booting. You have to keep in mind that
the introduction of Secure Boot happened while Steve Ballmer was still
the CEO of Microsoft, and that Microsoft had no intention whatsoever at
that point of sharing and cooperating with the FLOSS community.
TPM is a similar technology, but extends beyond the booting process.
It is meant to restrict the user in what software they can run on their
own computer. Perhaps that makes sense in a business environment where
you don't want your employees to be playing computer games during
office hours, but for privately owned computers, it's a load of bull,
and I for one wouldn't want it in any of my machines.
The above all said, this machine here runs Manjaro, and it boots in
UEFI-only mode. No Secure Boot [*] -- the machine did not come with Microsoft Windows preinstalled -- and legacy BIOS emulation has been disabled. Not that Manjaro requires the machine to boot in UEFI mode,
but I see no reason why I would want it to boot in 16-bit legacy BIOS
mode.
[*] Unlike Debian, Ubuntu and RedHat, Manjaro doesn't even support
Secure Boot, although it certainly does support UEFI. Manjaro also
has an AARCH64 branch, and AARCH64 always comes with a UEFI -- it's
not compatible with the 16-bit x86 code used by a legacy BIOS.
On 15/09/2021 15:39, philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy BIOS >>
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
I have 20.04 running on a no-name UEFI PC, and other than adding an
extra layer of complexity (especially as I backup by creating a bootable image, which I then test by booting off a disk-on-key) there seems to be
no disadvantage, and the only advantage would appear to be the
possibility of (dual) booting windows (I had to do that for work purposes.) All being equal, I would stay with the legacy BIOS
question for a M$oft forum, surely.
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy BIOS >>
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
The features help the two platforms equally.
The purpose is to detect that boot materials have
been altered. The hardware is there to establish a
root of trust.
But as of this date, I'd like to understand just
how common this problem of compromised boot materials
is, before I would declare in a loud voice that
it was "necessary".
Surely you must have seen a Linux distro attempting
to secure boot... The Linux distros are already set up
for this.
*******
One reason I don't switch on a lot of whizzy security
features, is I don't ever want to be locked out of
my own machine :-)
*******
The highest level of security, comes from BIOS signing.
On some server boards, Tyan buys a batch of Intel processors,
where the processor checks the signature on the BIOS image.
If the BIOS image says "Genuine Tyan", the processor
will jump to the start vector. If the processor checks
the signature of the BIOS and it says "CoreBoot", then
the Tyan-stamped processor won't boot. Features of this
type, change the resale value of components when servers
are taken apart. (It's the same with BEV cars, where the
components have electronic serial numbers, and you cannot
arbitrarily steal a battery pack out of a neighbors
Tesla and plug it into your same-model Tesla. The car
won't drive.) That's the kind of era we're headed towards.
Materials ruined by signing.
*******
Windows has the advantage, that Secure Boot, there are
already Windows Keys in the UEFI BIOS. The BIOS attempts
to help other OSes (such as Windows 7 or Linux), via a
selection of "Other OS" for Secure Boot.
On Linux, this will bring up the topic of MOKUtil. And
you can be unceremoniously thrown into that without warning
and asked whether to change stuff.
https://wiki.ubuntu.com/UEFI/SecureBoot
Linux uses some kind of signed shim for getting Linux
to secure boot on a PC where Secure Boot is enabled and
the Windows Keys are present. But there is also some
reason to be altering Machine Owner Keys in the BIOS
page related to Secure Boot keys. I could not tell you,
whether monkeying with this stuff, allows two OSes to be
ready and able to Secure Boot at a moments notice. I don't
know if this tech is intended for multibooters or
free thinkers :-)
Paul
On 9/15/21 07:01, Paul wrote:
philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy
BIOS
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
One doubts it extremely. Otherwise I would not have tow or three Dell Latitudes e6440, e6520, and e7450 running PCLinux. All
had Secure Boot. I turned it off in the Firmware/BIOS I use
EFI and GPT. Primary partitions seem to be better than Logical
Partitions I also used to install multiple distributions to
metal.
The features help the two platforms equally.
The purpose is to detect that boot materials have
been altered. The hardware is there to establish a
root of trust.
But as of this date, I'd like to understand just
how common this problem of compromised boot materials
is, before I would declare in a loud voice that
it was "necessary".
Surely you must have seen a Linux distro attempting
to secure boot... The Linux distros are already set up
for this.
Some Linux distribution are setup for this but
you have to come to agreement with Microsoft to get the
required signatures and it must be changed with every
Kernel.
*******
One reason I don't switch on a lot of whizzy security
features, is I don't ever want to be locked out of
my own machine :-)
*******
Well if you can keep track of your passwords there
is little chance of that happening.
The highest level of security, comes from BIOS signing.
On some server boards, Tyan buys a batch of Intel processors,
where the processor checks the signature on the BIOS image.
If the BIOS image says "Genuine Tyan", the processor
will jump to the start vector. If the processor checks
the signature of the BIOS and it says "CoreBoot", then
the Tyan-stamped processor won't boot. Features of this
type, change the resale value of components when servers
are taken apart. (It's the same with BEV cars, where the
components have electronic serial numbers, and you cannot
arbitrarily steal a battery pack out of a neighbors
Tesla and plug it into your same-model Tesla. The car
won't drive.) That's the kind of era we're headed towards.
Materials ruined by signing.
I agree that too much signing is obviously too much
but considering the price of Telsa battery packs that is not
too much.
*******
Windows has the advantage, that Secure Boot, there are
already Windows Keys in the UEFI BIOS. The BIOS attempts
to help other OSes (such as Windows 7 or Linux), via a
selection of "Other OS" for Secure Boot.
You mean recognize rather than help.
On Linux, this will bring up the topic of MOKUtil. And
you can be unceremoniously thrown into that without warning
and asked whether to change stuff.
https://wiki.ubuntu.com/UEFI/SecureBoot
Linux uses some kind of signed shim for getting Linux
to secure boot on a PC where Secure Boot is enabled and
the Windows Keys are present. But there is also some
reason to be altering Machine Owner Keys in the BIOS
page related to Secure Boot keys. I could not tell you,
whether monkeying with this stuff, allows two OSes to be
ready and able to Secure Boot at a moments notice. I don't
know if this tech is intended for multibooters or
free thinkers :-)
Paul
Some varieties of Linux ignore Secure Boot and simply
have the User access the BIOS/Firmware and turn off secure boot
and depend on passwords to secure the system.
bliss - uses a Pretty Cool Linux Operating System aka pclinuxos
philo wrote:
Also: Really is Windows 11 safe boot, UEFI and TPM really all that secure ?
"Trusted platform module security defeated in 30 minutes, no soldering required" <https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/>
On 9/15/21 9:04 AM, Henry Crun wrote:
On 15/09/2021 15:39, philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy
BIOS
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
I have 20.04 running on a no-name UEFI PC, and other than adding an
extra layer of complexity (especially as I backup by creating a
bootable image, which I then test by booting off a disk-on-key) there
seems to be no disadvantage, and the only advantage would appear to be
the possibility of (dual) booting windows (I had to do that for work
purposes.)
All being equal, I would stay with the legacy BIOS
question for a M$oft forum, surely.
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
Asked on one but did not get much of an answer
philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy
BIOS
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
The features help the two platforms equally.
The purpose is to detect that boot materials have
been altered. The hardware is there to establish a
root of trust.
But as of this date, I'd like to understand just
how common this problem of compromised boot materials
is, before I would declare in a loud voice that
it was "necessary".
Paul <nospam@needed.invalid> writes:
philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy
BIOS
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
The features help the two platforms equally.
The purpose is to detect that boot materials have
been altered. The hardware is there to establish a
root of trust.
But as of this date, I'd like to understand just
how common this problem of compromised boot materials
is, before I would declare in a loud voice that
it was "necessary".
Boot sector viruses were a running sore in the past. On a modern
computer there are more convenient places for malware to persist - but ultimately if you’re going to secure a platform, you have to start at
the bottom and work up - CPU microcode, firmware, bootloader, kernel,
and so on.
philo wrote:
On 9/15/21 9:04 AM, Henry Crun wrote:
On 15/09/2021 15:39, philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G of
RAM, I see no point in getting new h/w just because it has a legacy
BIOS
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
I have 20.04 running on a no-name UEFI PC, and other than adding an
extra layer of complexity (especially as I backup by creating a
bootable image, which I then test by booting off a disk-on-key) there
seems to be no disadvantage, and the only advantage would appear to
be the possibility of (dual) booting windows (I had to do that for
work purposes.)
All being equal, I would stay with the legacy BIOS
question for a M$oft forum, surely.
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
Asked on one but did not get much of an answer
Example here.
https://www.forbes.com/sites/daveywinder/2021/07/03/windows-11-security-stink-reveals-massive-microsoft-ransomware-red-herring/?sh=62d064a922e1
As someone there mentions, the boot sequence is currently
buttressed by PKI, and that means for key files ("winload.exe"),
the signing is checked to verify the file came from Microsoft.
That means there's a tiny bit of checking, already in place.
That article gets sidetracked on the keyword "ransomware", and
of course booting has little to do with ransomware.
Part of what Windows 11 is supposed to do, is have containers
conceptually similar to Snaps. Things with attack surfaces
(Excel or MSWD macros) are launched in containers, so all the
things they attempt to do, some of them will be stopped
(writing outside of the home directory). The best way to stop
a pest, is prevent it from gaining a foothold.
There is one other feature which is backed in hardware, to harden
the OS.
https://arstechnica.com/gadgets/2021/08/why-windows-11-has-such-strict-hardware-requirements-according-to-microsoft/
"A towering stack of security acronyms
Windows 11 (and also Windows 10!) uses virtualization-based
security, or VBS.
VBS includes an optional feature called "memory integrity."
That's the more user-friendly name for something called
Hypervisor-protected code integrity, or HVCI.
older computers will incur a significant performance penalty
because their processors don't support mode-based execution control,
or MBEC.
"
I've never seen this dialog on the Windows 10 I have installed,
so I assume this is only on the higher SKUs (Enterprise or Server).
https://cdn.arstechnica.net/wp-content/uploads/2021/08/HVCI-win10.png
It's the MBEC that shortens the CPU list to only three years worth.
And I don't see the MBEC on the Intel ARK pages as a tick box.
The inverted hypervisor on Windows, allows the host OS to be
virtualized and run under the Hypervisor. When you run VirtualBox
in that Windows Host, VirtualBox 6 was modified so it could be "nested",
and in theory now, you should be able to nest Guests as well (Guest
runs VirtualBox, with an OS inside it). It means everything is basically virtualized, and without the "Hyper-V" tick box in Windows Features
turned on. It means the ecosystem is a 3D "ocean" of virtualization.
The containers will be virtual. VirtualBox will be nested. And so on.
Now, if only I could get those idiots to draw a picture of that,
so I can verify this description and point at it when I need to back
up this picture. There *is* a diagram of the hypervisor, that already
exists, for the Windows 10 feature set. But that diagram will become
*much* larger, if they ever get around to drawing it for us. It could
be that this MBEC thing is a key part of making the 3D ocean of crap, performant.
As usual, no helpful background, but a taste of the acronym soup used.
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
The story would work without MBEC and allow older processors
to be used, but with a performance loss of 40%, according to
one of the above articles.
Paul
https://www.forbes.com/sites/daveywinder/2021/07/03/windows-11-security-stink-reveals-massive-microsoft-ransomware-red-herring/?sh=62d064a922e1
As someone there mentions, the boot sequence is currently
buttressed by PKI, and that means for key files ("winload.exe"),
the signing is checked to verify the file came from Microsoft.
That means there's a tiny bit of checking, already in place.
That article gets sidetracked on the keyword "ransomware", and
of course booting has little to do with ransomware.
Part of what Windows 11 is supposed to do, is have containers
conceptually similar to Snaps. Things with attack surfaces
(Excel or MSWD macros) are launched in containers, so all the
things they attempt to do, some of them will be stopped
(writing outside of the home directory). The best way to stop
a pest, is prevent it from gaining a foothold.
There is one other feature which is backed in hardware, to harden
the OS.
https://arstechnica.com/gadgets/2021/08/why-windows-11-has-such-strict-hardware-requirements-according-to-microsoft/
"A towering stack of security acronyms
Windows 11 (and also Windows 10!) uses virtualization-based
security, or VBS.
VBS includes an optional feature called "memory integrity."
That's the more user-friendly name for something called
Hypervisor-protected code integrity, or HVCI.
older computers will incur a significant performance penalty
because their processors don't support mode-based execution
control, or MBEC.
*******
https://www.express.co.uk/life-style/science-technology/1454710/Windows-11-news-your-laptop-will-need-a-camera-to-run-Microsoft-OS
"The Windows 11 documentation says:Your tag lines (k) were stolen! (more) There is a puff of smoke!
Starting from January 1 2023, all Device Types except Desktop PC,
are required to have Forward-facing camera which meets the
following requirements. A rear-facing camera is optional"
"
The camera is a minimum of 1280x720, 15FPS. Which implies they're
trying to allow USB2 legacy cameras in that spec. As the older webcams,
at resolutions like 1600x1200, manage about 5FPS. It is the
640x480 USB2 cameras that traditionally make 30FPS. So they've
picked a set of conditions so that the hardware requirement for
the camera won't be too high.
My laptop has a "camera" in it, but even with elevated room
lighting, the image remains dark and unusable for any practical
purpose. The manufacturer could tick the "has a camera" box if
they wanted.
Paul
On 9/15/21 9:07 PM, Paul wrote:
philo wrote:
On 9/15/21 9:04 AM, Henry Crun wrote:
On 15/09/2021 15:39, philo wrote:
My main machine runs Ubuntu 20.04 which was upgraded from 16 to 18
previously. Since the machine itself is a 3ghz quad core with 16G
of RAM, I see no point in getting new h/w just because it has a
legacy BIOS
Although I know Linux can be installed on a UEFI machine...is there
any possible reason it would be a good idea?
I have 20.04 running on a no-name UEFI PC, and other than adding an
extra layer of complexity (especially as I backup by creating a
bootable image, which I then test by booting off a disk-on-key)
there seems to be no disadvantage, and the only advantage would
appear to be the possibility of (dual) booting windows (I had to do
that for work purposes.)
All being equal, I would stay with the legacy BIOS
question for a M$oft forum, surely.
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
Asked on one but did not get much of an answer
Example here.
https://www.forbes.com/sites/daveywinder/2021/07/03/windows-11-security-stink-reveals-massive-microsoft-ransomware-red-herring/?sh=62d064a922e1
As someone there mentions, the boot sequence is currently
buttressed by PKI, and that means for key files ("winload.exe"),
the signing is checked to verify the file came from Microsoft.
That means there's a tiny bit of checking, already in place.
That article gets sidetracked on the keyword "ransomware", and
of course booting has little to do with ransomware.
Part of what Windows 11 is supposed to do, is have containers
conceptually similar to Snaps. Things with attack surfaces
(Excel or MSWD macros) are launched in containers, so all the
things they attempt to do, some of them will be stopped
(writing outside of the home directory). The best way to stop
a pest, is prevent it from gaining a foothold.
There is one other feature which is backed in hardware, to harden
the OS.
https://arstechnica.com/gadgets/2021/08/why-windows-11-has-such-strict-hardware-requirements-according-to-microsoft/
"A towering stack of security acronyms
Windows 11 (and also Windows 10!) uses virtualization-based
security, or VBS.
VBS includes an optional feature called "memory integrity."
That's the more user-friendly name for something called
Hypervisor-protected code integrity, or HVCI.
older computers will incur a significant performance penalty
because their processors don't support mode-based execution
control, or MBEC.
"
I've never seen this dialog on the Windows 10 I have installed,
so I assume this is only on the higher SKUs (Enterprise or Server).
https://cdn.arstechnica.net/wp-content/uploads/2021/08/HVCI-win10.png
It's the MBEC that shortens the CPU list to only three years worth.
And I don't see the MBEC on the Intel ARK pages as a tick box.
The inverted hypervisor on Windows, allows the host OS to be
virtualized and run under the Hypervisor. When you run VirtualBox
in that Windows Host, VirtualBox 6 was modified so it could be "nested",
and in theory now, you should be able to nest Guests as well (Guest
runs VirtualBox, with an OS inside it). It means everything is basically
virtualized, and without the "Hyper-V" tick box in Windows Features
turned on. It means the ecosystem is a 3D "ocean" of virtualization.
The containers will be virtual. VirtualBox will be nested. And so on.
Now, if only I could get those idiots to draw a picture of that,
so I can verify this description and point at it when I need to back
up this picture. There *is* a diagram of the hypervisor, that already
exists, for the Windows 10 feature set. But that diagram will become
*much* larger, if they ever get around to drawing it for us. It could
be that this MBEC thing is a key part of making the 3D ocean of crap,
performant.
As usual, no helpful background, but a taste of the acronym soup used.
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
The story would work without MBEC and allow older processors
to be used, but with a performance loss of 40%, according to
one of the above articles.
Paul
Windows keeps getting worse.
At first I thought people were joking when they said that in a few
years, Win11 won't run on a laptop without a hi-res forward camera.
On 9/17/21 18:41, Paul wrote:
https://www.forbes.com/sites/daveywinder/2021/07/03/windows-11-security-stink-reveals-massive-microsoft-ransomware-red-herring/?sh=62d064a922e1
As someone there mentions, the boot sequence is currently
buttressed by PKI, and that means for key files ("winload.exe"),
the signing is checked to verify the file came from Microsoft.
That means there's a tiny bit of checking, already in place.
That article gets sidetracked on the keyword "ransomware", and
of course booting has little to do with ransomware.
Part of what Windows 11 is supposed to do, is have containers
conceptually similar to Snaps. Things with attack surfaces
(Excel or MSWD macros) are launched in containers, so all the
things they attempt to do, some of them will be stopped
(writing outside of the home directory). The best way to stop
a pest, is prevent it from gaining a foothold.
There is one other feature which is backed in hardware, to harden
the OS.
https://arstechnica.com/gadgets/2021/08/why-windows-11-has-such-strict-hardware-requirements-according-to-microsoft/
"A towering stack of security acronyms
Windows 11 (and also Windows 10!) uses virtualization-based
security, or VBS.
VBS includes an optional feature called "memory integrity."
That's the more user-friendly name for something called
Hypervisor-protected code integrity, or HVCI.
older computers will incur a significant performance penalty
because their processors don't support mode-based execution
control, or MBEC.
Trusted Security Module already Obsolete
Windows 11 has that as a requirement a chip or module
that holds security information but some experts think
that approach is already obsolete. TSM has to be accessed
by software which means that attackers can get to the same
information. Some are pushing a ProSPU or Professional
Secuity Processing Unit.
/quote of article by Joel Khalili
Whereas TPMs are passive, creating an opportunity for infiltration by an attacker, the ProSPU is master of the system,
performing active checks to verify each element of the boot process is authentic. Many chips on the market already perform their own secure
boot, Myszne concedes, but there’s nothing out there that “pokes around in all the different places”.
/quote
Whatever this will impact Linux users as most of the
machines we user
are derived from machines capable of running Windows, If
you want to
read more about this go to the following URL.
<https://www.techradar.com/uk/news/forget-tpm-chips-for-windows-11-thats-not-even-the-half-of-it>
big snip
*******Your tag lines (k) were stolen! (more) There is a puff of smoke!
https://www.express.co.uk/life-style/science-technology/1454710/Windows-11-news-your-laptop-will-need-a-camera-to-run-Microsoft-OS
"The Windows 11 documentation says:
Starting from January 1 2023, all Device Types except Desktop PC,
are required to have Forward-facing camera which meets the
following requirements. A rear-facing camera is optional"
"
The camera is a minimum of 1280x720, 15FPS. Which implies they're
trying to allow USB2 legacy cameras in that spec. As the older webcams,
at resolutions like 1600x1200, manage about 5FPS. It is the
640x480 USB2 cameras that traditionally make 30FPS. So they've
picked a set of conditions so that the hardware requirement for
the camera won't be too high.
My laptop has a "camera" in it, but even with elevated room
lighting, the image remains dark and unusable for any practical
purpose. The manufacturer could tick the "has a camera" box if
they wanted.
Paul
Facial recognition software does not work very well the
last I heard.
bliss - uses a Pretty Cool Linux Operating System aka pclinuxos
Bobbie Sellers wrote:
On 9/17/21 18:41, Paul wrote:
https://www.forbes.com/sites/daveywinder/2021/07/03/windows-11-security-stink-reveals-massive-microsoft-ransomware-red-herring/?sh=62d064a922e1
As someone there mentions, the boot sequence is currently
buttressed by PKI, and that means for key files ("winload.exe"),
the signing is checked to verify the file came from Microsoft.
That means there's a tiny bit of checking, already in place.
That article gets sidetracked on the keyword "ransomware", and
of course booting has little to do with ransomware.
Part of what Windows 11 is supposed to do, is have containers
conceptually similar to Snaps. Things with attack surfaces
(Excel or MSWD macros) are launched in containers, so all the
things they attempt to do, some of them will be stopped
(writing outside of the home directory). The best way to stop
a pest, is prevent it from gaining a foothold.
There is one other feature which is backed in hardware, to harden
the OS.
https://arstechnica.com/gadgets/2021/08/why-windows-11-has-such-strict-hardware-requirements-according-to-microsoft/
"A towering stack of security acronyms
Windows 11 (and also Windows 10!) uses virtualization-based
security, or VBS.
VBS includes an optional feature called "memory integrity."
That's the more user-friendly name for something called
Hypervisor-protected code integrity, or HVCI.
older computers will incur a significant performance penalty
because their processors don't support mode-based execution
control, or MBEC.
Trusted Security Module already Obsolete
Windows 11 has that as a requirement a chip or module
that holds security information but some experts think
that approach is already obsolete. TSM has to be accessed
by software which means that attackers can get to the same
information. Some are pushing a ProSPU or Professional
Secuity Processing Unit.
/quote of article by Joel Khalili
Whereas TPMs are passive, creating an opportunity for
infiltration by an attacker, the ProSPU is master of the system,
performing active checks to verify each element of the boot process is
authentic. Many chips on the market already perform their own secure
boot, Myszne concedes, but there’s nothing out there that “pokes
around in all the different places”.
/quote
Whatever this will impact Linux users as most of the
machines we user
are derived from machines capable of running Windows, If
you want to
read more about this go to the following URL.
<https://www.techradar.com/uk/news/forget-tpm-chips-for-windows-11-thats-not-even-the-half-of-it>
big snip
*******Your tag lines (k) were stolen! (more) There is a puff of smoke!
https://www.express.co.uk/life-style/science-technology/1454710/Windows-11-news-your-laptop-will-need-a-camera-to-run-Microsoft-OS
"The Windows 11 documentation says:
Starting from January 1 2023, all Device Types except Desktop PC, >>> are required to have Forward-facing camera which meets the
following requirements. A rear-facing camera is optional"
"
The camera is a minimum of 1280x720, 15FPS. Which implies they're
trying to allow USB2 legacy cameras in that spec. As the older webcams,
at resolutions like 1600x1200, manage about 5FPS. It is the
640x480 USB2 cameras that traditionally make 30FPS. So they've
picked a set of conditions so that the hardware requirement for
the camera won't be too high.
My laptop has a "camera" in it, but even with elevated room
lighting, the image remains dark and unusable for any practical
purpose. The manufacturer could tick the "has a camera" box if
they wanted.
Paul
Facial recognition software does not work very well the
last I heard.
bliss - uses a Pretty Cool Linux Operating System aka pclinuxos
I think it's hard to guess whether the RealSense is
actually used by anyone.
https://support.intelrealsense.com/hc/en-us/articles/360022951533-Windows-10-Issues-with-Intel-RealSense-Cameras-SR300-and-F200
*******
"Some are pushing a ProSPU or Professional Secuity Processing Unit"
The history of security devices on computers is not that good.
The researchers are too good at breaking stuff.
Paul
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
On 2021-09-15 05:39, philo wrote:
Also: Really is Windows 11 safe boot, UEFI and TPM really all that
secure ?
no, Micros~1's misbehavior with respect to TPM, including locking out Virtualbox hosts, is PART OF THEIR STRONGARM TACTICS to FORCE YOU TO BUY
NEW HARDWARE
When I buy new hardware, it gets FreeBSD or Linux!!!
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 307 |
Nodes: | 16 (2 / 14) |
Uptime: | 30:38:47 |
Calls: | 6,907 |
Calls today: | 1 |
Files: | 12,376 |
Messages: | 5,427,923 |
Posted today: | 1 |