Hi,

Sorry for bad news but I have to write this to notice you something:

I read some time ago this Windows 8's locked bootloaders: much ado about nothing, or the end of the world as we know it?

Was though, nah, this will not happen soon, well guess what, it does, and even worst!
Lemme explain, at that time I though well in best cases vendors will allow us to disable that check, after all how many use Windows 7 now?
Most companies still use Windows XP or worst cases Vista.

But vendors are not us, and after they saw that amount of hacking we do on UEFI they fight back, the result, at least on board I tested(ASUS z77) any change made to BIOS will result in BIOS flash fail with security check!

Tried leaked AMIBCP, MMTool or Andy's tool, even a small mod will fail with security check.

OK, we may bypass that at some point, but at least for me, this does not look good, and may be THe END.

You have been warned...

There are two things here: 1) protecting/signing bios to allow to flash only signed one and 2) protecting boot environment by allowing loading only drivers/loaders that are properly signed, right?

So, you are saying that moded BIOS can not be flashed any more (1). And the article says that "x86 Windows 8 systems must also allow secure boot to be turned off completely, so that no certificate verification is performed at all." (2).

Meaning, no BIOS mods, but software "mods" will be possible?

Yes, I didn't tried other ways to flash it yet, just built in tool.
-Inserted UEFI Shell with AMI MMTool/Andy, replaced logo with AMI ChangeLogo, security check fail
-Enabled a hidden menu/option with AMIBCP, security check fail

So for me is clear that now BIOS is signed, and if we don't find a way to bypass that we are back on the age where we beg vendors to enable or fix something...
And this is the first step, next is what is described in that article.

The article seems to suggest that this is only a concern on ARM right now, and goes on to say that x86, whether BIOS/EFI/UEFI/etc, will still allow 'custom' mode where you basically run your hardware as you see fit. I don't think desktops and professional workstations will be ARM'd anytime soon (if ever)

dmazar did understand my bad English, after all is not my native tongue...
Yes what they did now was to protect/sign the UEFI BIOS to allow to flash only signed one.
What they will do is to protect boot environment by allowing loading only drivers/loaders that are properly signed.
And NO, this will not be a concern for ARM only, as I know 'Vendors' they will not include the option to disable secure boot unless they will be forced...

When the second step will be accomplished we can say goodbye to the 'hacking' as we know it now...

Threr are indeed 2 things here: Microsoft's desire to stop windows piracy, and their desire to stop "other OS'es" (linux, basically) It has already been shown that microsft has great infuence over hardware vendors and has used this in the past to make bios'es "linux-unfriendly" which led, in some part, to acpi table patching as we know it today. We must also rem,ember that the most common form of windows "crack" in use today is a SLIC-injecting bootloder that emulates an OEM licence. by requiring a signed UEFI environment for "certification" at both the hardware and boot environment level, they can achieve both things at once, without affecting the "average windows user" in any noticeable degree..

it's ironic to think that this started as an open standard to allow greater possibilities with newer hardware than was afforded by the ancient BIOS, and like so many other things these days, it is being subverted to prevent openness and competition in the name of copyright.

Not so big deal anymore, we have flashrom working!