
And how do you trust and inspect that the Windows you got installed when you bought the laptop is genuine without any modifications anyways?

The Ubuntu USB key you are booting is safer than what you already got installed...



Funny thing here is that the feature OP stumbled upon, Device Guard, does prevent quite a few different malware preinstallation methods. Including the infamous Lenovo one.


This is ridiculous. Lenovo controls all the preinstalled software as well as the drivers that are shipped with the device. Any of them could install a Superfish-like thing at any point.


They may control those parts, but Device Guard won't let you install most rootkits. Starting from Secure Boot and Virtualization Based Security ending with Trusted Boot, the system should be capable of rejecting unsigned privileged components and remain secure. Then an AV is probably capable of detecting and removing actual malware.

Still not perfect, but way better than without.


Superfish was not a kernel rootkit by any measure of the word. You just have to install a new CA then an NDIS filter, neither of these is either a rare or even blocked operation since they are required for preinstalled software such as drivers or even an AV. There would be absolutely no difference on whether you used Secure Boot or not.

But worst of all: Superfish was actually _signed_ itself. MS has improved the level of vetting they do now, especially for kernel drivers, but how come anyone can still claim with a serious face that a signature requirement from one CA specifically improves security against malware _from that CA_ (or their associates)?


> Superfish was not a kernel rootkit by any measure of the word.

I didn't say it was, you kinda ignored the context. The person who I replied to was asking how can they trust their Windows is genuine, I replied to them that the feature causing a stir here does protect against some types of malware.

It's a fair assumption that the next thing akin to Superfish would try to implant itself deeper, if given the chance. Device Guard does eliminate some of those ways.

> for preinstalled software such as drivers

If that driver is actually malicious, then Early-Launch Antimalware, alongside the kernel being protected, can get rid of it.

> There would be absolutely no difference on whether you used Secure Boot or not.

I wasn't talking exclusively about Secure Boot.

> But worst of all: Superfish was actually _signed_ itself.

Sure, now there's a toggle that won't trust some signatures that aren't as heavily vetted (amongst many other things). How is that "ridiculous" or "won't make a difference"? Are you just looking for a reason to argue?


OK. You literally said:

> [Device Guard] does prevent quite a few different malware preinstallation methods. Including the infamous Lenovo one.

Which is the infamous Lenovo malware "preinstallation method"?

How would a signature system have prevented malware that was literally signed by Lenovo _and_ MS from being preinstalled on a Lenovo OEM image shipped with Lenovo hardware?


> OK. You literally said:

Yes, and I didn't call it a "kernel rootkit" as you said I did.

> How would a signature system have prevented a malware that was literally signed by Lenovo _and_ MS from being preinstalled on a Lenovo OEM image?

Because AFAIK Device Guard sets limitations to what WPBT can do. Not to mention it's likely that additional kernel and boot integrity helps against all types of malware.


Superfish was never shipped with WPBT (it was preinstalled), so please do make explicit which malware you are referring to.


> And how do you trust and inspect that the Windows you got installed when you bought the laptop is genuine without any modifications anyways?

Lenovo does that for you

They are legally responsible.

> The Ubuntu USB key you are booting is safer than what you already got installed...

Have you read my post?

I use Linux, I'm writing from Debian, on a Lenovo laptop.

It took 10 seconds to allow Linux to boot.


> I use Linux, I'm writing from Debian, on a Lenovo laptop.

> It took 10 seconds to allow Linux to boot.

On this specific Z13? Or another model, which wasn't "improved" yet?


it's simply a matter of disabling secure boot.

10 seconds at most.

no need for being sarcastic.


And that's exactly the wrong solution.

I do want to use secure boot and TPM2 (I do, currently). Just not with Windows. Why should secure boot be a Windows-exclusive feature? Until now, it wasn't.

There was no sarcasm.


> And that's exactly the wrong solution.

it's a solution

it's only a matter of choice, there's no wrong choice, choices are personal.

You're complaining about something that's very easy to overcome.

> I do want to use secure boot and TPM2 (I do, currently). Just not with Windows

You can.

just disable device guard.

> Why should secure boot be a Windows-exclusive feature?

you are angry about the wrong thing

device guard and secure boot are different things, related, but different.


It is not a solution, it is a bad workaround.

> device guard and secure boot are different things, related, but different.

The problem is that it can have a potentially catastrophic impact. If the user enabled BitLocker, and didn't save the recovery key (it will happen for mainstream users), he can lose his Windows drive when he tries Linux.

As I wrote above, another extra hop for those who would like to go off the beaten Windows path.


> It is not a solution, it is a bad workaround.

it's a configuration option.

it's a bad workaround for you.

I disagree.

> If the user enabled BitLocker, and didn't save the recovery key

then the user is responsible for being incautious.

case closed.


> then the user is responsible for being incautious.

Congratulations, you just invalidated the entire raison d'être of both Secure Boot and this new Device Guard.



