The State Of Linux Distributions Handling SecureBoot

  • The State Of Linux Distributions Handling SecureBoot

    Phoronix: The State Of Linux Distributions Handling SecureBoot

    For those of you curious about the state of available Linux distributions that can handle UEFI SecureBoot on modern PCs certified for Microsoft Windows 8, here's a run-down of the most common Linux environments and their SecureBoot friendliness...

    http://www.phoronix.com/vr.php?view=MTI2MzI

  • #2
    So if I read that correctly it more or less states that MS gets to decide which Linux distros can boot on your shiny new computer..... can I say that's fucked up?


    • #3
      Isn't the signing only about the bootloader? I mean, do the bootloaders require the kernel to be signed as well? Maybe that can be turned off or something. I read some stuff about this, but it's unclear from there to me...

      If the answer is yes, then I foresee no more problems.

      If the answer is no, I hope the EU will file lawsuits against whoever is forcing this insanity upon us. Free market? Yeah whatever...

      'Some are more equal than others' (George Orwell, Animal Farm) springs to mind...

      Oh and umm, did anyone ever encounter a virus that works its way in through the bootloader/kernel? Most stuff I encounter is because of a leak in a browser plugin :/ . Or is SecureBoot just the beginning? Eventually everything has to be signed and verified?


      • #4
        Originally posted by Rexilion
        Isn't the signing only about the bootloader? I mean, do the bootloaders require the kernel to be signed as well? Maybe that can be turned off or something. I read some stuff about this, but it's unclear from there to me...
        Define "require". There's no additional security if you permit unsigned kernels, and if your bootloader is signed by Microsoft then it may be considered a violation of the agreement that you signed with them. You're certainly at risk of having your signature blacklisted. If you require explicit user intervention before booting unsigned kernels, then that's fine.

        Oh and umm, did anyone ever encounter a virus that works its way in through the bootloader/kernel? Most stuff I encounter is because of a leak in a browser plugin :/ . Or is SecureBoot just the beginning? Eventually everything has to be signed and verified?
        The bootloader's not an avenue of initial compromise, but it makes it possible to make the compromise persistent and almost impossible to remove.


        • #5
          MS needs to worry about IE's vulnerabilities before they need to worry about the Linux kernel's vulnerabilities. This secureboot shit is asinine. I'll never use win8 just because of this crap.


          • #6
            Originally posted by duby229
            MS needs to worry about IE's vulnerabilities before they need to worry about the Linux kernel's vulnerabilities. This secureboot shit is asinine. I'll never use win8 just because of this crap.
            They're not worried about the Linux kernel's vulnerabilities.


            • #7
              So then stop fuckin with our shit then.


              • #8
                Originally posted by duby229
                So then stop fuckin with our shit then.
                What's the difference between an unsigned Linux kernel and an unsigned trojaned Windows bootloader?


                • #9
                  MS's problem not ours.


                  • #10
                    Originally posted by duby229
                    MS's problem not ours.
                    And a problem they've solved in the only way that it's possible to solve it.


                    • #11
                      Explain to me how preventing Linux from booting does anything, anything at all to help MS security situation?

                      They didn't fix shit. All they did was fuck us. And they did it knowing what they were doing.


                      • #12
                        I am not buying any shitty motherboard with secureboot. In fact, this thing is just crying for a lawsuit!


                        • #13
                          Originally posted by duby229
                          Explain to me how preventing Linux from booting does anything, anything at all to help MS security situation?
                          If your bootloader is compromised, you can no longer trust your running kernel. And if you can't trust your running kernel, you have no way of determining whether your machine has been compromised. That means that any security breach that would normally have been detected and fixed when you updated your system can instead remain there until you either boot off recovery media or replace your hard drive.

                          Security is about layers. It's obviously better to prevent a system compromise in the first place, but software has bugs and it's inevitable that some of those will end up being security bugs. Linux isn't a special case here - check any distribution's security updates and you'll see that there's no shortage of remotely-exploitable bugs that permit arbitrary code execution. The sensible thing to assume is that at some point a bad guy will find one you don't know about and exploit it before you've fixed it. That means you need to reduce the damage that that compromise can do. SELinux and AppArmor are mostly protective technologies, not preventative technologies - both exist to reduce the damage that arbitrary code can do. Secure Boot is another example of a protective technology. It doesn't prevent an initial compromise, but it reduces the damage that that initial compromise can do.

                          But for that to be useful, you need to know that the code you're executing is trusted. There's two ways of handling that - you either have the user explicitly tell you what's trusted (including letting the user tell you to trust everything), or you trust a third party to tell you what's trustworthy. Microsoft's implementation on x86 permits both. You can disable Secure Boot or install your own keys, or you can just assume that everything signed by Microsoft is valid.

                          They didn't fix shit. All they did was fuck us. And they did it knowing what they were doing.
                          Yeah, we're so fucked that there's already mainstream Linux distributions that boot out of the box on Secure Boot systems.
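
Added example (not part of the post above or of the Phoronix article): the choices described in post #13, Secure Boot enforced, disabled, or firmware in setup mode waiting for user-installed keys, can be read on a running Linux system from the firmware variables the kernel exposes through efivarfs. The state names and helper functions are this example's own, and `constructed_dir` builds constructed sample variables so the logic can be exercised on any machine.

```python
import os
import struct
import tempfile

# GUID of the UEFI global-variable namespace that holds SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_efivar(raw):
    """An efivarfs file is a 4-byte little-endian attribute mask, then the data."""
    if len(raw) < 5:
        raise ValueError("truncated efivarfs entry")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]

def read_flag(efivars_dir, name):
    """Return the first data byte of variable `name`, or None if it is absent."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            _, data = parse_efivar(fh.read())
    except FileNotFoundError:
        return None
    return data[0]

def secure_boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Classify the platform; the state labels are this example's own naming."""
    if not os.path.isdir(efivars_dir):
        return "not-uefi"        # legacy BIOS boot or efivarfs not mounted
    if read_flag(efivars_dir, "SetupMode") == 1:
        return "setup-mode"      # no platform key enrolled: user can install keys
    if read_flag(efivars_dir, "SecureBoot") == 1:
        return "enforcing"       # only binaries trusted by the enrolled keys boot
    return "disabled"            # variable is 0 or missing: nothing is verified

def constructed_dir(secure, setup):
    """Build a throwaway directory of constructed sample variables."""
    d = tempfile.mkdtemp()
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        with open(os.path.join(d, f"{name}-{EFI_GLOBAL_GUID}"), "wb") as fh:
            fh.write(struct.pack("<IB", 0x06, val))  # attrs: boot + runtime access
    return d

if __name__ == "__main__":
    print(secure_boot_state())
```
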


                          • #14
                            Originally posted by crazycheese
                            I am not buying any shitty motherboard with secureboot. In fact, this thing is just crying for a lawsuit!
                            Under which law?


                            • #15
                              Next step?

                              Microsoft has been going around spreading FUD about them owning Linux "intellectual property" (lol) and patents.

                              Maybe the next step is, they only sign those who pay to license their patents. Some kind of extortion.
