Three PC Brands Where SecureBoot On Linux Is Botched


  • Three PC Brands Where SecureBoot On Linux Is Botched

    Phoronix: Three PC Brands Where SecureBoot On Linux Is Botched

    Matthew Garrett has written a new article summarizing the state of UEFI/SecureBoot on Linux. Overall, the situation isn't good if you're using hardware from one of three major vendors...

    http://www.phoronix.com/vr.php?view=MTI4OTc

  • #2
    Apropos Lenovo: Y and Z-series notebooks need an ugly ACPI hack to enable Nvidia Optimus.


    • #3
      Except for the Toshiba case, the two other issues are just UEFI bugs (like many BIOS bugs we've seen before) that are not related to Secure Boot.


      • #4
        Sorry, couldn't resist. Make sure you read the title of the comment first.


        • #5
          Are you still able to disable secureboot altogether for these machines?

          Last time I heard, using secureboot was optional and one could disable it from BIOS settings. Is this still the case, and does it apply for these vendors?


          • #6
            Originally posted by RussianNeuroMancer
            Except for the Toshiba case, the two other issues are just UEFI bugs (like many BIOS bugs we've seen before) that are not related to Secure Boot.
            Yes, but if the BIOS bugs don't break Windows then they get binned as "low-priority".

            I remember it took HP 4 months to fix their Envy series when it was released due to having huge empty holes or downright incorrect data in their ACPI tables which caused tons of problems on both linux and Windows... Much more so for linux for some reason or another, possibly because HP had tried to fix up some of the problems with their own custom driver patches for Windows to work-around a broken ACPI... Keep in mind, the Envy lineup is HP's consumer flagship product.. What did HP say? They said if you want to run linux you need to buy a "business-class laptop" such as the Pro-books or Elitebooks as linux isn't supported on their "home"/"consumer" models. These laptops can cost almost $1000 more for the exact same specs.

            Granted, I've heard that HP actually provides fantastic US-based hardware support (including BIOS problems) for the Probooks and Elitebooks under linux.


            I'm running a Dell Inspiron 15R Special Edition now and it runs Linux rock solid.. A couple of multimedia buttons don't work ("dell_wmi: unknown key").. The key presses don't make it past X and don't appear to generate ACPI events either (nothing from acpi_listen)

            The touchpad LED also didn't work by default, but that was just a matter of tweaking a script and getting it to run without prompting for a root password.. Now all documented in the wiki for my laptop.

            Everything else on the laptop works flawlessly out of the box.
            Last edited by Sidicas; 02-01-2013, 05:22 AM.


            • #7
              Originally posted by M1kkko
              Last time I heard, using secureboot was optional ...
              There seems to be a belief that secureboot has no value to Linux users (I'm not saying you share that). However it does have value and I wish I could use it everywhere. You could then be reassured that only operating systems and their kernels that you allow to run are in fact what is running. There has to be an unbroken chain of trust starting at the BIOS through the bootloaders, kernels and modules to establish that.

              As a concrete example, I use dmcrypt on my laptop. I have to make /boot a separate unencrypted partition so that the kernel and initrd can be loaded into memory and executed by the BIOS. The initrd then asks for the encryption keys and is able to mount the root filesystem etc. You could trivially change the kernel on that partition and there is no way I would even know. The replacement could capture the encryption keys without me realising.

              If you manage a whole bunch of servers in a data centre, it would again be nice to know that only kernels you authorise can run on the systems.
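
An added example, not part of the post above and not code from any project mentioned in this thread: one way to notice that a file on an unencrypted /boot has been swapped is to keep a SHA-256 manifest of it on the encrypted root and compare after unlocking. The file names, the manifest name and the sample contents are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(boot_dir):
    """Map each file under boot_dir (relative path) to its SHA-256 digest."""
    root = Path(boot_dir)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def save_baseline(boot_dir, manifest):
    """Record the known-good state; keep the manifest on the encrypted root."""
    Path(manifest).write_text(json.dumps(hash_tree(boot_dir), sort_keys=True))


def check_boot(boot_dir, manifest):
    """Compare the current /boot contents with the recorded baseline."""
    old = json.loads(Path(manifest).read_text())
    new = hash_tree(boot_dir)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def demo():
    """Constructed sample: a fake /boot whose kernel is swapped after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp, "boot")
        boot.mkdir()
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "initrd.img").write_bytes(b"constructed initrd")
        manifest = Path(tmp, "boot.manifest.json")  # would live on the encrypted root
        save_baseline(boot, manifest)
        (boot / "vmlinuz").write_bytes(b"constructed replacement kernel")
        return check_boot(boot, manifest)


if __name__ == "__main__":
    print(demo())
```

This check runs after the kernel in question has already booted and the passphrase has been typed, so it reports a swap rather than preventing one. Verifying the kernel before it executes is the part only a boot-time chain of trust can provide.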


              • #8
                Originally posted by grotgrot
                There seems to be a belief that secureboot has no value to Linux users (I'm not saying you share that). However it does have value and I wish I could use it everywhere. You could then be reassured that only operating systems and their kernels that you allow to run are in fact what is running. There has to be an unbroken chain of trust starting at the BIOS through the bootloaders, kernels and modules to establish that.

                As a concrete example, I use dmcrypt on my laptop. I have to make /boot a separate unencrypted partition so that the kernel and initrd can be loaded into memory and executed by the BIOS. The initrd then asks for the encryption keys and is able to mount the root filesystem etc. You could trivially change the kernel on that partition and there is no way I would even know. The replacement could capture the encryption keys without me realising.

                If you manage a whole bunch of servers in a data centre, it would again be nice to know that only kernels you authorise can run on the systems.
                Yes, I imagine this going all the way through signed java browser plugins... and they are safe! am I right? ...


                • #9
                  Originally posted by M1kkko
                  Last time I heard, using secureboot was optional and one could disable it from BIOS settings. Is this still the case, and does it apply for these vendors?
                  Yes, it is. That will likely change in the next few years though.


                  • #10
                    Originally posted by TheLexMachine
                    Yes, it is. That will likely change in the next few years though.
                    I think the most likely scenario is that the option to disable it remains present, but Windows 9 or 10 will refuse to "activate" unless it's enabled. Not so much for Microsoft's sake (they'd rather have you using an illegal Windows system than a legal Linux system), but rather to enforce restrictions on Windows Store apps.


                    • #11
                      I recommend drinking
                      Way ahead of you, Mr. Garrett..


                      • #12
                        Originally posted by RussianNeuroMancer
                        Except for the Toshiba case, the two other issues are just UEFI bugs (like many BIOS bugs we've seen before) that are not related to Secure Boot.
                        +1 this. The headline of the article is incorrect. These are UEFI issues, not Secure Boot issues.


                        • #13
                          Originally posted by Ex-Cyber
                          I think the most likely scenario is that the option to disable it remains present, but Windows 9 or 10 will refuse to "activate" unless it's enabled. Not so much for Microsoft's sake (they'd rather have you using an illegal Windows system than a legal Linux system), but rather to enforce restrictions on Windows Store apps.
                          If we're ever going to see a Windows 9, that is... if Microsoft doesn't simply go bankrupt before they manage to release the next Windows, that is.


                          • #14
                            What does this mean for installing/booting Linux on Samsung laptops?

                            This is probably a "dumb question" -- but I am not clear on the point:

                            Since this "samsung-laptop" driver is not usable, what happens when someone tries to install (or boot) Linux on an affected Samsung laptop, without using that driver?

                            (or for that matter, on unaffected ones)?

                            Is there a more generic driver as fall-back?
                            Does the boot just hang?


                            • #15
                              Originally posted by Bernard Swiss
                              This is probably a "dumb question" -- but I am not clear on the point:

                              Since this "samsung-laptop" driver is not usable, what happens when someone tries to install (or boot) Linux on an affected Samsung laptop, without using that driver?

                              (or for that matter, on unaffected ones)?

                              Is there a more generic driver as fall-back?
                              Does the boot just hang?
                              Certain things may not work, such as multimedia keys or maybe suspend or key-based backlight control. Really depends on just how much hardware control is samsung-specific and therefore how much of "normal" control is altered by samsung-laptop. I know on Dell systems if you don't boot with dell-laptop then suspend and backlight can be f*cked up.
