Linux Group Files Complaint With EU Over SecureBoot


  • #16
    UEFI/secureboot is complete vendor lock-in crap.
    I've been using computers for decades, and I program for a living. I like to think that I know my way around a computer.
    I still had to follow a guide + it took about 2 hours just to get Windows 8 off my laptop and Linux onto it. I had to actually disable UEFI and fall back to legacy BIOS because I couldn't install anything else.

    Absolutely ridiculous.

    Comment


    • #17
      Originally posted by duby229 View Post
      No it was intended to be a vendor lock-in mechanism with the excuse that it would prevent unprotected code from booting. If MS had simply admitted what it was instead of making up an excuse for its existence I doubt it would be as heavily targeted today as it is.

      MS created the excuse and now it is only a matter of time until secureboot is completely compromised with the largest selection of boot viruses the world has ever seen. It would -not- have happened if secureboot never existed. This means that the next generation of viruses are going to be largely OS agnostic. They won't need an OS to function.

      MS is just completely retarded. Everything they do blows up. This isn't going to be any different.
      This is just speculation. Nothing more. You're not helping.

      Comment


      • #18
        Originally posted by peppercats View Post
        UEFI/secureboot is complete vendor lock-in crap.
        I've been using computers for decades, and I program for a living. I like to think that I know my way around a computer.
        I still had to follow a guide + it took about 2 hours just to get Windows 8 off my laptop and Linux onto it. I had to actually disable UEFI and fall back to legacy BIOS because I couldn't install anything else.

        Absolutely ridiculous.
        I'm sure this is a legitimate complaint. There will be many users with this problem. Bottom line is that you succeeded.

        What system was this? Did the vendor provide documentation to you? Did you contact the vendor support line?

        Comment


        • #19
          Originally posted by sofar View Post
          I have not yet heard from something like that.

          Intel is one of the companies working on UEFI, and therefore UEFI Secure Boot. As I said, ARM Secure Boot is something completely different as far as I know.



          UEFI Secure Boot has nothing to do with Windows 8, which is what gets people confused.

          I've called "UEFI Secure Boot" by a more descriptive name before: "UEFI Validated Boot". In effect, your system isn't secure at all, but at least parts of the boot sequence were *validated* during the boot process. Consequences are:

          - something modifies kernel code during boot? you're pwned
          - something runs in unprivileged mode? you're pwned
          - something modifies your kernel file? you won't be able to boot
          - something attempts to upload a trojan driver? you won't be able to boot or possibly load that driver

          Second, NOTHING, absolutely NOTHING prevents a hardware vendor from shipping a system with UEFI Secure Boot enabled with e.g. Linux and NO Microsoft keys, and instead their own keys or someone else's keys. (hell, YOU can even do this).

          (again, I'm not talking about ARM here)

          Except that it is MS that issues keys. If I can use... say Red Hat's key (that was issued from MS).... for a livedvd that I publish, what would prevent a bootloader virus from using the exact same key?

          And that is my point. It isn't speculation. It's fact.

          Comment


          • #20
            To clear things up

            Originally posted by sofar View Post
            I have not yet heard from something like that.

            Intel is one of the companies working on UEFI, and therefore UEFI Secure Boot. As I said, ARM Secure Boot is something completely different as far as I know.



            UEFI Secure Boot has nothing to do with Windows 8, which is what gets people confused.

            I've called "UEFI Secure Boot" by a more descriptive name before: "UEFI Validated Boot". In effect, your system isn't secure at all, but at least parts of the boot sequence were *validated* during the boot process. Consequences are:

            - something modifies kernel code during boot? you're pwned
            - something runs in unprivileged mode? you're pwned
            - something modifies your kernel file? you won't be able to boot
            - something attempts to upload a trojan driver? you won't be able to boot or possibly load that driver

            Second, NOTHING, absolutely NOTHING prevents a hardware vendor from shipping a system with UEFI Secure Boot enabled with e.g. Linux and NO Microsoft keys, and instead their own keys or someone else's keys. (hell, YOU can even do this).

            (again, I'm not talking about ARM here)
            OFC UEFI SecureBoot doesn't have anything directly to do with Win8, because Intel developed it in the first place. But now comes the magic: Guess which software company forces its hardware-partners to use their keys in order to keep their Windows 8-license? I hope you didn't struggle to find this out.

            And to be realistic, surely everybody can be his own key-publisher, but this imposes two fundamental problems:
            - No hardware vendor goes Linux only (and I am not talking about sporadic Linux-machines)
            - How much sense does this make, when everyone is free to author those keys? The end-users don't care and if the system hadn't been broken already, it would still suffer from fundamental problems in regards to actually securing the system.

            I might have been not clear enough, but I know of the non-security of SecureBoot. Most attacks don't even focus on modifying the bootloader, and even if you tried, it is very hard to actually achieve something with it. The days are over when you wrote viruses to just break someone's computer by messing up his MBR.
            Today, when you write a virus, you want to set up a botnet. And setting up a botnet is easiest by sneaking into a system without changing too much (speaking of boot parameters) and staying in userspace.

            Talking of userspace, this is where Microsoft lacks today: Windows didn't change fundamentally in regards to their security: I guess, instead of working on security more thoroughly they rather focus on cementing their monopoly in the interest of a feigned "security" to shut the users up.

            Comment


            • #21
              Originally posted by duby229 View Post
              Except that it is MS that issues keys. If I can use... say Red Hat's key (that was issued from MS).... for a livedvd that I publish, what would prevent a bootloader virus from using the exact same key?

              And that is my point. It isn't speculation. It's fact.
              This isn't entirely correct, as you can create keys that bear no relation to Microsoft yourself. Red Hat is choosing however to have Microsoft sign their keys, which is a *convenience*, but arguably politically problematic as people have pointed out - Microsoft could revoke the certificate for Red Hat afterwards.

              But you can really, really remove all control that Microsoft has over your own system. That would make that bootloader virus also not work.

              Comment
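
To check which keys a given machine actually trusts, as discussed in the post above, the Secure Boot `db` variable can be decoded. This is an added example, not code from any poster in this thread; the owner GUID and sample bytes are constructed, and the parser assumes the EFI_SIGNATURE_LIST layout from the UEFI specification as exposed through Linux efivarfs.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def split_efivar(blob):
    """Split an efivarfs file into (attributes, payload)."""
    if len(blob) < 4:
        raise ValueError("efivarfs file shorter than its attribute word")
    return struct.unpack_from("<I", blob)[0], blob[4:]

def parse_signature_lists(payload):
    """Return [(type, owner GUID, data length), ...] for a PK/KEK/db payload."""
    entries, off = [], 0
    while off < len(payload):
        if len(payload) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(payload, off)
        body, end = off + HEADER.size + hdr_size, off + list_size
        if body > end or end > len(payload) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=payload[pos:pos + 16])
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), str(owner), sig_size - 16))
        off = end
    return entries

def build_list(sig_type, owner, datas):
    """Build one EFI_SIGNATURE_LIST (used only to construct the sample below)."""
    body = b"".join(owner.bytes_le + d for d in datas)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, 16 + len(datas[0])) + body

# Constructed sample: one placeholder "certificate" and two hashes, made-up owner GUID.
# On a real system: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
X509, SHA256 = list(SIG_TYPES)
SAMPLE_DB = struct.pack("<I", 0x27) + build_list(X509, OWNER, [b"\x30" * 64]) \
    + build_list(SHA256, OWNER, [b"\xaa" * 32, b"\xbb" * 32])

if __name__ == "__main__":
    print(parse_signature_lists(split_efivar(SAMPLE_DB)[1]))
```

The owner GUID on each entry shows who enrolled it, so a `db` with no entries from a given vendor no longer trusts binaries signed only by that vendor.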


              • #22
                Originally posted by sofar View Post
                This isn't entirely correct, as you can create keys that bear no relation to Microsoft yourself. Red Hat is choosing however to have Microsoft sign their keys, which is a *convenience*, but arguably politically problematic as people have pointed out - Microsoft could revoke the certificate for Red Hat afterwards.

                But you can really, really remove all control that Microsoft has over your own system. That would make that bootloader virus also not work.
                But then it is just a matter of building a list of keys. Much like how Blu-ray has been hacked. Bob Homegrown trying to install Ubuntu on his new Dell laptop isn't going to have the knowledge to do what you suggest he should be able to do. But there is a large hacker community hard at work even as we speak. A large hacker community that wouldn't have anything to do had Secureboot not given them something to target. The problem with shit like Secureboot is that all it effectively does is get in the way of the end user that doesn't have the skill to know any better and provides a target for individuals with the skill to target it.

                The point still holds.
                Last edited by duby229; 03-26-2013, 07:28 PM.

                Comment


                • #23
                  Originally posted by frign View Post
                  - No hardware vendor goes Linux only (and I am not talking about sporadic Linux-machines)
                  now that's a problem I'd like to see solved.... :^)

                  Originally posted by frign View Post
                  Talking of userspace, this is where Microsoft lacks today: Windows didn't change fundamentally in regards to their security: I guess, instead of working on security more thoroughly they rather focus on cementing their monopoly in the interest of a feigned "security" to shut the users up.
                  I hear you.

                  While UEFI Secure Boot doesn't make (windows) more secure (because it's full of holes), nothing says that it can't help make (linux) more secure by allowing people to prevent their systems from booting unauthorized OS's.

                  Comment


                  • #24
                    Originally posted by duby229 View Post
                    But then it is just a matter of building a list of keys. Much like how Blu-ray has been hacked. Bob Homegrown trying to install Ubuntu on his new Dell laptop isn't going to have the knowledge to do what you suggest he should be able to do.

                    The point still holds.
                    If you know one of Microsoft's keys, you can own many systems, yes. But you still won't be able to own the systems that have Microsoft's keys removed altogether.

                    Comment


                    • #25
                      Originally posted by sofar View Post
                      This is complete nonsense, and factually incorrect. Please stop spreading FUD, you are completely wrong here.
                      Is personal computer architecture the same as a proprietary console? No, it's not. Hence constant fear - first IBM, then MS, to be caught at monopoly. Personal computers uphold special place.

                      Does secure boot give control to hardware owner?... No, it gives control to manufacturer to decide what is allowed or what not. The proof is that Microsoft primarily uses secure boot to bind its OS to hardware as a form of anti-piracy and, at the same time, to make it much more difficult for people to try or install other OS, because w8 is a failure (Gaben). One is also required to sign up with Microsoft in order to get any boot keys for own kernels.

                      In order to secure the boot process, the secure cards and TPM chips with according interfaces were long available and are under full control of the user of hardware, unlike "secure boot".

                      Comment


                      • #26
                        Originally posted by sofar View Post
                        If you know one of Microsoft's keys, you can own many systems, yes. But you still won't be able to own the systems that have Microsoft's keys removed altogether.
                        I edited my post with additional information after you quoted me. Just saying that if someone that didn't have the knowledge to do what you suggest wanted to do it, they would be SOL. And that is the problem with Secureboot. It doesn't help average computer users. It doesn't effectively do anything for most folks except lock them in to MS issued keys. Those folks that have the knowledge to do something about it are. It's just like any other Restriction management system.

                        It impedes the end user from doing what they have the right to do, and does nothing at all to prevent unwanted usage scenarios by people with questionable scruples that have the knowledge to do what they want.
                        Last edited by duby229; 03-26-2013, 07:41 PM.

                        Comment


                        • #27
                          SecureBoot for Linux?

                          Originally posted by sofar View Post
                          now that's a problem I'd like to see solved.... :^)



                          I hear you.

                          While UEFI Secure Boot doesn't make (windows) more secure (because it's full of holes), nothing says that it can't help make (linux) more secure by allowing people to prevent their systems from booting unauthorized OS's.
                          Now please tell me when this case would apply in the GNU/Linux-world.
                          Unless you really have direct, immediate access to the computer, there is no real way to modify the MBR, because it would require the attacker to use a variety of 0day-exploits (if existent) to actually access the file system.
                          This model in combination with the little market share and _high_ security of un*x-systems renders the pain of SecureBoot-licensing too high and inefficient and rather encourages to remove this abomination to human kind as soon as possible.

                          Comment


                          • #28
                            Originally posted by sofar View Post
                            I'm sure this is a legitimate complaint. There will be many users with this problem. Bottom line is that you succeeded.

                            What system was this? Did the vendor provide documentation to you? Did you contact the vendor support line?
                            The vendor support will say - we support Windows only.
                            Windows only support means - Microsoft certification is required.
                            Microsoft certification means - need secure boot.
                            Secure boot means - we control what you can boot.

                            To prove me wrong, try to boot what you own on "secure boot" enabled system without contacting or contracting Microsoft.

                            True secure boot would mean - user is able to dictate firmware the CRC for any piece of software he uses, as well that chain loading process is well documented and transparent.
                            Currently UEFI is a mess and Microsoft controls what user can boot.

                            Comment


                            • #29
                              adelante cabrones fuck them in their microsoft asses

                              http://www.hispalinux.es/node/758



                              it actually can amount to something because we all broke in europe now and I bet the EU commission would welcome the chance to get some more m$ dollars

                              if they can get 700 million euros for the browser thing they can probably get a couple of million for secure boot


                              and you all just shut the fuck up... microsoft using this uefi shit for security is like a aids ridden diseased crackwhore that raw dogs for $10 asking for a clean needle before injecting

                              Comment


                              • #30
                                Originally posted by phoronix View Post
                                Phoronix: Linux Group Files Complaint With EU Over SecureBoot

                                The Hispalinux Spanish Linux association has filed a complaint against Microsoft with the European Union over the UEFI SecureBoot...

                                http://www.phoronix.com/vr.php?view=MTMzNjc

                                Why are these cases always fought in the EU and never the US? Doesn't America have anti-competitive laws too?

                                Comment
