Linux Group Files Complaint With EU Over SecureBoot

  • #46
    Originally posted by alexcortes View Post
    "You could also (assuming you never plan to boot windows) delete all the microsoft keys from the system. Beware if you decide to do this that some of your UEFI drivers may be signed by microsoft keys, and removing them all may limit the functionality of your UEFI platform. Additionally, any UEFI update to your system is also likely to come signed with the microsoft keys, however, in this case you can put the Microsoft keys back before doing the update."
    You simply include the hashes of the UEFI drivers in your whitelist. I don't know why James thinks firmware updates are likely to be signed with the Microsoft key - I've seen no evidence to support that so far.


    • #47
      Originally posted by Gps4l View Post
      Their systems sure, but not my pc.

      openSUSE supports both, uefi and secureboot.

      But to install suse, you need to go into windows 8, and tell windows to boot from dvd at next start up.

      PC stands for personal computer, not for m$ controlled system.
      Is that really all you need to do? Inform the existing OS that you're about to replace it?

      Actually, brass tacks: if you buy a Windows 8 Secure booted up the wahoozie laptop, what are the actual steps to install, say, Ubuntu?
      That's got to be a common use case.

      Forget the ethics for a moment.
      Assume no contact with Microsoft or between Microsoft and Canonical.

      What are the steps?


      • #48
        Originally posted by sofar View Post
        I've called "UEFI Secure Boot" by a more descriptive name before: "UEFI Validated Boot". In effect, your system isn't secure at all, but at least parts of the boot sequence were *validated* during the boot process. Consequences are:

        - something modifies kernel code during boot? you're pwned
        - something runs in unprivileged mode? you're pwned
        - something modifies your kernel file? you won't be able to boot
        - something attempts to upload a trojan driver? you won't be able to boot or possibly load that driver

        Second, NOTHING, absolutely NOTHING prevents a hardware vendor from shipping a system with UEFI Secure Boot enabled with e.g. Linux and NO Microsoft keys, and instead their own keys or someone else's keys. (hell, YOU can even do this).

        (again, I'm not talking about ARM here)
        One very big part of secure data/system is that you can use your system and get access to your data.


        • #49
          Originally posted by frign View Post
          Given the condition you are _not_ on ARM.
          Read up the facts and don't be a sheep of the system!

          SecureBoot is stealing the users' freedom and should be abandoned asap; the excuse it has been introduced for is a shame to all computer users and the loose conditions for x86_64 are only there to abandon initial criticism.
          And Windows is far from being a monopoly of ARM systems, and just about everyone in the ARM space locks their bootloader in some manner or another.


          • #50
            Originally posted by johnc View Post
            If you're buying a Windows 8-certified PC, that's what you're getting. Don't want it locked down? Don't buy it.

            The idea that a manufacturer doesn't have a right to control their product or try things to make it more secure is kinda absurd.
            The idea of a car which would only accept gasoline made by SHELL is absurd. And if you did not know it, there are tons of laws saying what corporations can do and what they can't do. No company is free to do whatever they want - and $ should never be an exception to this.

            There are tons of used computers in the world. People should be able to install whatever OS on those computers they can legally install. That is what people should be able to do. If they can only install $ on those computers, then the result is a very insecure system in many ways.

            If GNU/Linux would have 98% share of all computers having preinstalled OS, then, I might have a hard time to resist the dark side but rather yell and demand "GIVE US 'SECURE' BOOT authorized by the Big Penguin and give it now!"

            Could be so much fun to say "no, sorry, it is impossible to install $ in that. There should be a switch in BIOS making it possible, but for some very strange reason there is none, and even if the switch would be there it would be very hard and time consuming thing to do so much so that an expert would be needed for it."


            • #51
              There are certain boards that don't have an option to turn off Secure Boot, I saw one being mentioned in one of the previous Secure Boot threads. And actually, there is one mentioned in James Bottomley's post comments, the HP G7 Pavilion.

              I also find this particular complaint to be a bit misguided. Secure Boot, as long as it has a mandatory opt-out option, doesn't really break any laws. The ones breaking it are board manufacturers that ship broken UEFIs, and that's who should be punished for it. About time to do that, too, since BIOS and UEFIs have a long history of being utterly broken.

              The UEFI of the PC I'm currently on couldn't even boot anything off EFI files, as it would cause it to immediately crash. In fact, it wouldn't even recognise EFI files as executable if they were on NTFS partitions. And that's required for the Windows installer to run, even, not Linux. So the neglect there is mind-boggling. Thankfully it was (quietly) fixed in a subsequent update to the UEFI. I've also seen a report that some other UEFIs from the same manufacturer would only boot entries named "Windows Bootloader" or such. Again it was solved in an update, but how they let such issues happen in the first place is beyond me.

              And traditional BIOSes are not much better. Just yesterday I battled with one BIOS just to boot GParted. And I lost, for the moment. That BIOS is so utterly broken that it wouldn't boot off any USB storage whatsoever. Trying to boot GParted results in a black screen with "_" shining in it. And trying to boot something even simpler, like memtest86+, results in... the system immediately rebooting. Yep. I could leave it there, and it would be stuck in an infinite booting loop forever, never getting to the point where it's supposed to try booting the executables in the first place. And that's not all - disabling USB 2.0 makes it ignore attached USB keyboards. It detects USB storage devices, but not keyboards, no, even despite the fact that USB keyboard support is explicitly enabled in the BIOS settings and there is no reason why they couldn't run over USB 1.0. So that's just horrible. I'm not even sure how I'm supposed to update the firmware there, given that it hates USB devices so much.


              • #52
                Originally posted by GreatEmerald View Post
                There are certain boards that don't have an option to turn off Secure Boot, I saw one being mentioned in one of the previous Secure Boot threads. And actually, there is one mentioned in James Bottomley's post comments, the HP G7 Pavilion.
                Don't forget all of the Chrome Books.


                • #53
                  Originally posted by johnc View Post
                  Microsoft should have every right to secure their systems as they see fit. This endless whining over SecureBoot is getting ridiculous.
                  Ok, let them secure.. THEIR systems.

                  NOT MINE!!!!


                  • #54
                    This complaint has zero merit. Microsoft has already clearly mandated in their Win 8 specifications that any OEM which ships a PC preloaded with Win 8 must:

                    - Enable Secure Boot, and
                    - Must provide an option in the UEFI menu to disable AND manage the keys, therefore the user is still in charge of what goes on in the computer.

                    If you got Win 8-preloaded notebooks or PCs lying around without the option to disable SB or manage SB keys, the OEM is the one fully at fault for shipping a machine with a broken UEFI implementation and is in violation of the Windows 8 certification program.

                    Matthew Garrett himself has already specified that UEFI + Secure Boot can also be used in such a way to ensure that no Microsoft operating system can be installed on a machine by simply deleting Microsoft's key in the UEFI board. That's end-user control for you.


                    • #55
                      Originally posted by sofar View Post
                      This is completely incorrect. You don't even have to boot Windows 8 once to install SuSE on a Win8 certified PC. You can go straight into the BIOS setup and disable Secure Boot, delete the platform keys and whatnot (and replace them with your own keys if you wish). This takes 30 seconds, at most.

                      I just did so on two random production laptops last week. Took me literally that - 30 seconds - before I could install a Linux OS.

                      The amount of FUD by folks in this thread is just incredible. Please stop spreading nonsense, and educate yourself.

                      For a good read, go and read Matthew Garrett's blog - http://mjg59.dreamwidth.org/

                      And please, stop repeating nonsense, you're only adding to the misinformation.

                      Don't believe me? Try James Bottomley's HOWTO describing how to own your own system: http://blog.hansenpartnership.com/ow...uefi-platform/
                      Not everybody wants to remove w8.
                      A lot want to dual boot.
                      Go check the openSUSE forum and see for yourself how many people are having problems installing Linux.


                      • #56
                        Originally posted by Sonadow View Post
                        This complaint has zero merit. Microsoft has already clearly mandated in their Win 8 specifications that any OEM which ships a PC preloaded with Win 8 must:

                        - Enable Secure Boot, and
                        - Must provide an option in the UEFI menu to disable AND manage the keys, therefore the user is still in charge of what goes on in the computer.
                        Installing a browser other than IE is much easier than installing cryptographic keys inside a BIOS. And unlike the latter, installing a browser is a fully standardised procedure (so non-Microsoft browser vendors can tell their potential customers "here, perform these steps to install our browser"). Yet, the EU fined Microsoft for almost a billion because even the mere fact of having a default browser installed into every PC was deemed anti-competitive.

                        So this complaint has everything it takes to make Microsoft reconsider their decisions lest they shell out another couple hundred million.


                        • #57
                          Originally posted by droidhacker View Post
                          Ok, let them secure.. THEIR systems.

                          NOT MINE!!!!
                          Microsoft doesn't go into your home and modify YOUR PC to be locked... You most likely buy it already locked, your fault... Choose an unlocked one. Vote with your money.


                          Originally posted by brosis View Post
                          Microsoft console, yes.

                          Personal computer - NO.
                          So, what's the difference EXACTLY? If both come with stickers saying "locked to MS OS" they're the same shit, different OS. Do yourself a favor and choose a non-locked PC.


                          • #58
                            Originally posted by peppepz View Post
                            Installing a browser other than IE is much easier than installing cryptographic keys inside a BIOS. And unlike the latter, installing a browser is a fully standardised procedure (so non-Microsoft browser vendors can tell their potential customers "here, perform these steps to install our browser"). Yet, the EU fined Microsoft for almost a billion because even the mere fact of having a default browser installed into every PC was deemed anti-competitive.

                            So this complaint has everything it takes to make Microsoft reconsider their decisions lest they shell out another couple hundred million.
                            The EU fined MS big over IE because they believed that Microsoft was not playing fair by not informing users that alternatives existed. Honestly, that kind of flawed judgement should not even have had its day on the courts; anybody who uses the Internet will have heard of things like Chrome (especially when accessing Google.com; Google just loves to advertise its Chrome browser in every search) and Firefox.

                            This is not the same case with Secure Boot. Microsoft has already clearly mandated AND publicly announced its requirements that cryptographic keys in Secure Boot must be manageable at the UEFI level by the user if they want to change it. As far as obligations are concerned, Microsoft has already informed its users that Secure Boot is activated in a machine preloaded with Windows 8, and they have every ability to disable or modify Secure Boot any way they see fit if they are so inclined.

                            If a machine does not have such features, shoot the OEM for the broken UEFI implementation, not Microsoft.

                            Lastly, Linux users take pride in being superior to the Windows-using herd, so the only reason they are complaining is either
                            a) it's Microsoft, and any anti-Microsoft news is always great to spread more FUD
                            b) they are too incompetent to change an option in the UEFI menu (barring broken UEFI implementations which the OEM should be 100% responsible for) and just want to use (a) to spread more FUD.

                            Either way I see it, it's FUD, FUD, FUD and more FUD. If it ever goes to court, this will be one of the handful of cases in which I will fully support Microsoft and hope that they win the judgement.
                            Last edited by Sonadow; 03-27-2013, 11:36 AM.


                            • #59
                              The facts are the facts... If they cause you to experience Fear Uncertainty and Doubt then that is the entire problem.


                              • #60
                                It does have merit but beyond your little world

                                Originally posted by Sonadow View Post
                                This complaint has zero merit. Microsoft has already clearly mandated in their Win 8 specifications that any OEM which ships a PC preloaded with Win 8 must:

                                - Enable Secure Boot, and
                                - Must provide an option in the UEFI menu to disable AND manage the keys, therefore the user is still in charge of what goes on in the computer.

                                If you got Win 8-preloaded notebooks or PCs lying around without the option to disable SB or manage SB keys, the OEM is the one fully at fault for shipping a machine with a broken UEFI implementation and is in violation of the Windows 8 certification program.

                                Matthew Garrett himself has already specified that UEFI + Secure Boot can also be used in such a way to ensure that no Microsoft operating system can be installed on a machine by simply deleting Microsoft's key in the UEFI board. That's end-user control for you.

                                Your world may rain, it does not mean others can not enjoy sunshine.
                                Do not think only from your point of view.

                                Plus, please do not talk about technology only from the point of view of technology, but from the reality and all human's abilities.

                                Monopoly can also be that the big company uses some methods which seem fair but eventually lure the market to benefit the company much more than the rival, or can even hurt the rivals.

                                Most times, it is not as simple as 1 + 1. But, we all know that, don't we?

                                Do not play naive, please.
