Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2

  • #11
    Could Canonical be leading its Users slowly into the abyss?

    Personally I think signed operating systems are putting all their eggs in one basket when considering boot layer attacks. Get attacked and your whole system will be non-loadable and unlikely to be repaired without special (costly) certificate access.



    • #12
      One thing that is sure is that computer companies with an agenda will try to push users into cloud computing, so there could be a conspiracy to make personal local storage prone to problems. If people start getting attacked at the boot layer, then people will be moving their data to storage providers, à la storage clouds, à la a paid service, and data mined.



      • #13
        Also, on the subject of keys and the GPL3, it says:

        "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.


        So suppose I sell you a device which will only run a binary signed by me. You can ask me for the code and everything necessary for you to install a modified version of the code. I can generate a personal key for you, and send you instructions for how to add that key to the device (equally I could tell you how to generate your own key). You can then run your modified version, and I have kept my key secure.

        Surely that satisfies the GPL3.

        Surely I would only have to give you my key if you were unable to modify the keys on the device.

        There are 2 reasons to make hardware only run signed code. Lock down for the manufacturer's benefit, and security for the user's benefit. One is bad, one is good. Microsoft might have a strong interest in blurring the 2 issues. But the GPL only disallows the first.



        • #14
          Originally posted by ssam View Post
          When I get some UEFI hardware I will put my own key on it. Then I can run whatever I want. And I can be sure it will only run stuff I signed. Sounds pretty handy for me. (Though as I am unlikely to audit all the code that I'd sign, I am probably not much more secure than currently.)

          Of course most folk don't want to mess around in their BIOS, so I am glad that the major distros work with the default keys.

          (If someone makes some hardware where I cannot change the key then I would not buy it.)
          Nobody can be forced to buy UEFI hardware with pre-installed MS or Ubuntu etc. I hope.



          • #15
            What? Why not implement a very simple bootloader that chainloads Grub2 from the partition? This loader can be very simple, all menus and FS support etc. will still be done by Grub2. And the big advantage: Everybody can use it to launch their favorite *actual* bootmanagers or kernels. And it's so damn simple it will never have to be modified.



            • #16
              Originally posted by disi View Post
              Nobody can be forced to buy UEFI hardware with pre-installed MS or Ubuntu etc. I hope.
              The real problem is there: the manufacturer does whatever he wants. You want an example? I bought an Asus 1215N with Optimus, and in the first 14 days, according to my country's legislation, if I have a really good reason (I've just summarized this part), I can send back what I bought and have a new one or just a refund.

              The problem is that when I tried to get a new one, the reason I told them was that I was using Linux and Optimus isn't compatible, so they contacted Asus and the answer was a simple and pure no, because the material was only made for Windows.

              The UEFI thing will be the same, they will request a signed OS with a signed kernel etc... and if you don't have that they will just refuse you the refund because (as they say) you are using a non-authorized system on the machine.

              This is why I hate the whole UEFI thing, and this is the principal reason I don't want to buy a Macbook anymore and I have fear of buying future laptops.



              • #17
                Originally posted by disi View Post
                Nobody can be forced to buy UEFI hardware with pre-installed MS or Ubuntu etc. I hope.
                But then maybe they can't get a computer at all if it goes wrong, because there are no others, so yes, you then have the choice between buying and not having a PC at all.. so that's somewhat of a free choice ^^


                It's hard to say, but I mean America isn't the place of freedom and a good rights system and so on, nor is Germany, but at least when we fail to make fair processes because the juristic system has too little money and resources... we don't kill the people that we often judged wrong. Or we don't torture them like the USA does... so the point was, if we can buy hardware from America it's also OK to buy it from China... so it seems they care even as a government about free software, and even if it's only selfish it's the right thing to do... so maybe this western world is failing totally... I have no problem with that... but... that away between falling and protests and revolutions that are coming because the rich and mighty blockade all evolutions/bigger reforms, we will maybe have better China stuff because our companies just suck...

                so China's model, even if it's also bad, is better than what we do... so I go for it, hopefully they crush us... and all our corrupt concerns/enterprises... I go with their shit, they understand that patents and all that crap don't work in our modern internet world.



                • #18
                  Originally posted by bug! View Post
                  What? Why not implement a very simple bootloader that chainloads Grub2 from the partition? This loader can be very simple, all menus and FS support etc. will still be done by Grub2. And the big advantage: Everybody can use it to launch their favorite *actual* bootmanagers or kernels. And it's so damn simple it will never have to be modified.
                  According to http://mjg59.dreamwidth.org/12368.html you need everything that touches actual hardware to be signed. So for example your signed bootloader must refuse to boot an unsigned kernel. If you break the chain, then you could allow malicious code to attack other operating systems on the machine, and hence the other operating system will want your key blacklisted.

                  If you make your own key, and put that in your firmware, then you can sign and run whatever you want.

                  Comment
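The chain-of-trust argument in post #18, as an added example that is not part of the thread: a toy model in which SHA-256 hash allowlists stand in for real signatures and certificates. The `Policy` class, the image byte strings and the scenario names are all constructed for illustration.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

class Policy:
    """Toy firmware policy: db = allowed image hashes, dbx = revoked ones."""
    def __init__(self, allowed, revoked=()):
        self.db = {digest(i) for i in allowed}
        self.dbx = {digest(i) for i in revoked}

    def permits(self, image: bytes) -> bool:
        h = digest(image)
        return h in self.db and h not in self.dbx  # a dbx entry always wins

def boot(policy, loader, kernel, loader_checks_kernel):
    """Return the stages that were allowed to run, in order."""
    ran = []
    if not policy.permits(loader):          # firmware verifies the loader
        return ran
    ran.append("loader")
    if loader_checks_kernel and not policy.permits(kernel):
        return ran                          # loader refuses the kernel
    ran.append("kernel")
    return ran

# Constructed sample images (placeholders, not real binaries).
STRICT = b"loader that verifies the kernel"
LAX = b"loader that chainloads anything"
DISTRO_KERNEL = b"distro kernel"
OTHER_KERNEL = b"kernel nobody vetted"
MY_KERNEL = b"kernel I built myself"

def scenarios():
    vendor = Policy(allowed=[STRICT, LAX, DISTRO_KERNEL])
    revoked = Policy(allowed=[STRICT, LAX, DISTRO_KERNEL], revoked=[LAX])
    owner = Policy(allowed=[STRICT, MY_KERNEL])   # owner enrolled own entries
    return {
        "strict_unvetted": boot(vendor, STRICT, OTHER_KERNEL, True),
        "lax_unvetted": boot(vendor, LAX, OTHER_KERNEL, False),
        "lax_after_revocation": boot(revoked, LAX, DISTRO_KERNEL, False),
        "owner_key": boot(owner, STRICT, MY_KERNEL, True),
    }

if __name__ == "__main__":
    for name, stages in scenarios().items():
        print(f"{name}: {stages}")
```

The `lax_unvetted` case is the broken chain: the firmware's check on the loader says nothing about what runs next, which is why the only remedy left is the revocation shown in `lax_after_revocation`.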


                  • #19
                    I looked around and did not really find good instructions on how to use efilinux. All I found was this:

                    3 replies. Hi, I'm pleased to announce release 0.8 of efilinux, a reference implementation of a minimal UEFI bootloader. This bootloader has no bells or


                    It looks like it was written to load a Linux kernel via the command line? In the source I found a reference to eficonfig.cfg but that's all. No idea which syntax is used there. I don't get why somebody would like to modify efilinux to show a menu... maybe they could sign it and just start grub2 with it.



                    • #20
                      Originally posted by lithorus View Post
                      Wasn't this whole signing thing supposed to make security better?
                      If you're drinking the Microsoft Kool-Aid, then yes, SecureBoot is about security, but those of us with half a brain realize it's about 1% security-inspired and 99% about selling keys and making other OS's a pain to use.
