Announcement

Collapse
No announcement yet.

Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Seems like the NSA is behind all this shit. Cononical can eat shit with its Ubuntu... I wont use it.

    Comment


    • #32
      Now I am confused. The first thread in the comments section here suggests that you can't use your own keys.

      Comment


      • #33
        Originally posted by AdamW View Post
        The conspiracy theories around this whole thing are, honestly, pretty amusing.
        Since Qaridarium is banned, someone had to lead the conspiracy theory..

        Making other OSes a pain to use? Why? If anyone is going to ship OEM systems with Linux pre-installed - the only case in which Microsoft loses sales
        MS loses sales if people building their own systems don't buy a retail copy of Windows.

        Microsoft, at this point, Linux on general-purpose consumer PCs is not a mortal enemy; it's an irrelevance.
        Things like SecureBoot are designed to help keep it that way.

        Microsoft supports Secure Boot for precisely the purpose it claims to support Secure Boot - to reduce the threat of boot sequence malware. Does Secure Boot as designed have some problematic consequences for alternative OSes? Yeah, it does.
        How convenient...

        Comment


        • #34
          Originally posted by DanL View Post
          Since Qaridarium is banned
          Just for week.

          Comment


          • #35
            Originally posted by RussianNeuroMancer View Post
            Just for week.
            I know. Thanks.

            Comment


            • #36
              I really want to know if one ubuntu dev really tried what they want to do. it does not matter if they add a menu to efilinux loader, when you read the purpose of it you could get rid of it as well as linux efi stub would do as well - but then you would sign the kernel.

              Comment


              • #37
                Originally posted by AdamW View Post
                You'd have difficulty convincing anyone of that in a court of law.

                Microsoft isn't preventing anyone else from acting as a signing authority. They aren't preventing OEMs from shipping systems with multiple signing keys; the certification requirements explicitly _don't_ say that the Microsoft key should be the _only_ key present, only that the Microsoft key should be _one_ of the keys present.

                So how, precisely, are Microsoft locking anyone out of anything? The fact that no-one else seems to be willing to act as a signing authority is difficult to hold against Microsoft. They aren't preventing it from happening.
                Let me ask you this: Why are you talking such poor shit?

                Comment


                • #38
                  This is just ridicolous.

                  Comment


                  • #39
                    Originally posted by del_diablo View Post
                    Let me ask you this: Why are you talking such poor shit?
                    It's not poor shit. It's how a court of law would look at it.

                    It's important to realize I'm not giving my personal opinion of how desirable this is from my point of view, because I thought that pretty much goes without saying: of course, for anyone who actually runs Linux on generic PCs, secure boot is going to be something of a pain and our lives would have been easier without it.

                    What I'm trying to make clear is that there is a huge, giant, gigantic, massive gulf between 'this thing kind of sucks for us' and 'OH MY GOD IT'S AN EVIL MICROSOFT CONSPIRACY QUICK SUE THE BASTARDS'. Both in fact - because it's important to understand how things get the way they are instead of just complaining about it - and in a legal perspective. You can't just go to a court and say 'hey, Microsoft did something that's inconvenient for me, find them guility and fine them ONE BEEEEELLLION DOLLARS'. It just doesn't _work_ that way. It's easy to throw that kind of crap around on a comment thread, but doing so isn't achieving anything. It's always important to know where you stand and what the limitations of your position are.

                    It's much less useful to sit around yelling MICRO$OFT IS EVIL over and over like it's 1996 or something than it is to recognize the realities of today's industry. The general-purpose consumer PC is a dying market; it's not the future of anything, there is nothing interesting about it to Microsoft or really to anyone else. The Windows vs. Linux days, as we knew them a decade ago, are _over_. That war is done. Microsoft won it, move on. No force on heaven or earth is going to magically make the generic x86 desktop PC a growth market of vital importance to the future of our industry any more. If you missed the last decade of smartphones and tablets and app stores and HTML5 now would be an *ideal* time to catch up, because you're missing a lot.

                    The desktop PC is now a dull legacy device which will hang around forever in just the same way as mainframes have - it'll be in places it's been for decades, doing useful stuff, because it's not worth the bother to replace it. But it's not a sexy growth market any more, it's just a dull mature one that Microsoft gets to service because no-one else is in a position to (I'm talking about the majority here). Microsoft isn't thrilled about this - have you seen their share price lately? Their ongoing desperate efforts to move into new sexy markets like consoles and music players and cellphones and tablets? Do you never wonder what the hell that's all about? Think about it.

                    So as I said: it's important to actually _understand_ what's going on. Microsoft isn't fighting Linux on the desktop any more; it doesn't have to. That war's over and done. Microsoft's approach to the desktop computer market now is to try and service its existing customer base, which will dwindle modestly and steadily, as efficiently as possible. It does not give a shit at all, in a positive or negative way, about anyone else in that market. It just doesn't care. That's the key thing to understand about this whole brouhaha: Microsoft's perspective isn't 'let's design something to shaft alternative operating systems'. Microsoft's perspective is 'let's see how we can get as much money as possible as efficiently as possible out of our existing customers in this segment'. There is no consideration of alternative OSes in their position, no active malicious intent towards them: the inconvenience that we're going to suffer from secure boot and things like it is simply a _byproduct_, not an active attack. (I did see one interesting perspective on Secure Boot today, btw, which I hadn't previously considered - someone pointed out that, as well as the actual security consequences of Secure Boot, it may well go a long way to shutting down the loophole which is used to pirate Windows 7. Just about all cracked versions of Windows 7 are cracked via bootloader exploits; Secure Boot will make that much harder. If you really insist on an explanation for Microsoft's enthusiasm for Secure Boot besides, well, security, then shutting the piracy loophole seems like a much more plausible one than attacking alternative OSes. Microsoft loses _far_ more money to piracy than it does to alternative OSes. Of course, if that perspective is true, it means Microsoft would rather want Secure Boot to be mandatory not optional, which would be very bad for us if they try and force it later).

                    None of this is intended to 'excuse' Microsoft, or anything like that. That's not what I'm saying. The point of what I'm saying is that to deal with a situation you have to accurately recognize what forces produce that situation, not just idly fall back on your default explanation from ten years ago without actually considering if it really still holds. That just doesn't work.

                    Comment


                    • #40
                      Originally posted by Kristian Joensen View Post
                      Now I am confused. The first thread in the comments section here suggests that you can't use your own keys.
                      That's a fairly old thread, and several things have changed in the spec and the Microsoft requirements since then, I believe. The post which really started this brouhaha - http://mjg59.dreamwidth.org/12368.html - explicitly mentions user enrolment of keys - "The first is for a user to generate their own key and enrol it in their system firmware." - and I'm pretty sure Matthew has talked in more detail about it in the comments to that post and newer ones. Maybe check through those, rather than posts from last year.

                      Comment


                      • #41
                        Ahh, okay. I should have paid attention to how old that was. Thanks again. Interesting.

                        Comment


                        • #42
                          @AdamW

                          I doubt that secure boot prevents privacy because you can run win even without serial and rearm it 2 times. If win8 reset counter code is done the oem activation way is not needed.

                          As you refer to bootloader hacks, which basically use grub4dos with a special hack that loads an encrypted file with a signature into the memory then loads the real win bootloader it is clear that this will not work if uefi is a requirement (because g4d only works in bios mode). But i think there are already hacks that use uefi bootloaders with emulation, so if needed somebody would emulate secure boot as well.

                          The most invasive change is definitely not secure boot but the requirement to use a unique key for each system instead of 1 key for 1 oem (which is not even vendor locked yet). This is basically enough to fight back oem activation hacks. If the rearm counter is attacked then all ms can do is to search for well known hack tools with the integrated virus scanner (like defender) and does not allow the execution in first place. But the counter attack is already known: encrypte the binary with a random key.

                          Basically ms can only lose this battle, but they should not suffer so much that they will become backrupt.

                          Also why is it such a tragic to change one setup option to disable secure boot or use the csm to boot in bios mode to use linux? that option must be there.

                          Comment


                          • #43
                            Originally posted by ssam View Post
                            when i get some UEFI hardware I will put my own key on it. Then I can run whatever I want. And I can be sure it will only run stuff I signed. Sounds pretty handy for me. (Though as I am unlikely to audit all the code that I'd sign then i am probably not much more secure than currently)

                            Of course most folk don't want to mess around in their BIOS, so i am glad that the major distros work with the default keys.

                            (If someone makes some hardware where i cannot change the key then I would not buy it.)
                            That might be a good idea if UEFI was about security but it's to appease the MPAA mafia.

                            Comment


                            • #44
                              Originally posted by AdamW View Post
                              That's a fairly old thread, and several things have changed in the spec and the Microsoft requirements since then, I believe. The post which really started this brouhaha - http://mjg59.dreamwidth.org/12368.html - explicitly mentions user enrolment of keys - "The first is for a user to generate their own key and enrol it in their system firmware." - and I'm pretty sure Matthew has talked in more detail about it in the comments to that post and newer ones. Maybe check through those, rather than posts from last year.
                              Do you know if manufacturer's have to follow all the requirements to be Win8 certified, or is it going to be like ACPI where people just get Windows running by adding Secure Boot and don't bother supporting other OS's with the full spec?

                              Also, last i heard, manufacturers had to allow adding keys OR turning it off, not both. Has that changed?

                              Comment


                              • #45
                                keys

                                I think it will end up being both. I doubt very seriously that any manufacturer will ship with only added keys. And as far as I know the ability to turn off UEFI is not an option. It's the spec.

                                Comment

                                Working...
                                X