Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2


  • #46
    kano: for people like us, not tragic at all. It'll take us thirty seconds when we buy a new PC to turn off Secure Boot and then we'll forget about it. That's certainly what I'll do.

    The reason Fedora and Ubuntu are taking trouble to work even with what a 'stock' config will look like in, oh, a year's time - Secure Boot enabled, Microsoft key present - is because we as projects think it's still very important to be as accessible as possible to at least _some_ people who aren't comfortable poking around in the system firmware, or turning off items with 'secure' in their names. For Ubuntu's target audience the case for this is obvious. For Fedora's it's slightly less obvious, but we _do_ target fairly 'non-technical' users in some ways; our avowed target audience is 'people who may contribute back to Fedora', but that's still a pretty wide net in a way. For instance, someone who likes to draw is a potential member of our 'target audience', as design is certainly something that you can contribute to Fedora; such a person isn't necessarily 'technical' enough to be happy poking around in the firmware.

    smitty: As I understand it, at least in theory, you have to comply with all the requirements to be certified (and therefore to qualify for OEM preloads). You can't implement Secure Boot but leave out a mechanism for turning it off, and still expect to pass certification. Of course, we'll only know _for sure_ how Microsoft will handle this when the rubber hits the road, but that's how I understand it at present. I don't feel qualified to comment on the 'or / and' question, I don't know the licensing requirements in enough detail; I'd rather defer to Matthew on that one, try asking him. I _thought_ it was an AND situation, but I'm always entirely prepared for the possibility that I'm wrong at any given time.



    • #47
      but if you use it, you approve it, you legitimise it...

      I see here a problem, so if maybe Ubuntu as only distribution would go this way ok... but anybody who installs something else than Ubuntu is a geek anyway... because it's the standard distribution right now... surely after the Unity debacle that maybe slightly changed... but Fedora is still only used by people who did install another distribution before that...


      Maybe I think too strongly about that... but if all major distros support this, some day Microsoft will say, see it's no problem now in ACPI 5.0 we enforce that there is no off switch... and then good arguments against it are gone...



      • #48
        A concrete question -

        how will this affect our ability to run multiple-boots ? I've been using the various GRUB versions to do this for the last six years or so and by and large have been satisfied with the function (OK, getting GRUB back after doing an MS re-install can be a pain, but if one is forewarned, one takes the necessary precautions), but what will I have to do if, on a future main box, I want to run, say, Ubuntu, Fedora, and Win8 ? Can I simply turn off the so-called SecureBoot key and then install the current GRUB2 version or are there still other hoops through which I have to be prepared to jump ?...

        Henri



        • #49
          First of all grub2 does not detect efi windows installs using os-prober. But I have got a tiny custom.cfg that would find 'em with grub 2.00. grub 1.99 is not optimal for that, but I don't know why there is not even an experimental debian package with 2.00. Basically you do not necessarily need grub, you can use the integrated bootmanager in the setup, then you use just quick boot selection and start the os you like. You just don't get a menu all the time, only when you press the quick boot selection key.



          • #50
            Grub2.00 ?

            Originally posted by Kano
            First of all grub2 does not detect efi windows installs using os-prober. But I have got a tiny custom.cfg that would find 'em with grub 2.00. grub 1.99 is not optimal for that, but I don't know why there is not even an experimental debian package with 2.00. Basically you do not necessarily need grub, you can use the integrated bootmanager in the setup, then you use just quick boot selection and start the os you like. You just don't get a menu all the time, only when you press the quick boot selection key.
            Thanks for your speedy reply Kano (嘉納 ?) ! Alas, I'm not familiar with «the integrated bootmanager in the setup» to which you refer and which you say would allow me to use «quick boot selection and start the [OS desired]». Could I prevail upon you to point me to more information on this matter ? I'm currently running 64-bit Ubuntu 12.04 LTS and thus have GRUB1.99 installed....

            Henri



            • #51
              Well does your board support efi? When your system is booted via efi then

              efibootmgr

              will not show any error.

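The check suggested in the post above, as an added example that is not part of the original post: a kernel booted via EFI exposes `/sys/firmware/efi`, and with efivarfs mounted the `SecureBoot` variable (EFI global variable GUID) holds the current Secure Boot state. The optional root argument is a hypothetical parameter added here so the function can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example: report firmware boot mode and Secure Boot state from sysfs.
# EFI global variable GUID, under which the SecureBoot variable is published.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# boot_state [ROOT]
# ROOT defaults to /sys; passing another path is an assumption of this
# example, used only to run the check against a constructed tree.
boot_state() {
    root="${1:-/sys}"
    efidir="$root/firmware/efi"

    # No firmware/efi directory: the kernel was started via legacy BIOS/CSM,
    # which is also the case in which efibootmgr reports an error.
    if [ ! -d "$efidir" ]; then
        echo "bios"
        return 0
    fi

    var="$efidir/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    # Booted via EFI, but efivarfs is not mounted or the firmware does not
    # publish the variable (pre-Secure-Boot UEFI implementations).
    if [ ! -r "$var" ]; then
        echo "uefi secureboot=unknown"
        return 0
    fi

    # efivarfs files start with a 4-byte attribute word; the SecureBoot
    # payload is the single byte that follows (1 = enforcing, 0 = off).
    val=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case "$val" in
        1) echo "uefi secureboot=enabled" ;;
        0) echo "uefi secureboot=disabled" ;;
        *) echo "uefi secureboot=unknown" ;;
    esac
}

boot_state "$@"
```
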


              • #52
                I fear I didn't make my present situation clear ;

                Originally posted by Kano
                Well does your board support efi? When your system is booted via efi then

                efibootmgr

                will not show any error.
                my mainboard is a GA-990FXA-UD3 and thus supports BIOS rather than UEFI. I was rather hoping to get an answer for future reference ; i e, for my next build....

                Henri



                • #53
                  Originally posted by werfu
                  I don't get why this Secured Boot and requiring Microsoft key doesn't bring an Anti-trust suit against MS. I mean, they're basically locking out people from using other OS unless these OS have paid MS for the signing. That's a hell of a case!
                  Actually, no - Microsoft aren't doing anything of the sort. All they've done is require vendors to ship Microsoft's own key - they're in no way preventing (or even pressuring) those vendors to not supply other keys as well. The "pay MS" part comes from the fact that since companies like Canonical or Redhat don't have enough influence with vendors to get their own key shipped, Microsoft will provide a signing service that allows those companies to take advantage of Microsoft's ubiquitous key.

                  It's quite neatly done, actually. Microsoft haven't done anything remotely illegal, nor abused their market position in such a way that anti-trust laws would come into play - indeed, they're going out of their way to help their small competitors. And yet despite that, they've obtained considerable advantage out of it. Say what you want about them, but this is very well thought out.
                  Last edited by Delgarde; 06-24-2012, 07:48 PM.



                  • #54
                    @mhenriday

                    Your board should support uefi, a bit uncommonly implemented as bios addon however not the other way around. You need to use a distro with uefi support however, just dd a kanotix iso onto a usb key and try (hybrid mbr+uefi mode).



                    • #55
                      Sure

                      Originally posted by aliasbody
                      The real problem is there, the manufacturer do whatever he wants. You want an example ? I bought an Asus 1215N with Optimus, and in the first 14 days according to my country's legislation, if I have a real good reason (I've just resumed this part), I can send back what I bought and have a new one or just a refund.

                      The problem is that when I've tried to get a new one, the reason I told them was that I was using Linux and Optimus isn't compatible, so they contact Asus and the answer was a simple and pure no because the material was only made for Windows.

                      The UEFI thing will be the same, they will request a signed OS with signed Kernel etc... and if you don't have that they will just refuse you the refund because (as they say) you are using a non authorized system on the machine.

                      This is why I have the all UEFI thing, and this is the principal reason I don't want to buy a Macbook anymore and I have fear on buying future laptops.
                      It might be that one won't be able to buy 'stock' laptops any more. Just look for a manufacturer who lets you decide what you get? For my last notebook I searched 'hard' on the internet rather than going to a supermarket. They are certainly out there and let you customize your hardware and choose your OS or no OS at all.
                      nVidia support, it is always better to check beforehand if it works or if they support Linux.

                      For the experience with Asus, did it come with a preinstalled Windows? If not, I would want my money back...



                      • #56
                        And you really have read that on x86 you just can switch off secure boot? That's part of the specification...



                        • #57
                          Originally posted by Kano
                          And you really have read that on x86 you just can switch off secure boot? That's part of the specification...
                          I don't think that it is part of the UEFI Secure Boot specification to have an option to disable it.

                          It is a requirement of the Microsoft Windows 8 Logo Certification that an x86 computer must be able to disable Secure Boot.
                          Interestingly enough, it is not a requirement for the Ubuntu certification to have a disable Secure Boot switch.



                          • #58
                            Well, do you want to buy an Ubuntu-only PC? I would never do so. Btw. you could prepare your own boot media just with the signed u bootloaders if it does not matter if the kernel booted later is signed or not. You gain absolutely nothing.



                            • #59
                              "Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have,"


                              They are declaring themselves as "off-the-shelf system".

                              This means they are not going for 1st class, but crap class.

                              With such attitude, Canonical is on sure way to hell!



                              • #60
                                Originally posted by Delgarde
                                Actually, no - Microsoft aren't doing anything of the sort. All they've done is require vendors to ship Microsoft's own key - they're in no way preventing (or even pressuring) those vendors to not supply other keys as well. The "pay MS" part comes from the fact that since companies like Canonical or Redhat don't have enough influence with vendors to get their own key shipped, Microsoft will provide a signing service that allows those companies to take advantage of Microsoft's ubiquitous key.

                                It's quite neatly done, actually. Microsoft haven't done anything remotely illegal, nor abused their market position in such a way that anti-trust laws would come into play - indeed, they're going out of their way to help their small competitors. And yet despite that, they've obtained considerable advantage out of it. Say what you want about them, but this is very well thought out.
                                Definition of monopoly:

                                A monopoly (from Greek monos μόνος (alone or single) + polein πωλεῖν (to sell)) exists when a specific person or enterprise is the only supplier of a particular commodity (this contrasts with a monopsony which relates to a single entity's control of a market to purchase a good or service, and with oligopoly which consists of a few entities dominating an industry).
                                ...
                                The verb "monopolize" refers to the process by which a company gains the ability to raise prices or exclude competitors. In economics, a monopoly is a single seller. In law, a monopoly is business entity that has significant market power, that is, the power, to charge high prices.[3] Although monopolies may be big businesses, size is not a characteristic of a monopoly. A small business may still have the power to raise prices in a small industry (or market).[4]
                                Microsoft being the only valid key signer perfectly FITS the definition of monopoly.

                                So, instead of RH, SUSE and Canonical getting together and SUING microsoft, they decide to swallow the crap that is thrown onto them???!

                                WTF!!!



                                How it should have been done:

                                Independent entry, that is signing for free, provided the payload passes its review. The costs for review should NOT be extraordinary, especially when the code is open-source.
                                That would solve EVERYTHING.
                                Last edited by crazycheese; 06-25-2012, 06:15 AM.
