UEFI Secure Boot Still A Big Problem For Linux


  • #11
    Originally posted by Qaridarium View Post
    you sound like: "oh yes microsoft hurt me i like it its a feature for me i make the best ever out of it give me more of it oo yeess..."
    I don't care one sh*t about MS (either way - I just don't care) and I have not had anything to do with them for many years. Thanks to Linux I run relatively old computers so the UEFI will not hit me in a long while. The secure boot feature is however something that also lots of Linux people actually want. Fundamentally, it is a good technology - with the huge bug that it can be abused by the dominant player (MS) and its control over the OEMs. Personally I think that regulators (EU, US etc) need to keep an eye on this technology shift and make sure that installing optional operating systems is easy on all OEM machines sold (including ARM ones).

    For the major distros, they can probably go for signed kernels and run on bare hardware, but for the hobbyist or someone running a less usual distro or alternative open source OS (*BSD, illumos, Plan9 ...), an alternative solution would have to be found - for example a signed microkernel handing over control to the guest OS as soon as possible.

    Comment


    • #12
      Originally posted by staalmannen View Post
      I don't care one sh*t about MS (either way - I just don't care) and I have not had anything to do with them for many years. Thanks to Linux I run relatively old computers so the UEFI will not hit me in a long while. The secure boot feature is however something that also lots of Linux people actually want. Fundamentally, it is a good technology - with the huge bug that it can be abused by the dominant player (MS) and its control over the OEMs. Personally I think that regulators (EU, US etc) need to keep an eye on this technology shift and make sure that installing optional operating systems is easy on all OEM machines sold (including ARM ones).

      For the major distros, they can probably go for signed kernels and run on bare hardware, but for the hobbyist or someone running a less usual distro or alternative open source OS (*BSD, illumos, Plan9 ...), an alternative solution would have to be found - for example a signed microkernel handing over control to the guest OS as soon as possible.
      This is economic war; there is no peaceful (read: spend money to hurt the enemy) solution at all.

      The only way is to do it like Microsoft: pay people to use Linux and force them by contract to never use Windows again.

      Where do you get the money for it?

      Do it like Microsoft: only a monopoly can do it! In Germany, for example, you are forced by law to send Microsoft money because the official tax paying software is Windows based and you are forced by law to use this software!

      This means you just need a new LAW for it! This means in the future every tax payer has to pay the Linux tax to force the people by contract to never use Windows again!

      This is a great solution! Do it like Microsoft and learn to WIN!

      Comment


      • #13
        From article: "Signed Linux kernels must refuse to load any unsigned kernel modules."

        Why? Secure Boot requires a signed kernel (or isn't it, rather, a signed boot loader?) but the kernel can do anything after boot. Yes, it defies the idea that you should only run trusted code but that can be a boot option or, as someone wrote above, the out of tree projects can provide signed modules.

        Comment


        • #14
          I really this whole sh*t will boost coreboot development. And after all, one of the motherboard companies will make coreboot at least an option. I am eager to hear about the first laptop with coreboot support on FOSDEM after 2 weeks.
          http://fosdem.org/2012/schedule/event/coreboot_laptops

          Comment


          • #15
            What if you build your own?

            I currently build all my own desktops. I have built several with UEFI, but without secure boot. Are manufacturers of computer parts suddenly out of business? What about all the computer parts stores worldwide? If I bought a stack of bits and went home to build a Windows 8 machine for someone, would I still be allowed? Will part of the install involve ringing Microsoft to unlock something? But if you cannot boot from a DVD, how do you install an OS, even Windows, in the first place?

            Lots of questions, lots of conjecture, not many straight answers. Surely the purveyors of motherboards will have to supply them with unlocked secure boot, even the ARM ones. And Microsoft have confirmed that that is the case, otherwise no one will be able to do a new install of 2000 - Windows 7. What about HDD failure? Run down to the shop, pick up a nice new 2TB drive and plug it in and the UEFI has a hissy fit when you try and reinstall. Each Windows install disk would have to be absolutely locked to one piece of hardware. All Windows 8 would have to be use-once OEM, no more own-your-own boxed editions. I can guess that the install will generate a key that then has to be entered into the BIOS and then a reboot before Windows 8 will fully function.

            Notebooks, on the other hand, are more easily controlled. There are not many build your own notebooks.

            I do not care about Windows installs for home builds, but answering these questions will go a long way to knowing what will happen to Linux home builds.

            5 - 10 years from now. What happens to Internet Banking or any online commerce? No secure boot no transaction. Maybe.
            Last edited by grege; 01-18-2012, 04:29 AM.

            Comment


            • #16
              We're already dealing with the problems of secure chain booting on ARM chips. Barnes and Noble NOOK TABLET uses an OMAP4430, which does a sig check on xloader. Then xloader does a sig check on uboot, and uboot does a sig check on the boot partition. Got lucky in that the stupid uboot didn't verify the load addresses in RAM before running the sig check, so dumping a new (no sig check) uboot over the evil one in RAM and suddenly it's happy to load an unsigned kernel.

              Note that the secure boot problem doesn't just enforce BS-OS (balmer-soft, or bull-shit if you prefer), it will just get in the way of the user owning their own hardware regardless of what the vendor puts on it.

              I find this secure boot thing to be criminal.

              Comment
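The step post #16 says was missing (checking where an image asks to be loaded before running the signature check), as an added example that is not part of the thread and not code from U-Boot or any vendor. The memory map, the region names and `check_load_target` are hypothetical, constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical memory map, constructed for this example. */
struct region { uint32_t base, size; };
static const struct region DRAM = { 0x80000000u, 0x20000000u };
static const struct region PROTECTED[] = {
    { 0x80E80000u, 0x00080000u },   /* running loader: text, data, bss */
    { 0x80F00000u, 0x00100000u },   /* loader stack and heap */
};

enum load_status { LOAD_OK, LOAD_BAD_RANGE, LOAD_OVERLAPS_LOADER };

/* True if [base, base+size) lies wholly inside r; written so that
 * base + size is never computed and therefore cannot wrap. */
static bool contained(const struct region *r, uint32_t base, uint32_t size)
{
    if (size == 0 || base < r->base)
        return false;
    uint32_t off = base - r->base;
    return off < r->size && size <= r->size - off;
}

/* True if [base, base+size) intersects r (64-bit ends avoid wrap). */
static bool overlaps(const struct region *r, uint32_t base, uint32_t size)
{
    uint64_t end = (uint64_t)base + size;
    uint64_t r_end = (uint64_t)r->base + r->size;
    return base < r_end && r->base < end;
}

/* Call with the header's load address and size BEFORE copying the image
 * to RAM and before verifying its signature in place. */
enum load_status check_load_target(uint32_t load_addr, uint32_t image_size)
{
    if (!contained(&DRAM, load_addr, image_size))
        return LOAD_BAD_RANGE;
    for (size_t i = 0; i < sizeof PROTECTED / sizeof PROTECTED[0]; i++)
        if (overlaps(&PROTECTED[i], load_addr, image_size))
            return LOAD_OVERLAPS_LOADER;
    return LOAD_OK;
}

int main(void)
{
    /* Constructed sample header values: a benign load target. */
    return check_load_target(0x82000000u, 0x00400000u) == LOAD_OK ? 0 : 1;
}
```

A stage that rejects the image on anything other than `LOAD_OK` never writes attacker-chosen bytes over the code that is about to perform the signature check.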


              • #17
                Seems like MS finally found a way to start enforcing that little part of its EULA that once you install MS your computer belongs to them...
                Win 8 cloud initiative... I'd imagine by Win 9 you'll be required to leave your computer and internet connection on at all times so corporations can use your unused computer cycles, bandwidth and electricity for their own... or find your Windows functionality cut to Windows basic. Not too far fetched since I thought I read about that possibility tied in to some "free" donated computers to a 3rd world country (in Africa?).
                Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.
                Ben Franklin 1755

                Comment


                • #18
                  Originally posted by kobblestown View Post
                  From article: "Signed Linux kernels must refuse to load any unsigned kernel modules."

                  Why? Secure Boot requires a signed kernel (or isn't it, rather, a signed boot loader?) but the kernel can do anything after boot. Yes, it defies the idea that you should only run trusted code but that can be a boot option or, as someone wrote above, the out of tree projects can provide signed modules.
                  If your kernel loads unsigned kernel modules then it also permits you to backdoor Windows, which means that Microsoft would blacklist it.

                  Comment


                  • #19
                    What about the initrd, is it secured by TPM?

                    Comment


                    • #20
                      A solution

                      The best solution, according to the post, would be a standard and predictable way for users to install a key: presumably something that could be highly automated by an installer. But the UEFI standard doesn't offer this and it's too late to change that.
                      Perhaps the solution is for the community of minority OSs to come up with a mini OS whose entire purpose is to provide this missing functionality, and get the key for this special purpose OS included by vendors .. difficult, but perhaps easier than other solutions.

                      Comment
