Well when you think of secure then it is somehow unlogical when you would not combine it with encryption. The funny thing would be: even when secure boot would only allow ms bootloaders then you could most likely still boot the the install media. But that has got a konsole and via that you have got full access, no pw needed.
Announcement
Collapse
No announcement yet.
UEFI Secure Boot Still A Big Problem For Linux
Collapse
X
-
Originally posted by kobblestown View PostFrom article: "Signed Linux kernels must refuse to load any unsigned kernel modules."
Why? Secure Boot requires a signed kernel (or isn't it, rather, a signed boot loader?) but the kernel can do anything after boot. Yes, it defies the idea that you should only run trusted code but that can be a boot option or, as someone wrote above, the out of tree projects can provide signed modules.
After kernel loads there should be *nothing* done to modify any of the *trusted* components otherwise the chain of trust is broken...that's where Secure Boot will bite. The trusted components need to be walled off
Comment
-
Don't see the problem
I can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by microsoft specify that every windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? offcourse, you would have to turn of this security feature to be able to run linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.
Comment
-
Originally posted by Eragon View PostI can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by microsoft specify that every windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? offcourse, you would have to turn of this security feature to be able to run linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.
Comment
-
Originally posted by QaridariumAnd in the end some people do not understand why they should open the chassis and lose warranty just because Linux is to bad to run out of the box.
Comment
-
Originally posted by Eragon View PostI can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by microsoft specify that every windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? offcourse, you would have to turn of this security feature to be able to run linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.
Unless you have a reference.....?
Comment
-
Originally posted by droidhacker View PostAs I recall, it was "MAY". Not "MUST".
Unless you have a reference.....?
21. MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement
the ability to disable Secure Boot via firmware setup. A physically present user must be
allowed to disable Secure Boot via firmware setup without possession of PKpriv.
Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot
Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.
Comment
-
Originally posted by droidhacker View PostI don't know what the German law is regarding this, but in North America, it is ILLEGAL for a hardware vendor to blanket void warranties for something like opening the box. The hardware vendor is required to show that the user actually CAUSED the problem for which it is being serviced.
Comment
-
I think secure boot will just create security problems
Secure boot seems like something that will just frustrate users and may make computers less secure. Quite often computer users will throw security to the wind if it makes their computer work the way he or she wants it to work. For example, I've known people that after purchasing a game that uses the DRM of Games for Windows Live, get so frustrated with the DRM that they chose to download and use a cracked copy which may or may not contain a virus. It seems more often than not that a computer user will chose ease of use over security. Arguably, this is even one of the reasons that many computer users choose to use Windows over Ubuntu, even after being made fully aware of there being a choice in operating systems. What does this mean for secure boot? I think this will just cause computer users to chose to download and use bootleg firmware and hacked OS kernels. Some user's may even try to download firmware for older hardware that uses UEFI without secure boot simply because some random person on the internet said it would work. I suppose this wouldn't happen very often as long as Windows would continue to boot without issue. However, all it would take is some minor slip up with Microsoft pushing out a boot loader or kernel update, releasing it without it being properly signed. Not only would frustrated users now be downloading bootleg firmware and hacked kernels like there is no tomorrow, but Microsoft will have crashed more computers than any virus ever could. Also, imagine the horror of a screen that pops up that say "To install Windows 8 Service Pack 1, you must first update your computer's firmware."
Comment
Comment