Announcement

Collapse
No announcement yet.

UEFI Secure Boot Still A Big Problem For Linux

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Well when you think of secure then it is somehow unlogical when you would not combine it with encryption. The funny thing would be: even when secure boot would only allow ms bootloaders then you could most likely still boot the the install media. But that has got a konsole and via that you have got full access, no pw needed.

    Comment


    • #22
      Originally posted by kobblestown View Post
      From article: "Signed Linux kernels must refuse to load any unsigned kernel modules."

      Why? Secure Boot requires a signed kernel (or isn't it, rather, a signed boot loader?) but the kernel can do anything after boot. Yes, it defies the idea that you should only run trusted code but that can be a boot option or, as someone wrote above, the out of tree projects can provide signed modules.

      After kernel loads there should be *nothing* done to modify any of the *trusted* components otherwise the chain of trust is broken...that's where Secure Boot will bite. The trusted components need to be walled off

      Comment


      • #23
        Don't see the problem

        I can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by microsoft specify that every windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? offcourse, you would have to turn of this security feature to be able to run linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.

        Comment


        • #24
          Originally posted by Eragon View Post
          I can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by microsoft specify that every windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? offcourse, you would have to turn of this security feature to be able to run linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.
          It's not unavoidable at all. Even in the worst case, a user/admin should have the option of signing his own bootloader/kernel/initrd.

          Comment


          • #25
            Originally posted by Qaridarium
            And in the end some people do not understand why they should open the chassis and lose warranty just because Linux is to bad to run out of the box.
            I don't know what the German law is regarding this, but in North America, it is ILLEGAL for a hardware vendor to blanket void warranties for something like opening the box. The hardware vendor is required to show that the user actually CAUSED the problem for which it is being serviced.

            Comment


            • #26
              Originally posted by mjg59 View Post
              If your kernel loads unsigned kernel modules then it also permits you to backdoor Windows, which means that Microsoft would blacklist it.
              I don't see how it matters if MS blacklists anything.... its the bios that you have to worry about.

              Comment


              • #27
                Originally posted by Eragon View Post
                I can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by microsoft specify that every windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? offcourse, you would have to turn of this security feature to be able to run linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.
                As I recall, it was "MAY". Not "MUST".
                Unless you have a reference.....?

                Comment


                • #28
                  Originally posted by droidhacker View Post
                  As I recall, it was "MAY". Not "MUST".
                  Unless you have a reference.....?
                  Here it is, from the Windows 8 System Requirements, page 116:

                  21. MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement
                  the ability to disable Secure Boot via firmware setup. A physically present user must be
                  allowed to disable Secure Boot via firmware setup without possession of PKpriv.
                  Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot
                  Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.

                  Comment


                  • #29
                    Originally posted by droidhacker View Post
                    I don't know what the German law is regarding this, but in North America, it is ILLEGAL for a hardware vendor to blanket void warranties for something like opening the box. The hardware vendor is required to show that the user actually CAUSED the problem for which it is being serviced.
                    It's the same in Germany and the rest of the EU: Removing a "warranty" sticker of your computer voids nothing.

                    Comment


                    • #30
                      I think secure boot will just create security problems

                      Secure boot seems like something that will just frustrate users and may make computers less secure. Quite often computer users will throw security to the wind if it makes their computer work the way he or she wants it to work. For example, I've known people that after purchasing a game that uses the DRM of Games for Windows Live, get so frustrated with the DRM that they chose to download and use a cracked copy which may or may not contain a virus. It seems more often than not that a computer user will chose ease of use over security. Arguably, this is even one of the reasons that many computer users choose to use Windows over Ubuntu, even after being made fully aware of there being a choice in operating systems. What does this mean for secure boot? I think this will just cause computer users to chose to download and use bootleg firmware and hacked OS kernels. Some user's may even try to download firmware for older hardware that uses UEFI without secure boot simply because some random person on the internet said it would work. I suppose this wouldn't happen very often as long as Windows would continue to boot without issue. However, all it would take is some minor slip up with Microsoft pushing out a boot loader or kernel update, releasing it without it being properly signed. Not only would frustrated users now be downloading bootleg firmware and hacked kernels like there is no tomorrow, but Microsoft will have crashed more computers than any virus ever could. Also, imagine the horror of a screen that pops up that say "To install Windows 8 Service Pack 1, you must first update your computer's firmware."

                      Comment

                      Working...
                      X