1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

Debian Developers Discuss UEFI SecureBoot Plans

Debian

Published on 09 July 2012 09:54 PM EDT
Written by Michael Larabel in Debian
29 Comments

Debian developers today at DebConf 12, aside from talking about the future Debian codename, discussed what to do about UEFI booting for Debian Linux.

UEFI is a hot discussion topic right now with Microsoft Windows 8 approaching that mandates UEFI SecureBoot support, uncertainty about how different OEMs will implement SecureBoot, different Linux distributions taking distinctly different approaches to supporting the controversial technology, and all around this just being another headache for Linux developers and distribution vendors.

While the room was full of Debian developers in Managua, Nicaragua, nothing really new came out of the discussion. If you've been keeping track of Matthew Garrett's blog posts, talks, and other information concerning SecureBoot on Linux, you didn't miss out on much from this Debian talk.

The developers went over the UEFI SecureBoot state, the approach Fedora is going with, the major UEFI SecureBoot work being done by Red Hat's Matthew Garrett, SecureBoot on QEMU-KVM virtualization, and Ubuntu's controversial approach.

While this work was discussed, nothing genuinely new was brought up during the 45-minute discussion. It's still not decided what approach Debian will ultimately support whether it's like Fedora using GRUB2 and singing the entire stack, Ubuntu using efilinux and only signing the low-level bits, or some entirely new approach for handling EFI/SecureBoot. However, something has to be decided for Debian 7.0 "Wheezy" seeing as when it ships early next year there will be a number of motherboards and PCs shipping with this headache-inducing technology.

Canonical also participated in the discussion, during which they continue to insist that the best legal advice they have is that it's still too dangerous to ship GRUB2 with their secure key, contrary to what the Free Software Foundation recently claimed.

Debian Developers Discuss UEFI SecureBoot Plans

Coming up tomorrow at this Debian event in Managua will be discussing multi-arch cross-building, Debian derivatives BoF, building Debian with the LLVM/Clang compiler, an ARM ports update, supporting ARM AArch64 as the 64-bit ARMv8 architecture, and integrating Emdebian into Debian.

Embedded below are the official notes from the EFI in Debian session.
== EFI in Debian ==

Please take notes here
What do we do?
Two parts to this:
EFI boot itself
* easy - not trivial, not implemented in installer/debian-cd yet.
* SMOP
Secure boot
* what's the least bad way?
Others:
* Fedora - RedHat
* Everything signed
* Full signing of the kernel stack. You even have to sign modules, so it
complicates stuff for things like DKMS.
*
* Ubuntu - Canonical
* not persuaded that it is safe to use GPLv3 bootloaders - differs from
FSF view of the issue under best current legal advice with respect to
their pre-installed requirements in-house.
* for now avoids going the path of fully signing the kernel stack
* for now: prevent the user to have anything to do with BIOS, SecureBoot
key handling, etc.
* FSF
* Tend to think that GPLv3 issues (such as risking the obligation to
release private key content) are either not an issue or that the license
can be changed to avoid them


New hardware for x86 shipping to run Windows8, enabling SecureBoot by default
for Windows certification. Ordinary users will need support to work through
access errors: it's not clear how to disable SecureBoot (it will be different
in different devices) and, even though it will be possible for users to
install their own keys it's unclear how to do so. The EFI spec seems to
require it, but it might not be a MUST nor very clear how it would (or not)
be possible to do it.

Changes within EFI in future
----------------------------

Comes down to MS certification requirements as to what actually ships. Must be
possible to disable SecureBoot but will practically be done via access to the
firmware: usability obstacle. No clarity on how users can install their own
keys, down to particular vendor variability. Part of the spec but not
necessarily implemented by vendors - best effort only and might not work for
all.


Likelihood of changes in MS requirements via public pressure vs pressure on OEMs?
MS are not an implementor, certifier instead. Working with individual OEMs
won't provide 100% coverage. Some clarifications have been made as a result of
bad press from the initial announcements.

Note: MS trying to implement a different mechanism / monopoly play on ARM, including
no requirement for SecureBoot to be capable of being disabled on ARM. Increasing
deployment of ARM devices will become important. Makes Windows phones much less
appealing as hackable devices.

Larger customers may be able to stipulate particular configurations or OS-less
hardware but this isn't just a hobbyist problem.

Reasons behind the spec include virus protection which is being pushed by some
of the larger customers for the hardware. HP want users to run what they want
to run but also take into account requirements from the same customers about
protecting what does run.

Debian
======

What are the limitations on extra keys? Is another key useful?
* could be unlikely to get a response
* actual space within the firmware is limited
Any one binary can only be signed by one key.
Linux Foundation to sign a generic bootloader?


It is quite possible that one or more OEM's will simply not bother to implement
the option to disable SecureBoot or put it in but not adequately test it. Current
certification requires a switch to be available but no requirement for this to
be obvious. Turned off, the machine cannot dual-boot Windows8. Corporate customers
may also require that SecureBoot is not turned off.

Derivatives will expect to be able to use Debian as a base. May be able to treat a
signed bootloader as non-free. Try to support both users and derivatives at
the same time but it disables our standard install media without SecureBoot
first being disabled.

EFI support is still required in Debian Installer - BIOS won't be available
in future machines.

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Linux Hardware Reviews
  1. NVIDIA GeForce GTX 970 Offers Great Linux Performance
  2. CompuLab Intense-PC2: An Excellent, Fanless, Mini PC Powered By Intel's i7 Haswell
  3. From The Atom 330 To Haswell ULT: Intel Linux Performance Benchmarks
  4. AMD Radeon R9 285 Tonga Performance On Linux
Latest Linux Articles
  1. Ubuntu 14.10 XMir System Compositor Benchmarks
  2. Btrfs RAID HDD Testing On Ubuntu Linux 14.10
  3. Ubuntu 14.10 Linux 32-bit vs. 64-bit Performance
  4. AMD Moves Forward With Unified Linux Driver Strategy, New Kernel Driver
Latest Linux News
  1. Cairo-Dock 3.4 Shows A Lot Of Progress, Works Toward EGL/Wayland Support
  2. Mesa 10.4 Tentatively Planned For Early December
  3. SteamOS Update 145 Brings Compositor, Update Fixes
  4. GStreamer 2014 Conference Videos Posted: Wayland, HTML5, 3D
  5. Nouveau Now Supports DRI3 Without GLAMOR
  6. Features Of The Linux 3.18 Kernel
  7. Debian Now Defaults To Xfce On Non-x86 Desktops
  8. Phoenix Is Trying To Be An Open Version Of Apple's Swift
  9. Linux 3.19 To Have Skylake Graphics, PPGTT Enablement
  10. Ubuntu 16.04 Might Be The Distribution's Last 32-Bit Release
Latest Forum Discussions
  1. HOPE: The Ease Of Python With The Speed Of C++
  2. Users/Developers Threatening Fork Of Debian GNU/Linux
  3. Ubuntu 16.04 Might Be The Distribution's Last 32-Bit Release
  4. AMD Releases UVD Video Decode Support For R600 GPUs
  5. Proof that strlcpy is un-needed
  6. xbox one tv tuner
  7. Bye bye BSD, Hello Linux: A Sys Admin's Story
  8. Updated and Optimized Ubuntu Free Graphics Drivers