
Linux 6.9 Makes A Change To Satisfy Microsoft For EFI x86 Shim Loader Signing


  • Linux 6.9 Makes A Change To Satisfy Microsoft For EFI x86 Shim Loader Signing

    Phoronix: Linux 6.9 Makes A Change To Satisfy Microsoft For EFI x86 Shim Loader Signing

    The EFI updates were merged today for the ongoing Linux 6.9 merge window. This cycle the EFI kernel code is seeing enhancements for confidential computing as well as for satisfying Microsoft's requirements for getting them to sign the x86 shim loader again for UEFI Secure Boot handling...


  • #2
    I, for one, welcome our Microsoft overlords!

    Seriously, it's insane and ridiculous to depend on them this way.



    • #3
      Originally posted by timofonic
      I, for one, welcome our Microsoft overlords!

      Seriously, it's insane and ridiculous to depend on them this way.
      Well, they control the master key for UEFI secure boot, so that ship has sailed a long time ago. And forcing end users to install their own keys won't fly with the public at large.



      • #4
        Secure boot/TPM has never prevented me from running GNU/Linux but then again I mostly stick to corporate distros that sign their stuff. As long as secure boot/TPM can be turned off I don't really mind it.



        • #5
          Originally posted by F.Ultra

          Well, they control the master key for UEFI secure boot, so that ship has sailed a long time ago. And forcing end users to install their own keys won't fly with the public at large.
          I'm not a lawyer, but, that should be illegal



          • #6
            Originally posted by mirmirmir

            I'm not a lawyer, but, that should be illegal
            I don't see how you would find legal standing. Every single motherboard manufacturer is free to install any master key(s) they want (and you as the end user can install your own if you like) but they have so far decided to only add the Microsoft one (and Apple the Apple one on mac hw).



            • #7
              SecureBoot causes more problems than it solves.



              • #8
                Originally posted by Abacus123
                Secure boot/TPM has never prevented me from running GNU/Linux but then again I mostly stick to corporate distros that sign their stuff. As long as secure boot/TPM can be turned off I don't really mind it.
                It's mostly a problem with the community distros that don't have the bandwidth to sign their stuff or just don't want to pay a fee to Microsoft. I would be very surprised if Ubuntu and RHEL didn't work with Secure Boot. I wouldn't at all be surprised if distros like Arch and Gentoo don't work out of the box and require you to add your own keys.

                Personally, I'm still of the mind that it's safe to turn off Secure Boot unless you're a relatively high-value target. How often do you hear about people's /boot or firmware getting targeted and triggering a Secure Boot warning? Certainly it does happen but it's not common.



                • #9
                  Linux 6.9 Makes A Change To Satisfy Microsoft
                  This is so wrong...
                  Originally posted by F.Ultra

                  Well, they control the master key for UEFI secure boot, so that ship has sailed a long time ago. And forcing end users to install their own keys won't fly with the public at large.
                  The solution is simple, disable that worthless feature and ur good. Seriously, secure boot doesn't even do anything, it literally only exists as a nuisance.

                  Even if you're, as ahrs said, a "high-value target", you have much bigger problems if someone has the physical access to your pc needed for secure boot to actually do anything; and at that point, a little thing like secure boot isn't gonna stop them. Secure boot is a stupid feature to enable by default because you need at bare minimum a password-protected bios for it to even theoretically do anything for you.

                  The only exception is if you're dumb enough to be flashing your bios or booting from untrusted sources, at which point secure boot won't save you either, it isn't the cure for stupidity.

                  Secure Boot should honestly just be named Microsoft Boot, it's more about increasing Microsoft's control over average PC users who aren't tech savvy than it is about securing anything.
                  Last edited by rabcor; 14 March 2024, 05:28 AM.



                  • #10
                    I think motherboards should be able to have UEFI Secure Boot keys that are pre-installed from factory but disabled by default, so then the user can easily enter the UEFI Setup Screen and enable one of the pre-installed keys.

                    That way Canonical, Red Hat and SUSE can have their own keys pre-installed.
