
UEFI Secure Boot Still A Big Problem For Linux


  • #11
    What if you build your own?

    I currently build all my own desktops. I have built several with UEFI, but without secure boot. Are manufacturers of computer parts suddenly out of business? What about all the computer parts stores worldwide? If I bought a stack of bits and went home to build a Windows 8 machine for someone, would I still be allowed? Will part of the install involve ringing Microsoft to unlock something? But if you cannot boot from a DVD, how do you install an OS, even Windows, in the first place?

    Lots of questions, lots of conjecture, not many straight answers. Surely the purveyors of motherboards will have to supply them with unlocked secure boot, even the ARM ones. And Microsoft have confirmed that that is the case, otherwise no one will be able to do a new install of 2000 - Windows 7. What about HDD failure? Run down to the shop, pick up a nice new 2TB drive and plug it in, and the UEFI has a hissy fit when you try and reinstall. Each Windows install disk would have to be absolutely locked to one piece of hardware. All Windows 8 would have to be use-once OEM, no more own-your-own boxed editions. I can guess that the install will generate a key that then has to be entered into the BIOS and then a reboot before Windows 8 will fully function.

    Notebooks, on the other hand, are more easily controlled. There are not many build your own notebooks.

    I do not care about Windows installs for home builds, but answering these questions will go a long way to knowing what will happen to Linux home builds.

    5 - 10 years from now. What happens to Internet Banking or any online commerce? No secure boot no transaction. Maybe.
    Last edited by grege; 01-18-2012, 05:29 AM.


    • #12
      We're already dealing with the problems of secure chain booting on ARM chips. The Barnes and Noble NOOK Tablet uses an OMAP4430, which does a sig check on xloader. Then xloader does a sig check on uboot, and uboot does a sig check on the boot partition. Got lucky in that the stupid uboot didn't verify the load addresses in RAM before running the sig check, so dumping a new (no sig check) uboot over the evil one in RAM and suddenly it's happy to load an unsigned kernel.

      Note that the secure boot problem doesn't just enforce BS-OS (Ballmer-soft, or bull-shit if you prefer), it will just get in the way of the user owning their own hardware regardless of what the vendor puts on it.

      I find this secure boot thing to be criminal.


      • #13
        Seems like MS finally found a way to start enforcing that little part of its EULA that once you install MS your computer belongs to them...
        Win 8 cloud initiative... I'd imagine by Win 9 you'll be required to leave your computer and internet connection on at all times so corporations can use your unused computer cycles, bandwidth and electricity for their own... or find your Windows functionality cut to Windows Basic. Not too far fetched, since I thought I read about that possibility tied in to some "free" donated computers to a 3rd world country (in Africa?).


        • #14
          Originally posted by kobblestown:
          From article: "Signed Linux kernels must refuse to load any unsigned kernel modules."

          Why? Secure Boot requires a signed kernel (or isn't it, rather, a signed boot loader?) but the kernel can do anything after boot. Yes, it defies the idea that you should only run trusted code but that can be a boot option or, as someone wrote above, the out of tree projects can provide signed modules.
          If your kernel loads unsigned kernel modules then it also permits you to backdoor Windows, which means that Microsoft would blacklist it.


          • #15
            What about the initrd, is it secured by TPM?


            • #16
              A solution

              The best solution, according to the post, would be a standard and predictable way for users to install a key: presumably something that could be highly automated by an installer. But the UEFI standard doesn't offer this and it's too late to change that.
              Perhaps the solution is for the community of minority OSs to come up with a mini OS whose entire purpose is to provide this missing functionality, and get the key for this special-purpose OS included by vendors... difficult, but perhaps easier than other solutions.


              • #17
                Originally posted by Kano:
                What about the initrd, is it secured by TPM?
                The initrd itself is not a concern; it's just a minimal root filesystem after all. The kernel modules included in it that are not signed will be ignored, and that's it.
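An added example, not written by any poster in this thread: a posture check for the points raised in #14 and #17, reading the standard SecureBoot/SetupMode efivars and the kernel's module.sig_enforce parameter. The filesystem root is a parameter so the same check runs against a constructed sysfs tree; the sample values it builds are constructed, not taken from a real host.

```python
import os
import tempfile

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global-variable namespace

def read_file(path, binary=False):
    """Contents of path, or None when it does not exist (no EFI, no such parameter)."""
    try:
        with open(path, "rb" if binary else "r") as fh:
            return fh.read()
    except OSError:
        return None

def efivar_flag(root, name):
    """First data byte of an efivarfs variable as a bool (payload follows a 4-byte attribute word)."""
    raw = read_file(os.path.join(root, "sys/firmware/efi/efivars",
                                 f"{name}-{EFI_GLOBAL_GUID}"), binary=True)
    return None if raw is None or len(raw) < 5 else raw[4] == 1

def posture(root="/"):
    """Summarise the boot-chain posture: firmware state plus kernel enforcement."""
    sb = efivar_flag(root, "SecureBoot")
    enforce = read_file(os.path.join(root, "sys/module/module/parameters/sig_enforce"))
    enforce = None if enforce is None else enforce.strip() == "Y"
    return {
        "efi_boot": sb is not None,                    # False on a legacy BIOS boot
        "secure_boot": sb,
        "setup_mode": efivar_flag(root, "SetupMode"),  # True: keys can still be enrolled
        "module_sig_enforce": enforce,
        # As the thread notes, an unsigned module is refused only when the kernel
        # enforces module signatures; firmware Secure Boot by itself does not.
        "unsigned_modules_refused": enforce is True,
    }

def build_constructed_tree(root, secure_boot, setup_mode, sig_enforce):
    """Write a constructed sysfs/efivarfs layout (sample data, not a real host)."""
    ev = os.path.join(root, "sys/firmware/efi/efivars")
    mp = os.path.join(root, "sys/module/module/parameters")
    os.makedirs(ev)
    os.makedirs(mp)
    for name, val in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
        with open(os.path.join(ev, f"{name}-{EFI_GLOBAL_GUID}"), "wb") as fh:
            fh.write(b"\x06\x00\x00\x00" + bytes([val]))  # attributes + 1 data byte
    with open(os.path.join(mp, "sig_enforce"), "w") as fh:
        fh.write("Y\n" if sig_enforce else "N\n")

def demo():
    locked = tempfile.mkdtemp()
    build_constructed_tree(locked, secure_boot=1, setup_mode=0, sig_enforce=True)
    return posture(locked), posture(tempfile.mkdtemp())  # second tree: no EFI at all
```

Run `posture()` with no argument to check the host you are on; an empty result set on the EFI side means the machine booted in legacy BIOS mode.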


                • #18
                  Isn't Secure Boot just a way for Microsoft to fight against modified pirate copies of Windows, which can be found around the world, rather than malware? With collateral damage: Linux and other "small" OSes...

                  It would be something similar to the way DRM is due to act against illegal copies of movies, music and so on...



                  • #19
                    So you think the part that asks for the password if you use cryptsetup can not be modified in a way that it could get access to the root filesystem after pw entry and could send the pw over the internet later?


                    • #20
                      And /bin/login on the root partition can be modified as well to send passwords over the internet, but "secure boot" doesn't care about userspace, just the kernel. If they start enforcing signed binaries for userspace as well this goes well beyond "no more nvidia blob", you won't be able to run anything compiled locally on the "secure" OS.

                      P.S. this will probably come as "secure boot 2.0"