UEFI Secure Boot Still A Big Problem For Linux

  • phoronix
    started a topic UEFI Secure Boot Still A Big Problem For Linux

    UEFI Secure Boot Still A Big Problem For Linux

    Phoronix: UEFI Secure Boot Still A Big Problem For Linux

    Matthew Garrett has provided some insight regarding some of the problems still outstanding for Linux to handle UEFI Secure Boot...

    http://www.phoronix.com/vr.php?view=MTA0NDQ

  • tux9656
    replied
    I think secure boot will just create security problems

    Secure boot seems like something that will just frustrate users and may make computers less secure. Quite often computer users will throw security to the wind if it makes their computer work the way they want it to work. For example, I've known people that after purchasing a game that uses the DRM of Games for Windows Live, get so frustrated with the DRM that they choose to download and use a cracked copy which may or may not contain a virus. It seems more often than not that a computer user will choose ease of use over security. Arguably, this is even one of the reasons that many computer users choose to use Windows over Ubuntu, even after being made fully aware of there being a choice in operating systems. What does this mean for secure boot? I think this will just cause computer users to choose to download and use bootleg firmware and hacked OS kernels. Some users may even try to download firmware for older hardware that uses UEFI without secure boot simply because some random person on the internet said it would work. I suppose this wouldn't happen very often as long as Windows would continue to boot without issue. However, all it would take is some minor slip up with Microsoft pushing out a boot loader or kernel update, releasing it without it being properly signed. Not only would frustrated users now be downloading bootleg firmware and hacked kernels like there is no tomorrow, but Microsoft will have crashed more computers than any virus ever could. Also, imagine the horror of a screen that pops up that says "To install Windows 8 Service Pack 1, you must first update your computer's firmware."


  • droste
    replied
    Originally posted by droidhacker View Post
    I don't know what the German law is regarding this, but in North America, it is ILLEGAL for a hardware vendor to blanket void warranties for something like opening the box. The hardware vendor is required to show that the user actually CAUSED the problem for which it is being serviced.
    It's the same in Germany and the rest of the EU: Removing a "warranty" sticker of your computer voids nothing.


  • Ex-Cyber
    replied
    Originally posted by droidhacker View Post
    As I recall, it was "MAY". Not "MUST".
    Unless you have a reference.....?
    Here it is, from the Windows 8 System Requirements, page 116:

    21. MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement
    the ability to disable Secure Boot via firmware setup. A physically present user must be
    allowed to disable Secure Boot via firmware setup without possession of PKpriv.
    Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot
    Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.


  • droidhacker
    replied
    Originally posted by Eragon View Post
    I can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by Microsoft specify that every Windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? Of course, you would have to turn off this security feature to be able to run Linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.
    As I recall, it was "MAY". Not "MUST".
    Unless you have a reference.....?


  • droidhacker
    replied
    Originally posted by mjg59 View Post
    If your kernel loads unsigned kernel modules then it also permits you to backdoor Windows, which means that Microsoft would blacklist it.
    I don't see how it matters if MS blacklists anything.... it's the BIOS that you have to worry about.


  • droidhacker
    replied
    Originally posted by Qaridarium View Post
    And in the end some people do not understand why they should open the chassis and lose warranty just because Linux is too bad to run out of the box.
    I don't know what the German law is regarding this, but in North America, it is ILLEGAL for a hardware vendor to blanket void warranties for something like opening the box. The hardware vendor is required to show that the user actually CAUSED the problem for which it is being serviced.


  • Ex-Cyber
    replied
    Originally posted by Eragon View Post
    I can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by Microsoft specify that every Windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? Of course, you would have to turn off this security feature to be able to run Linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.
    It's not unavoidable at all. Even in the worst case, a user/admin should have the option of signing his own bootloader/kernel/initrd.


  • Eragon
    replied
    Don't see the problem

    I can see the problem for ARM based devices. But for anything x86 / x86-64 ... didn't the recently published documents by Microsoft specify that every Windows 8 computer MUST have an option to disable secure boot? So then, what's the problem? Of course, you would have to turn off this security feature to be able to run Linux, but that is unavoidable I think given the way the development model works with everyone building his/her own distro, kernel, etc.


  • DeepDayze
    replied
    Originally posted by kobblestown View Post
    From article: "Signed Linux kernels must refuse to load any unsigned kernel modules."

    Why? Secure Boot requires a signed kernel (or isn't it, rather, a signed boot loader?) but the kernel can do anything after boot. Yes, it defies the idea that you should only run trusted code but that can be a boot option or, as someone wrote above, the out of tree projects can provide signed modules.

    After kernel loads there should be *nothing* done to modify any of the *trusted* components otherwise the chain of trust is broken...that's where Secure Boot will bite. The trusted components need to be walled off
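
The chain-of-trust points argued in this thread (firmware Secure Boot state, and whether the kernel refuses unsigned modules) can be checked on a running system. The following is an added example, not code from any poster or from the article; it assumes a current Linux kernel that exposes efivarfs and the `sig_enforce` module parameter, and the function names and sample payloads are constructed for illustration.

```python
import struct
from pathlib import Path

# EFI global variable GUID, as used in efivarfs file names.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")

def read_or_none(path):
    """Return file bytes, or None when the file is absent or unreadable."""
    try:
        return Path(path).read_bytes()
    except OSError:
        return None

def efi_flag(raw):
    """efivarfs payload: 4-byte little-endian attributes, then data (one byte here)."""
    if raw is None or len(raw) < 5:
        return None
    _attrs, value = struct.unpack_from("<IB", raw)
    return value == 1

def assess(secure_boot_raw, setup_mode_raw, sig_enforce_raw):
    """Return a list of gaps in the boot chain of trust; empty means none found."""
    gaps = []
    secure_boot = efi_flag(secure_boot_raw)
    if secure_boot is None:
        gaps.append("SecureBoot variable missing: not a UEFI Secure Boot system")
    elif not secure_boot:
        gaps.append("Secure Boot is disabled in firmware")
    if efi_flag(setup_mode_raw):
        gaps.append("firmware is in Setup Mode: no Platform Key is enrolled")
    if sig_enforce_raw is None or sig_enforce_raw.strip() != b"Y":
        gaps.append("module signature enforcement not confirmed (sig_enforce is not Y)")
    return gaps

def assess_host():
    """Run the same checks against the live system's files."""
    return assess(
        read_or_none(EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}"),
        read_or_none(EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}"),
        read_or_none(SIG_ENFORCE),
    )

# Constructed sample payloads (attributes 0x06 = boot-service + runtime access).
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print(assess(SAMPLE_ON, SAMPLE_OFF, b"N\n"))  # constructed input
    print(assess_host())                          # live system
```

A kernel that enforces module signatures through lockdown mode can still report `N` in `sig_enforce`, so check `/sys/kernel/security/lockdown` as well before treating that finding as a real gap.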
