
Ubuntu Lays Plans For Getting Past UEFI SecureBoot

Posted by timothy
from the first-you-fake-an-injury dept.
An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to set up their own signing infrastructure separate from Microsoft."

  • by Anonymous Coward on Friday June 22, 2012 @08:56AM (#40410163)

    Shouldn't I be able to load my own private key (or that of my distribution of choice) in the UEFI interface and then sign the bootloader I want with it (or use that of said distribution)? Ideally changing the key would only be possible while a jumper on the board is set.

    If I trust Ubuntu, then my computer would reject the Windows bootloader and vice versa. Isn't that how it should be?

  • by SuricouRaven (1897204) on Friday June 22, 2012 @08:58AM (#40410177)
    It is the bootloader that needs signing. The problem is that any bootloader capable of loading more than one (signed) kernel would defeat the purpose of secureboot. I mean the official purpose, protection against rootkits, not the actual purpose.
  • by am 2k (217885) on Friday June 22, 2012 @09:02AM (#40410225) Homepage

    Unlike iOS devices, Macs aren't configured (yet) to require a signed bootloader. This is only an optional feature of EFI.

  • by thegarbz (1787294) on Friday June 22, 2012 @09:03AM (#40410247)

    This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader. It's something which we haven't really seen much of since the viruses of the DOS days. I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.

  • by Anonymous Coward on Friday June 22, 2012 @09:04AM (#40410261)

    The difference is that you have an iMac that currently does not use the EFI Secureboot features, as I understand it. If you purchase a Windows 8 certified PC, those are the ones that will be requiring the EFI Secure Boot.

    I told my friends & family that I have bought my last Windows PC, shortly after I purchased a Macbook a few years ago...turns out that may have been a good choice...

    I'm not going to encourage PC manufacturers to bow and kowtow to any one software vendor's wishes. If I buy my hardware from [insert your favorite PC maker here] and I want to install some oddball software on it, say AROS, or ReactOS, then that is what I should be able to do without having to wage war against EFI or any other "security features" that may prevent me from installing software that I want to use.

    That's a bit of a rant...but things like this that don't make sense to me are hot-button issues with me...

  • by Anonymous Coward on Friday June 22, 2012 @09:19AM (#40410403)

    Seriously... I read the article the FIRST time this UEFI news was posted from http://mjg59.dreamwidth.org/12368.html, when it was regarding Red Hat, and the edit was already made back then. The money does not go to Microsoft! Why are people still saying this?
    It is very misleading to write "Similar to Red Hat paying Microsoft to get past UEFI restrictions" when it is really not the truth.

    "Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want)"

    my bias: I have Linux on all of my systems, no MS OS around here. Please, stop the inaccuracies and write what is true.

  • by jo_ham (604554) <joham999 AT gmail DOT com> on Friday June 22, 2012 @09:42AM (#40410629)

    Of course they care. If you don't use their operating system you are much less likely to use the services they have tailored to that system, like iTunes and iCloud and iWhatNot.

    No, they really don't - you already bought the hardware. iTunes, iCloud, the app store, the music and movie stores etc exist to sell the hardware.

    You can see this by looking at their financial statements (unless you think they're lying on a massive scale, in which case report them to the SEC) - the hardware division, on both the iOS and OS X sides of the equation, is where the profit is made.

    They'd love you to buy a Mac and run Linux on it - you bought a Mac and gave them 90% of the profit they'd expect to get from you as a customer. The 20-30% margin on a $1-2k purchase is the lion's share of the money they make from you. The $0.30 they make from you every time you buy a song, or the cost they incur by giving you free iCloud access is peanuts in comparison.

  • by Anonymous Coward on Friday June 22, 2012 @09:47AM (#40410697)

    Nobody is saying secure boot is an inherently bad idea that I see. They're saying they should be able to sign their own stuff and load their keys... I also think it's a bit shady that other vendors are in a position where for practical purposes they have to pay Microsoft to get signed.

    "Paying Microsoft" actually goes entirely to Verisign, as RedHat clarified previously. But besides that, they definitely don't have to - as Ubuntu is talking about doing, they can always run their own key server. Or load their key manually. Or disable the feature on x86 systems.

  • by LordLimecat (1103839) on Friday June 22, 2012 @10:08AM (#40410987)

    This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader.

    Whether or not the reasons they gave are bogus, THIS isn't true. There are TONS of rootkits out there that screw with the bootloader, which is why MBRCheck should be a standard part of everyone's rootkit removal kit. If you ever see a machine with a virus, you must assume the bootloader has been tampered with.

    Off the top of my head, Sinowal and TDSS come to mind.

  • by SuricouRaven (1897204) on Friday June 22, 2012 @11:09AM (#40411805)
    The MBR lock actually only works for OSs that go through the BIOS calls. That means DOS and... well, that means DOS. The MBR-infecting viruses dated from the DOS days and spread via infected floppy. Leave one in your drive when you turn on the computer and it'd write to your MBR, and then to any floppy inserted.
  • by Lord_Jeremy (1612839) on Friday June 22, 2012 @12:02PM (#40412575)
    Jesus christ if they dropped a family pack version to $100 I'd buy it in a heartbeat! I've got three personal machines running Windows and I haven't bought a single license because Home Premium is $200. Never mind that I occasionally use something like XP Mode so having Ultimate was helpful. Actually right now a new Win7 HP license on Newegg is $100, presumably due to a price drop in the wake of Win8. On the other hand, Win7 HP upgrade (from Vista or XP) is still $120.
  • ...or a bootloader (Score:5, Informative)

    by DrYak (748999) on Friday June 22, 2012 @12:04PM (#40412605) Homepage

    It will take generations and countless wars to undo the damage that is currently being done.

    Or it will take a signed bootloader that lets you then load whatever you want.

    That's what Canonical is paying for:
    they get EFILinux signed.

    EFILinux in turn can load pretty much any kernel you want.
    - Either an official distro provided one.
    - Or your own compiled linux kernel
    - Or another system's kernel (*BSD, ReactOS, etc.)
    - Or even a better/bigger bootloader like GRUB's stage2.

    What we need now is the legislative framework so Microsoft can't revoke the bootloader without attracting a shitstorm of antimonopoly antitrust suits.

  • by letsief (1053922) on Friday June 22, 2012 @05:01PM (#40416565)

    How/why would the chainloaded [modified] Windows boot manager refuse to run? The way UEFI Secure Boot works is that the UEFI BIOS will verify the signature on an EFI executable prior to passing control to it. The UEFI BIOS largely relinquishes control of the system to the bootloader when it executes it. The bootloader will itself call the next piece of code that runs, not the UEFI BIOS, which is why the bootloader needs to do its own signature verification on the OS (or second stage bootloader) to maintain the trust chain. But, the bootloader absolutely could pass control to something without verifying its signature. And, if that's a maliciously modified Windows bootloader, that second bootloader could be designed to execute a maliciously modified Windows kernel without verifying its signature first.
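
The hand-off described in the comment above, modelled as an added example that is not part of the original thread: the firmware checks only the first stage, and every later check exists only if the stage before it performs one. As a simplifying assumption, a SHA-256 allow-list (`DB`) stands in for signature verification, and the stage names and image bytes are constructed.

```python
import hashlib
from dataclasses import dataclass

def sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

@dataclass
class Stage:
    name: str
    image: bytes          # bytes actually on disk at boot time
    verifies_next: bool   # does this stage's code check its successor?

def boot(chain, db):
    """Hand control down the chain and return [(name, status)].

    'verified'   checked by an already-trusted predecessor
    'unverified' executed without a check that can be relied on
    'refused'    the predecessor checked it and halted the boot
    """
    report = []
    checker_trusted = True   # the firmware is the root of trust
    checks = True            # the firmware always checks the first stage
    for stage in chain:
        if checks and sha256(stage.image) not in db:
            report.append((stage.name, "refused"))
            return report
        status = "verified" if checks and checker_trusted else "unverified"
        report.append((stage.name, status))
        checker_trusted = status == "verified"
        checks = stage.verifies_next
    return report

# Constructed sample images; DB is the allow-list of known-good hashes.
GOOD = {"loader": b"first-stage loader v1",
        "bootmgr": b"boot manager v1",
        "kernel": b"kernel v1"}
DB = {sha256(image) for image in GOOD.values()}

def scenario(loader_verifies: bool):
    """Good loader followed by a modified boot manager and kernel."""
    return boot([
        Stage("loader", GOOD["loader"], loader_verifies),
        Stage("bootmgr", b"boot manager v1 (modified)", False),
        Stage("kernel", b"kernel v1 (modified)", False),
    ], DB)

if __name__ == "__main__":
    print("loader verifies next stage:", scenario(True))
    print("loader skips verification: ", scenario(False))
```

With a verifying loader the boot halts at the modified boot manager; with a loader that skips the check, every later stage runs unverified even though the loader itself passed the firmware's check.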
