Ubuntu Lays Plans For Getting Past UEFI SecureBoot
An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that, they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to set up their own signing infrastructure separate from Microsoft."
Why is this a problem? (Score:5, Informative)
Shouldn't I be able to load my own private key (or that of my distribution of choice) in the UEFI interface and then sign the bootloader I want with it (or use that of said distribution)? Ideally changing the key would only be possible while a jumper on the board is set.
If I trust Ubuntu, then my computer would reject the Windows bootloader and vice versa. Isn't that how it should be?
Re:UEFI SecureBoot is a catastrophy (Score:5, Informative)
Unlike iOS devices, Macs aren't configured (yet) to require a signed bootloader. This is only an optional feature of EFI.
Re:How much of the 'operating system' needs to sig (Score:5, Informative)
This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader. It's something which we haven't really seen much of since the viruses of the DOS days. I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.
Re:UEFI SecureBoot is a catastrophy (Score:5, Informative)
The difference is that you have an iMac that currently does not use the EFI Secureboot features, as I understand it. If you purchase a Windows 8 certified PC, those are the ones that will be requiring the EFI Secure Boot.
I told my friends & family that I have bought my last Windows PC, shortly after I purchased a Macbook a few years ago...turns out that may have been a good choice...
I'm not going to encourage PC manufacturers to bow and kowtow to any one software vendor's wishes. If I buy my hardware from [insert your favorite PC maker here] and I want to install some oddball software on it, say AROS, or ReactOS, then that is what I should be able to do without having to wage war against EFI or any other "security features" that may prevent me from installing software that I want to use.
That's a bit of a rant...but things like this that don't make sense to me are hot-button issues with me...
wrong information, again! (Score:4, Informative)
Seriously... I read the article the FIRST time this UEFI news was posted from http://mjg59.dreamwidth.org/12368.html, when it was regarding Red Hat, and the edit was already made back then. The money does not go to Microsoft! Why are people still saying this?
It is very misleading to write "Similar to Red Hat paying Microsoft to get past UEFI restrictions" when it is really not the truth.
"Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want)"
my bias: I have Linux on all of my systems, no MS OS around here. Please, stop the inaccuracies and write what is true.
Re:UEFI SecureBoot is a catastrophy (Score:5, Informative)
Of course they care. If you don't use their operating system you are much less likely to use the services they have tailored to that system, like iTunes and iCloud and iWhatNot.
No, they really don't - you already bought the hardware. iTunes, iCloud, the app store, the music and movie stores etc exist to sell the hardware.
You can see this by looking at their financial statements (unless you think they're lying on a massive scale, in which case report them to the SEC) - the hardware division, on both the iOS and OS X sides of the equation are where the profit is made.
They'd love you to buy a Mac and run Linux on it - you bought a Mac and gave them 90% of the profit they'd expect to get from you as a customer. The 20-30% margin on a $1-2k purchase is the lion's share of the money they make from you. The $0.30 they make from you every time you buy a song, or the cost they incur by giving you free iCloud access is peanuts in comparison.
Re:How much of the 'operating system' needs to sig (Score:2, Informative)
Nobody is saying secure boot is an inherently bad idea that I see. They're saying they should be able to sign their own stuff and load their keys... I also think it's a bit shady that other vendors are in a position where for practical purposes they have to pay Microsoft to get signed.
"Paying Microsoft" actually goes entirely to Verisign, as RedHat clarified previously. But besides that, they definitely don't have to - as Ubuntu is talking about doing, they can always run their own key server. Or load their key manually. Or disable the feature on x86 systems.
Re:How much of the 'operating system' needs to sig (Score:5, Informative)
This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader.
Whether or not the reasons they gave are bogus, THIS isn't true. There are TONS of rootkits out there that screw with the bootloader, which is why MBRCheck should be a standard part of everyone's rootkit removal kit. If you ever see a machine with a virus, you must assume the bootloader has been tampered with.
Off the top of my head, Sinowal and TDSS come to mind.
...or a bootloader (Score:5, Informative)
It will take generations and countless wars to undo the damage that is currently being done.
Or it will take a signed bootloader that lets you then load whatever you want.
That's what Canonical is paying for:
they get EFILinux signed.
EFILinux in turn can load pretty much any kernel you want.
- Either an official distro provided one.
- Or your own compiled linux kernel
- Or another system's kernel (*BSD, ReactOS, etc.)
- Or even a better/bigger bootloader like GRUB's stage2.
What we need now is the legislative framework so Microsoft can't revoke the bootloader without attracting a shitstorm of antimonopoly antitrust suits.
Re:The rootkit would just infect the kernel (Score:4, Informative)
How/why would the chainloaded [modified] Windows boot manager refuse to run? The way UEFI Secure Boot works is that the UEFI BIOS will verify the signature on an EFI executable prior to passing control to it. The UEFI BIOS largely relinquishes control of the system to the bootloader when it executes it. The bootloader will itself call the next piece of code that runs, not the UEFI BIOS, which is why the bootloader needs to do its own signature verification on the OS (or second stage bootloader) to maintain the trust chain. But, the bootloader absolutely could pass control to something without verifying its signature. And, if that's a maliciously modified Windows bootloader, that second bootloader could be designed to execute a maliciously modified Windows kernel without verifying its signature first.
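The three threads above ("Why is this a problem?", "...or a bootloader" and "The rootkit would just infect the kernel") all hinge on the same mechanics: the firmware checks the signature of the first image against the keys enrolled in `db` (and the hash blacklist `dbx`), and from then on each stage is responsible for checking the next one, so a loader such as efilinux that chains to anything either breaks the chain or refuses unsigned kernels, and a revocation lands in `dbx`. The model below is an added example, not code from the page, from Canonical or from any firmware. It replaces Authenticode over PE images and X.509 certificates with a textbook RSA signature over SHA-256 (constructed keys, far too small for real use) so it runs with the standard library alone; the image names, key pairs and scenario labels are all made up here.

```python
"""Toy model of the UEFI Secure Boot trust chain (added example, not real firmware)."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two (constructed) primes; returns (pub, priv)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data) % n, d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data) % n


@dataclass
class Image:
    name: str
    code: bytes
    signature: int = 0           # 0 = unsigned
    verifies_next: bool = True   # does this stage check what it chains to?
    next: Optional["Image"] = None


@dataclass
class Firmware:
    db: list    # trusted public keys (OEM-shipped or owner-enrolled)
    dbx: list   # forbidden image digests (revocation list)

    def trusted(self, img: Image) -> bool:
        if digest(img.code) in self.dbx:
            return False
        return any(verify(k, img.code, img.signature) for k in self.db)


def boot(fw: Firmware, first: Image):
    """Simulate the boot path; returns (stages_run, status).

    The firmware checks only the image it launches. Every later hand-off is
    the previous stage's job; a stage that skips the check still passes
    control, so execution continues but status becomes "chain-broken".
    """
    if not fw.trusted(first):
        return [], f"refused:{first.name}"
    ran, status, stage = [first.name], "ok", first
    while stage.next is not None:
        nxt = stage.next
        if stage.verifies_next:
            if not fw.trusted(nxt):
                return ran, f"refused:{nxt.name}"
        else:
            status = "chain-broken"
        ran.append(nxt.name)
        stage = nxt
    return ran, status


# Constructed keys: one for "the distro", one for "the other vendor".
DISTRO_PUB, DISTRO_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**107 - 1, 2**61 - 1)


def signed(name, code, priv, verifies_next=True, next=None) -> Image:
    return Image(name, code, sign(priv, code), verifies_next, next)


def scenarios():
    """The cases argued in the thread, as name -> (stages_run, status)."""
    owner_fw = Firmware(db=[DISTRO_PUB], dbx=[])  # owner enrolled only the distro key
    vmlinuz = signed("vmlinuz", b"distro kernel", DISTRO_PRIV)
    custom = Image("custom-kernel", b"self-built kernel")  # unsigned
    bootmgr = signed("bootmgfw", b"other vendor loader", VENDOR_PRIV)
    strict = signed("efilinux", b"loader v1", DISTRO_PRIV, True, vmlinuz)
    strict_custom = signed("efilinux", b"loader v1", DISTRO_PRIV, True, custom)
    permissive = signed("efilinux", b"loader v1", DISTRO_PRIV, False, bootmgr)
    revoking_fw = Firmware(db=[DISTRO_PUB], dbx=[digest(b"loader v1")])
    return {
        "other vendor's loader, owner key only": boot(owner_fw, bootmgr),
        "verifying loader -> distro kernel": boot(owner_fw, strict),
        "verifying loader -> unsigned kernel": boot(owner_fw, strict_custom),
        "permissive loader -> other loader": boot(owner_fw, permissive),
        "loader hash revoked in dbx": boot(revoking_fw, strict),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:40s} {result}")
```

Two things the simulation makes visible that the prose argues about: with only the owner's key in `db` the other vendor's loader never runs at all, while a permissive loader that is itself validly signed will happily hand control to that same image, and the firmware has no say in it; and revocation works on the loader's hash in `dbx`, so a single entry stops every kernel the revoked loader could have chained to.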