Ubuntu Lays Plans For Getting Past UEFI SecureBoot 393
An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to setup their own signing infrastructure separate from Microsoft."
UEFI SecureBoot is a catastrophy (Score:5, Insightful)
Along with draconian DRM and anti privacy laws, UEFI SecureBoot is crippling the computer as a tool.
It will take generations and countless wars to undo the damage that is currently being done.
Next -- compilers (Score:5, Insightful)
The next step should be requiring a background check in order to have access to a compiler. Compilers are a subversive tool that is essential to creating malware, the cyberspace equivalent of a chemistry lab. Just as having an unauthorized chemistry lab should automatically make one suspect for creating drugs, explosives or chemical weapons, posession of an unauthorized compiler and of a machine that does not have a secure boot should make one suspect of cyberterrorism.
Of course, this is impossible right now, just as fifty years ago nobody would have taken such a dire view on chemistry. However, the next generation of people raised in fear of pedophiles and terrorists will work hard to make this a reality. And the generation after that will be the blessing of knowing that things have always been like this, since all authorized books will be in electronic format, periodically updated with the best and most recent knowledge about the past.
Re:UEFI SecureBoot is a catastrophy (Score:5, Insightful)
Because Apple doesn't care if you load Linux - they're a hardware company (well, user experience company, but anyways). You've already bought their hardware and software. But Microsoft, which has the x86/x64 non-Mac world by its balls, is a software company, so they will do things that strategically make non-Windows software harder. So a similarly-capable Acer, as an example, is going to be more locked down than your Mac.
Hence, I'm slowly finding myself thinking of buying Mac hardware again, even given the higher-than-I-need quality (and price).
lol pc users gotta jailbreak their desktops (Score:0, Insightful)
enjoy your microsoft tax, fags.
So... (Score:3, Insightful)
Re:Why not ignore UEFI? (Score:5, Insightful)
Re:How much of the 'operating system' needs to sig (Score:5, Insightful)
Re:How much of the 'operating system' needs to sig (Score:5, Insightful)
That's what I like about it. They're not even paying lip service to that bullshit official purpose. Red Hat made it sound like they have drank some of the Koolaide, with all their worrying about how the person who owns the computer might abuse an unsigned module to take control of their computer.
Once you're running your bootloader, then the issue is over. There is no need to further check for any other signatures or try to guarantee that the owner can't run their own code. You have satisfied the requirement and thereby gotten the computer to work.
crazy stuff (Score:4, Insightful)
How can it happen that one company (however large) can seemingly make most of the manufacturers to comply with their crazy ideas? The option to easily disable uefi secureboot _should_ be there on every and each motherboard (desktop, server or laptop). It should not be the manufacturer (and indirectly Microsoft) who decides what kernel and drivers (regardless f the operating system) a user or developer uses. How would anyone make custom kernels and/or modules (Linux) and/or drivers (e.g. Windows) if signing everything through a 3rd party signing service would be required every time? This is crazy.
Second, I don't like where Fedora/RH and Ubuntu are going with this. Aligning with MS on this issue is definitely not the right way to go and most people start to see this. Yet, nobody seems to want to find a way out, most seem to even have stopped protesting, or asking for mandatory secureboot disable options. There are not only 2 distros out there, there are a lot more of them, and most of them will not go along with MS-signing kernels and drivers. Also, if Ubuntu goes for a secureboot lockdown scheme, they might be good from the enterprise side, moving away from the average users, and that just might be what they want to do.
Some still say this whole thing is a non-issue and too much fuss about nothing, but if it were so, then please, for crying out loud, why is there so much smoke around about the planned existance or non-existance of a secureboot disable option? If manufacturers would just say disabling will be there always, this whole issue would just go away.
The biggest problem still is that most average users can't see the point in all this, simply don't care, thus unwillingly participating in making it worse for those, who do.
Re:How much of the 'operating system' needs to sig (Score:5, Insightful)
The point isn't to protect against bootloader infections, per se. The problem is that if you use a protection mechanism based on one layer being signed (say, signed application code), then it's made irrelevant by attacking one layer lower. So you need to sign from the bottom-most layer all the way up. That means either a signed BIOS or one that can't be changed in software, a signed bootloader, a signed kernel, signed drivers, and signed application code. The purpose of the signed bootloader isn't to protect against bootloader malware that exists now, but to protect against the bootloader malware that would appear if you started relying on a signed kernel.
I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.
So turn off UEFI Secure Boot.
Re:How much of the 'operating system' needs to sig (Score:4, Insightful)
I meant for Microsoft to add that capability to its OWN OS. Obviously it could not enforce such a restriction in Linux; I would think there, if there were a need for such protection, someone could write a kernel module that did the same thing and was an optional component for hardened installations.
What Im saying is that rather than doing this at an EFI level and crippling all OSes, each OS maker should be responsible themselves for making sure that the MBR is untampered with.
Re:Chain loading from "secure" boot to libre boot (Score:5, Insightful)
And also Windows malware that does exactly the same thing. At which point the Canonical key will be revoked, and all Linux distributions that relied on it will cease to function.
Re:How much of the 'operating system' needs to sig (Score:5, Insightful)
And how long before Microsoft and/or the OEMs start saying you can't do that?
Not very. And I don't have much hope given the hordes of people on the last article that honestly believed that Microsoft was being altruistic in this and that anyone questioning their motives was a conspiracy theorist/had a low IQ.
Re:How much of the 'operating system' needs to sig (Score:4, Insightful)
Here's a link for an Office license for $0: http://www.libreoffice.org/ [libreoffice.org]
Comment removed (Score:2, Insightful)