UEFI Secure Boot and Linux: Where Things Stand 521
itwbennett writes "Assuming that Microsoft doesn't choose to implement Secure Boot in the ways that the Linux Foundation says would work with Linux, there 'will be no easy way to run Linux on Windows 8 PCs,' writes Steven Vaughan-Nichols. Instead, we're faced with three different, highly imperfect approaches: Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu. Approach #2: work with Microsoft's key signing service to create a Windows 8 system compatible UEFI secure boot key, like Red Hat is doing with Fedora."
itwbennet finishes with: "Approach #3: Use open hardware with open source software, an approach favored by ZaReason CEO Cathy Malmrose." When you can't even use a GPLv3 licensed bootloader to boot your system, you might have a problem. Why is everyone so quick to accept the corpse of TCPA in new clothes?
Approach #4 (Score:4, Informative)
Disable secure boot.
From http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256:
"Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems."
They made disabling secure boot required for the Windows logo on x86 (while probably worried about the threat of an antitrust investigation).
Re:approach #4 (Score:5, Informative)
if ntldr is modified, it won't pass the hash check and the UEFI loader won't execute it.
Re:yes and no (Score:4, Informative)
Mobile devices are where a majority of computing dollars are going (in the consumer world).
I think it may be where it's going soon in the corporate world too, especially with BYOD. If so, Ubuntu may be on to something with their Ububtu for Android kit.
It lets you run your phone/tablet as a portable device, then as a full desktop OS once it's docked with a monitor, mouse and other external peripherals. In the video, they're even showing it running Citrix for some legacy applications.
http://www.ubuntu.com/devices/android [ubuntu.com]
http://en.wikipedia.org/wiki/Ubuntu_for_Android [wikipedia.org]
http://www.youtube.com/watch?v=wzc0uMXGFBY [youtube.com]
Re:Secure Boot won't catch on (Score:5, Informative)
In the past, I would have agreed with you, but hardware DRM is getting pretty good:
PS3s took almost five years to get cracked, and new PS3s are immune to any holes in them that were used by GeoHot to bust the thing open in the first place.
Satellite TV has not seen any cracks since the patch several years back which completely fried any "master key" cards.
The iPhone 4s is barely jailbroken with only userland available. This is with the best minds in the world working on cracking the thing.
Most Android phones still have locked bootloaders, which nobody has yet been able to get. Newer Android phones actually have a daemon that looks for root process signatures then "bricks" the phone if found until the firmware is reflashed... and with some devices, the reflash is not available to the public.
So, even though hardware might be in the user's physical control, it nowhere near belongs to the user.
It's freedom, not price that matters. (Score:4, Informative)
If you purchase something purely based on price you are one stupid user. Freedom matters and just because the majority don't understand the issue doesn't mean it doesn't mean the lack of freedom isn't harming them.
The lack of freedom causes so many problems. It prevents competition, it prevents compatibility, it prevents upgradability, it makes common applications obsensely and abusively exspensive.
Now I'm not saying you shouldn't pay the developers. You should contribute. For most people payment is how one contributes. While selling free software may not work terribly well for developers due to the lack of understanding of what free software is and is not contributory models work fairly well if done right. So do agrements between companies supporting free software like ThinkPenguin and Trisquel. Or Google and distributions/web applications. There are other agrements as well. Such as CDs and merchandise. All of these have value and can and do fund free software development.
Re:Approach no. 4 - Do nothing (Score:5, Informative)
Re:He's right you know... (Score:5, Informative)
Ever install Vista or Win7?
Yes. I bought this laptop I'm using a couple of months ago. It dual-boots Win7 and openSUSE 12.1, both of which I installed myself.
Boot the disk, answer a couple of questions, the installer does the rest...
First question: Does it have all your device drivers?
essentially imaging the system to a clean install for a computer that doesn't have Windows installed.
With none of those applications you go on about.
Linux in orders of magnitude more difficult to install...
With apologies to any equines who may be in the audience, that's complete and utter horseshit. To quote your own fine self, installing a modern Linux distro is a case of "Boot the disk, answer a couple of questions, the installer does the rest".
...not to mention all the 0.x unfinished apps for supposed Windows app substitutes.
What Windows apps? You mean the apps *for* Windows that don't actually *come* with Windows that you have to find (and possibly *buy*) and install separately? As opposed to the hundreds (thousands?) of perfectly usable apps available in any halfway respectable Linux distro that you can load as part of the OS installation?
BTW, the installation of Windows 7 Pro and about a dozen applications which had to be obtained and installed separately (following the OS installation) took almost exactly *twice* as long as as the openSUSE installation, which provided *everything* I need for both personal and work use with just 2 exceptions--Skype, and a proprietary app we use at work.
Oh, and let's not forget cost: the Windows 7 Pro OEM DVD (English) ran me about 1350 SEK (call it US$200); the blank CD on which I burned the Linux network installer was about a dollar and a half (~10 SEK).
TL;DR: Windows took twice as much time to install, cost me 200 times as much money, and provided about 10% of the software.
So... You are badly misinformed, deluded, or just plain lying. I'd say it's a bit of all 3.
What is it with you guys, anyway, that you find Linux so threatening that you have to resort to spewing garbage like this about it?
Re:Security will not catch on (Score:4, Informative)
Nice try, but the breaching of the kernel.org website had no bearing on the integrity of the kernel sources [linuxfoundation.org].
Re:Secure Boot won't catch on (Score:3, Informative)
This is _not_ DRM, its a security implementation to prevent malware from writing to the boot processes and preempting any possible Operating System security. It does seem a bit like we're trying to right the leaning tower of pizza with a bomb on the low side to see if it will right itself again!
I'm sorry to be so obvious but this needs to be kept far away from the association of DRM.
Here is a rather awesome talk about UEFI and RedHat's work on it. Basically his experience was its very buggy and there are already implementations of it out there that they aren't even going to try to patch. At some point this just seems like a way for some company to add in just one more bit of junkware/middleware that everyone has to rely on and no one has any approving control over.
http://www.youtube.com/watch?v=V2aq5M3Q76U [youtube.com]
Part of the spec says that it must have a disable option, the problem creeps up with inexperienced users who may have tried Linux/Unix or whatever that would usually be available seriously reducing the spread of *nix.
Re:Approach no. 4 - Do nothing (Score:4, Informative)
Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.
This isn't even slightly true. Already every corporate re-images every desktop they get because they all come with Windows 7 and their 12 year old Line of Business apps are all certified for Windows XP only. I know for each of our 15000 or so desktops, every one of them gets attached to the network and the first thing that happens is a tech hits F12 and whacks in the provisioning admin credentials to kick off the otherwise completely zero-touch imaging process. I don't know where you get the idea that it's extra time or that configuration is necessary. Deploying Windows over the network can be done with zero intervention.
Re:Security will not catch on (Score:5, Informative)
That type of rootkit was common years ago and still is. Typically they target one of the low level OS components such as the SATA driver, which is loaded before any security stuff and has full access to the entire memory space.
At first anti-virus software couldn't even detect it because the rooted OS was prevented from seeing the file in directory listings or accessing it directly. Eventually they figured out how to get around that, but still couldn't remove the file. Then they figured out how to remove the file when booted into a different OS (i.e. take the HDD out and put it in another machine) but of course that deleted the SATA driver so a XP refresh install was required. That was where I left it when I stopped working in that business.
Re:Approach no. 4 File complaint to D.O.J. (Score:5, Informative)
First off Apple's share of the desktop market in the USA is 8-12% which is about where it was when Microsoft was considered a monopoly. Microsoft's defense at this point might be the existence of a tablet market where they have no presence. But even if one does include tablets Windows still far outsells iOS and OSX combined. Apple targets profitable customers not marketshare.
As for Apple restricting boot. No they don't. In fact they produce and support a multi-platform bootloader for their computers: http://www.apple.com/support/bootcamp/ [apple.com]
They also work with parallels and VMware to help people load virtual images of windows.
Apple doesn't mind in the slightest if you buy their hardware and then run someone else's OS on it.
On their iOS devices, iTunes allows you to put any BIOS image in you want.
Re:Approach no. 4 File complaint to D.O.J. (Score:5, Informative)
First off, learn manners.
Now for lurkers:
start iTunes on your Mac and hold home- and on/off-button on the iphone. connect mac and iphone and keep holding the buttons on the iphone.
the iphone boots in restore-mode, itunes opens up the restore dialog. release the two buttos on the iphone.
hold option-key on the mac and then press "restore" in iTunes. Dialog pops up asking for the firmware to use then point to the new file and you are set.
_________
And of course Apple lets you install apps on iOS without their approval. They don't let you distribute them widely without their approval. But you can install anything you want using iTunes.