
UEFI Secure Boot and Linux: Where Things Stand

Posted by Unknown Lamer
from the don't-boot-that-gnu dept.
itwbennett writes "Assuming that Microsoft doesn't choose to implement Secure Boot in the ways that the Linux Foundation says would work with Linux, there 'will be no easy way to run Linux on Windows 8 PCs,' writes Steven Vaughan-Nichols. Instead, we're faced with three different, highly imperfect approaches: Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu. Approach #2: work with Microsoft's key signing service to create a Windows 8 system compatible UEFI secure boot key, like Red Hat is doing with Fedora." itwbennett finishes with: "Approach #3: Use open hardware with open source software, an approach favored by ZaReason CEO Cathy Malmrose." When you can't even use a GPLv3 licensed bootloader to boot your system, you might have a problem. Why is everyone so quick to accept the corpse of TCPA in new clothes?
This discussion has been archived. No new comments can be posted.

  • Re:yes and no (Score:5, Interesting)

    by FudRucker (866063) on Friday August 03, 2012 @09:17PM (#40875055)
    i prefer option 3 too, but...
    microsoft won't go out of business but they could very easily marginalize themselves to the point that they are no longer the 800 pound gorilla of the desktop PC market, and more than likely Apple and Linux will grab more userbase, i prefer old school distros like debian & slackware so apple won't be getting any of my money
  • by Anonymous Coward on Friday August 03, 2012 @09:18PM (#40875059)

    It seems like the obvious way to block this type of stuff is to pass legislation requiring government agencies to only purchase PCs that are free from such encumbrances. The state and taxpayers benefit from keeping their OS options open on new computer hardware and more importantly they represent a large enough percent of total sales to actually get a proper response from manufacturers.

  • Another Approach (Score:5, Interesting)

    by am 2k (217885) on Friday August 03, 2012 @09:22PM (#40875075) Homepage

    (Too many #4 here already, so I'll skip the numbering)

    What about clustering all Linux enthusiasts' computers together and cracking Microsoft's signing key, SETI-style? I'm not sure about the mathematics there (taking longer than the galaxy will exist, etc.), but maybe it's possible. Or maybe somebody made a mistake and the key is much weaker than it is thought at the moment (see PS3).

  • by theRunicBard (2662581) on Friday August 03, 2012 @09:26PM (#40875095)
    They don't try to make better products, they just try to kill the competition. I see ads for their crap with cool songs, a lizard, and neat apps everywhere but the actual thing doesn't work. Even they can't work it right, as shown by several demos they have done. They seem to recognize it but instead of dealing with it, they just try to eliminate everyone else. Linux has a MUCH better programming environment than anything Microsoft can offer. Even its overall usability (I use Ubuntu) is more intuitive. So Microsoft tries this shit. It's not secure and it's not user-friendly. It's just meant to make Linux harder to install. And I can't support a company that takes this approach. Fuck them. It's a good thing their company is dying. Hopefully more OEMs see this and start offering Linux PC's, but I kind of doubt it.
  • Re:Another Approach (Score:4, Interesting)

    by DaveAtFraud (460127) on Friday August 03, 2012 @09:30PM (#40875121) Homepage Journal

    What makes anyone think that UEFI will be any more secure than anything else Microsoft releases? Actually cracking the key may take longer than the universe has been in existence but I'm betting dear Microsoft won't do any better at engineering this than anything else. There is probably an easily exploitable hole that doesn't require actually cracking the key.

    Cheers,
    Dave

  • Flash the BIOS (Score:5, Interesting)

    by bky1701 (979071) on Friday August 03, 2012 @09:36PM (#40875135) Homepage
    We already have hacked BIOSes for far more irrelevant reasons than this. I expect it to become a common thing to just wipe secure boot from the system entirely if this is a problem.
  • by afidel (530433) on Friday August 03, 2012 @09:36PM (#40875137)

    WHAT?!? Secure Boot will do nothing to impede enterprise Windows users. You'll either use Windows8/2012 and have a signed boot loader or use 2008R2/7 and disable secure boot. Btw it would also do nothing to impede enterprise Linux users either, they'd either use a commercial signed distribution or build their own and have the build process install their keys into the TPM chip (trust me, enterprises already deal with crypto from internal PKI to external SSL to drive encryption).

  • Re:Another Approach (Score:4, Interesting)

    by ozmanjusri (601766) <aussie_bob@hotmail.cOPENBSDom minus bsd> on Friday August 03, 2012 @09:50PM (#40875209) Journal

    UEFI and Secure Boot aren't the same thing.

  • by Anonymous Coward on Friday August 03, 2012 @10:03PM (#40875267)

    System admins need to wipe off the OEM stuff and install their Enterprise License stuff on new kit.

    Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.

    If they can't do it, they will simply ignore Windows 8 and wait for the next version

    Half right... because this, basically, is wise. The other half is they will harden what they have. Microsoft early adopters and fanbois notwithstanding, Microsoft has done nothing to increase the productivity of the office worker since XP/Server 2003/Office 2003. The pitfalls of XP are well known and huge incident databases have been built: nothing can break that doesn't have an immediate fix. Seven and even Vista is still in the early stages of figuring out all the solutions of all that can and does go wrong. I think any large or medium sized corporations still on the 2003 paradigm are fine and well under the budget expenditure of those idiots that needlessly and irrationally raced to upgrade as long as they are in a rotation of reimaging every XP machine every 4-6 months... if their network infrastructure is resilient to the trouble users can get into, they may never need to upgrade these to new systems until the physical machines and their components cease to function.

  • Re:Flash the BIOS (Score:3, Interesting)

    by Anonymous Coward on Friday August 03, 2012 @10:05PM (#40875275)

    They are almost certainly going to be requiring signed firmware images on any Win8 Logo'd hardware so no you won't be hacking the BIOS so simply.....

    Frankly from a security standpoint what they are proposing makes sense. They aren't even receiving any money from the likes of Ubuntu or RedHat if they choose to use this system. Yeah, it might be painful and it's certainly different but it makes security sense if done right. Had some sort of international consortium come up with this and Microsoft joined in would we be so upset? Oh wait that sort of did kinda' happen....

    Will be very interesting to see how this plays out for sure!

    P.S. Anon to preserve my moderations...

  • by Richard_J_N (631241) on Friday August 03, 2012 @10:39PM (#40875415)

    Seems to me that this is a very serious violation of the spirit of the antitrust rulings when MS killed netscape. Why aren't our consumer protection agencies stepping in to forbid MS from doing this?

  • Re:Approach #4 (Score:5, Interesting)

    by ozmanjusri (601766) <aussie_bob@hotmail.cOPENBSDom minus bsd> on Friday August 03, 2012 @11:44PM (#40875619) Journal

    You need to do more with a computer than just smile smugly and say "i'm running xyz cool thing". ... Okay.. maybe *you* don't...

    Ah, my little troll is back! Nice to see you again.

    And you're right. Computers are tools, they are at their best when they're used to create cool (and mundane) things, and that's the subtle difference between smartphones and desktop computers that I think Ubuntu got right this time.

    You see my little pet, despite what many people say, phones and tablets aren't for passive consumption, that's the role of TV, books, and maybe e-readers. What Android, iOS et al excel at is to communicate and share cool things (and mundane things, but who wants to talk about those).

    The thing is, computing as a field is all about thresholds. There were text and math thresholds as CPUs/memory etc became large enough and powerful enough to run text editors, then a little faster for word processors, spreadsheets and simulators. Graphical display thresholds gave us GUIs, sound subsystem thresholds and video playback thresholds got us music and movies. There are people here who looked in awe at early Amiga/Atari demos playing two or three simultaneous animations. Desktop computer hardware stopped being a limitation to creating images, video, text, music etc in the late '90s. Phone hardware now is far past that threshold and is about to pass the capabilities of desktop computers from less than a decade ago.

    Coincidentally, a decade ago was when mainstream OS development stagnated. XP was released about then, and continues to be used in business today largely because its successors do little or nothing to improve productivity. You see where I'm going with this, cherub? We have hardware with enough power to run the content creation software and fit in our pockets. That limitation is gone. The remaining limitations are the OS and software stacks, and the peripherals - big screens, digitisers, scanners etc etc, and guess what? Ubuntu has an answer.

    We're seeing enough hints in the market from the likes of Asus, Samsung, Lenovo and even Microsoft that this is something the world's looking for. I'd say Canonical/Ubuntu is in a very good place right now.

  • by sabri (584428) * on Friday August 03, 2012 @11:47PM (#40875631)

    They don't try to make better products, they just try to kill the competition. I see ads for their crap with cool songs, a lizard, and neat apps everywhere but the actual thing doesn't work. Even they can't work it right, as shown by several demos they have done. They seem to recognize it but instead of dealing with it, they just try to eliminate everyone else. Linux has a MUCH better programming environment than anything Microsoft can offer. Even its overall usability (I use Ubuntu) is more intuitive. So Microsoft tries this shit. It's not secure and it's not user-friendly. It's just meant to make Linux harder to install. And I can't support a company that takes this approach. Fuck them. It's a good thing their company is dying. Hopefully more OEMs see this and start offering Linux PC's, but I kind of doubt it.

    Ok, I'm probably going to kill my karma and move from Excellent to Suspected Troll, but so be it...

    Until 5-6 years ago, I would totally agree with you. I've been a *ix advocate for years and will be for a while. However, with the introduction of Windows XP, I've switched from using *ix (more specifically Red Hat, and later on FreeBSD) on my desktop to Windows. Why? Because things just work out of the box. I was used to googling for hours and hours to find the right dependencies for a certain application I wanted, which then would be conflicting with something that I'd already installed and after being forced to use Windows by my then-employer, I quickly installed it on my PCs at home, too.

    When Asus came with their small netbooks, I bought a Linux version. Unfortunately I found it quite unusable so I installed Windows. Again. In my opinion, *ix is perfect, more than perfect in the role of a server. Apache kills IIS just by looking at it. Sendmail outperforms Exchange while picking its nose. SSH is far better than using RDP to administer your server.

    As recent as four months ago, I tried switching to Ubuntu on my corporate Windows Vista laptop. After two days of downtime, I found that I was unable to find a decent calendaring tool that would work with the company's Exchange server. No Lync support. Only partial support for Office tools. I returned my laptop to the IT department to have a new Windows image installed and within 3 hours I was back online.

    Microsoft sucks when it comes to their business practices, I fully, more than fully agree with you on that. But their products are no longer that bad as they once were.

  • by jd2112 (1535857) on Saturday August 04, 2012 @12:00AM (#40875671)

    Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.

    If you are deploying 1200 new machines Dell or HP or whoever will most likely gladly pre-install your corporate OS image for you. There will be an additional cost for doing so but it's usually much less than having your own desktop support staff doing it.

  • by slashmydots (2189826) on Saturday August 04, 2012 @12:55AM (#40875839)
    Your future prediction is unrealistic. Where there's a demand, there's a product. One of the major motherboard manufacturers will release a linux-capable board without all this locked down bullshit loaded onto it. You ever hear of these things called cell phones? The makers unlock them so damn fast when their carrier exclusivity contract runs out, it's insane. So with a limited number of boards, then Linux devs will only have to worry about a very narrow amount of drivers to support, which will be a huge improvement over the situation right now. Linux will vastly improve in performance because of it, MS will probably have multiple glitches that lock itself out of booting, viruses will infect the MBR anyway (or whatever this was allegedly supposed to prevent) and Linux will take over the world.
    I can't imagine how one word of that would be inaccurate.
  • by Z34107 (925136) on Saturday August 04, 2012 @01:40AM (#40875943)

    Why does this keep popping up? XP won't even boot under UEFI.

  • by RobbieThe1st (1977364) on Saturday August 04, 2012 @03:08AM (#40876209)

    Nokia N900 - Commercial, retailed phone, fully open bootloader.

    But, your point still stands.

    That being said, I fully expect the "unlocked" bios-emulation mode to be around for at least 8 years, if not more - corporate needs XP support. However, the lock would actually be a /good/ thing... if we can install our own keys.
    I'm hoping for that sort of support, so corporate IT could sign particular versions of files and/or bootloaders and lock things down. Seems like a step up, there, so long as the accepted key list is editable.
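
The "accepted key list" this comment refers to can be inspected on a Linux machine. As an added example (not part of the original post), the Python below decodes the Secure Boot state variables and the `EFI_SIGNATURE_LIST` format used by the `db`, `KEK` and `PK` variables. The sample bytes and the `ORG_OWNER` GUID are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}

def strip_attrs(raw):
    """efivarfs files start with a 4-byte attribute word; return the data after it."""
    if len(raw) < 5:
        raise ValueError("truncated efivarfs variable")
    return raw[4:]

def secure_boot_state(secureboot_raw, setupmode_raw):
    """Classify the platform from the SecureBoot and SetupMode variables."""
    if strip_attrs(setupmode_raw)[0] == 1:
        return "setup mode"   # no Platform Key enrolled, key lists can be written
    return "enforcing" if strip_attrs(secureboot_raw)[0] == 1 else "disabled"

def parse_signature_lists(data):
    """Return (type, owner GUID, payload length) per entry of a db/KEK/PK blob."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if sig_size <= 16 or list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # who enrolled this entry
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), owner, sig_size - 16))
        off += list_size
    return entries

# --- Constructed sample data (not taken from any real machine) ---
ORG_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical IT dept GUID

def _make_list(type_name, payloads):
    type_guid = next(g for g, n in SIG_TYPES.items() if n == type_name)
    sigs = b"".join(ORG_OWNER.bytes_le + p for p in payloads)
    sizes = struct.pack("<III", 28 + len(sigs), 0, 16 + len(payloads[0]))
    return type_guid.bytes_le + sizes + sigs

SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00\x01"   # attributes + value 1
SAMPLE_SETUPMODE = b"\x06\x00\x00\x00\x00"    # attributes + value 0
SAMPLE_DB = _make_list("x509", [b"\x30" * 64]) + _make_list("sha256", [b"\xaa" * 32, b"\xbb" * 32])

if __name__ == "__main__":
    print(secure_boot_state(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE))
    for kind, owner, length in parse_signature_lists(SAMPLE_DB):
        print(kind, owner, length)
```

On a live system the inputs come from files under `/sys/firmware/efi/efivars/` (for example `SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c`); pass the `db` file through `strip_attrs` before parsing it.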

  • by hairyfeet (841228) <.bassbeast1968. .at. .gmail.com.> on Saturday August 04, 2012 @03:42AM (#40876287) Journal

    Damn you had it right and then you had to go and throw in the ribbon LOL!

    You are right about win 7 as I've had my business customers on it since 2010 and it took me on average 20 minutes to show them the new features and then they were off to the races. The improvements over XP are so many when I'm forced to work on an XP machine it feels like going back to Win95, it's just painful. You have 64bit with great driver support so you can have the machines loaded with memory, superfetch actually puts that memory to use by having their programs preloaded into RAM and ready to go, breadcrumbs and jumplists make getting back to where you were the day before a breeze, it's just a better OS.

    Now you are wrong about the ribbon, only because you are not taking into account office jocks have been using office for over a decade and know it like the back of their hand. The ribbon blows muscle memory all to shit and I've watched as people that could fly on 2K3 were brought to a screeching halt thanks to the ribbon. Sure it's great if you've never used office before, but that isn't their biggest demographic is it? IMHO they should have had a switch at install that let the user choose which layout to have along with a GPO so it could be deployed across the network in whichever config the IT dept wanted.

    As for TFA, everyone is worried about this...why exactly? It's win 8, aka "LOL I iz a cell phone LOL" OS, this thing is gonna go over about as well as Michael Richards at an NAACP luncheon. If you don't want Secureboot in X86 it's a simple switch away, and nobody is gonna buy WOA unless they find it on Woot! at 80% off. Just look at the numbers or lack thereof for WinPhone 7, If they crack higher than 6% on ARM I'll frankly be shocked. Finally let us not forget the EU doesn't like MSFT anyway so if they try to lock X86 they are gonna get hit with so many fines they won't know what hit them.

  • by Yvanhoe (564877) on Saturday August 04, 2012 @04:37AM (#40876455) Journal
    The fact that mandatory secure boot is a Windows 8 requirement for ARM architecture makes it credible to think they would like the same thing in the x86 world. The fact we even accepted it in the ARM world is an incredibly sad defeat that will make us waste another 10 years to turn around.
