
UEFI Secure Boot and Linux: Where Things Stand

Posted by Unknown Lamer
from the don't-boot-that-gnu dept.
itwbennett writes "Assuming that Microsoft doesn't choose to implement Secure Boot in the ways that the Linux Foundation says would work with Linux, there 'will be no easy way to run Linux on Windows 8 PCs,' writes Steven Vaughan-Nichols. Instead, we're faced with three different, highly imperfect approaches: Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu. Approach #2: work with Microsoft's key signing service to create a Windows 8 system compatible UEFI secure boot key, like Red Hat is doing with Fedora." itwbennett finishes with: "Approach #3: Use open hardware with open source software, an approach favored by ZaReason CEO Cathy Malmrose." When you can't even use a GPLv3 licensed bootloader to boot your system, you might have a problem. Why is everyone so quick to accept the corpse of TCPA in new clothes?

  • by jkrise (535370) on Friday August 03, 2012 @10:11PM (#40875019) Journal

    Just wait for a while. System admins will find it very difficult to install Enterprise Licensed Windows licenses. MS will be forced to cave in, and provide easy mechanisms to do that for early adopters. Just use whatever technique the local PC vendor guy recommends.

    • by afidel (530433) on Friday August 03, 2012 @10:36PM (#40875137)

      WHAT?!? Secure Boot will do nothing to impede enterprise Windows users. You'll either use Windows8/2012 and have a signed boot loader or use 2008R2/7 and disable secure boot. Btw it would also do nothing to impede enterprise Linux users either, they'd either use a commercial signed distribution or build their own and have the build process install their keys into the TPM chip (trust me, enterprises already deal with crypto from internal PKI to external SSL to drive encryption).

    • by nazsco (695026)

      Yeah, because IT departments are known for implementing the most sane and practical solutions for every problem, not the one that advertised itself as the only one available and took the CTO to dinner.

      Man, I'm glad that means my IT dept will drop Exchange soon..

    • by Anonymous Coward on Friday August 03, 2012 @11:39PM (#40875411)

      If this is not an example of Microsoft's monopolistic practices I don't know what is.

      • by Spiked_Three (626260) on Saturday August 04, 2012 @04:36AM (#40876269)
        haha. Apple has made that frivolous. What jury (be it a judge or real jury) would find Microsoft has a monopoly these days? Apple keeps reminding us how they are the number one now.

        Oh and btw, doesn't Apple also restrict what boots and how? to make sure you ONLY buy Apple hardware? Yep, MS keeps 90% of the market, can and WILL dictate to the OEMs how to build their machines, and there is nothing anyone can do about it, thanks to Apple's efforts.

        And to top it off, MS is getting more into the hardware market, and controlling the software sales channels, they want to be just like Apple. I can't wait to see how it comes out. My guess is both MS and Apple will end up being losers, and guess what, linux will still be a loser also. Something new will come along, dictated by ATT and the Olympic committee, and the 99% will still be whining about how the 1% controls everything. Nothing will change.
        • by jbolden (176878) on Saturday August 04, 2012 @07:25AM (#40876791) Homepage

          First off Apple's share of the desktop market in the USA is 8-12% which is about where it was when Microsoft was considered a monopoly. Microsoft's defense at this point might be the existence of a tablet market where they have no presence. But even if one does include tablets Windows still far outsells iOS and OSX combined. Apple targets profitable customers not marketshare.

          As for Apple restricting boot. No they don't. In fact they produce and support a multi-platform bootloader for their computers: http://www.apple.com/support/bootcamp/ [apple.com]
          They also work with parallels and VMware to help people load virtual images of windows.
          Apple doesn't mind in the slightest if you buy their hardware and then run someone else's OS on it.

          On their iOS devices, iTunes allows you to put any BIOS image in you want.

    • by slashmydots (2189826) on Saturday August 04, 2012 @01:55AM (#40875839)
      Your future prediction is unrealistic. Where there's a demand, there's a product. One of the major motherboard manufacturers will release a linux-capable board without all this locked down bullshit loaded onto it. You ever hear of these things called cell phones? The makers unlock them so damn fast when their carrier exclusivity contract runs out, it's insane. So with a limited number of boards, then Linux devs will only have a worry about a very narrow amount of drivers to support, which will be a huge improvement over the situation right now. Linux will vastly improve in performance because of it, MS will probably have multiple glitches that lock itself out of booting, viruses will infect the MBR anyway (or whatever this was allegedly supposed to prevent) and Linux will take over the world.
      I can't imagine how one word of that would be inaccurate.
  • approach #4 (Score:4, Funny)

    by Cyko_01 (1092499) on Friday August 03, 2012 @10:15PM (#40875045) Homepage
    Modify ntldr to boot to grub automatically and remove all unnecessary windows components
  • Approach #4 (Score:5, Insightful)

    by sapgau (413511) on Friday August 03, 2012 @10:16PM (#40875049) Journal

    Lawsuit?

    • Lawsuit?

      Well that or anti-trust, since this is clearly anti-competitive.

      I can accept something like a Mac being locked down, to a certain extent, since it is Apple hardware with Apple software - though I don't believe they prevent you from installing other operating systems? Generic PC hardware not at all, since this is third party hardware, with Windows being an add-on. If Microsoft wants hardware this locked down to run Windows, then they should sell their own hardware.

      What I would like to see is being able to di

  • by Anonymous Coward on Friday August 03, 2012 @10:18PM (#40875059)

    It seems like the obvious way to block this type of stuff is to pass legislation requiring government agencies to only purchase PCs that are free from such encumbrances. The state and taxpayers benefit from keeping their OS options open on new computer hardware and more importantly they represent a large enough percent of total sales to actually get a proper response from manufacturers.

  • by billcopc (196330) <vrillco@yahoo.com> on Friday August 03, 2012 @10:19PM (#40875061) Homepage

    Approach #4: ignore UEFI Secure Boot. It's a blunt solution to an obscure problem. More importantly, it's such a huge pain in the ass, not just for Linux but for ALL system integrators, that anyone actually preventing the user from disabling Secure Boot will end up limiting their own marketability. Two things will happen:

    1. It will be relegated to tiny niches where security trumps usability
    2. It will be cracked

    This is not an either/or. Both things will happen. This whole fiasco is nothing but a huge waste of time for everyone involved.

    • by Dan667 (564390)
      If you have physical access to the hardware it is only a matter of time before it is cracked.
      • by Anonymous Coward on Friday August 03, 2012 @11:28PM (#40875383)

        In the past, I would have agreed with you, but hardware DRM is getting pretty good:

        PS3s took almost five years to get cracked, and new PS3s are immune to any holes in them that were used by GeoHot to bust the thing open in the first place.

        Satellite TV has not seen any cracks since the patch several years back which completely fried any "master key" cards.

        The iPhone 4s is barely jailbroken with only userland available. This is with the best minds in the world working on cracking the thing.

        Most Android phones still have locked bootloaders, which nobody has yet been able to get. Newer Android phones actually have a daemon that looks for root process signatures then "bricks" the phone if found until the firmware is reflashed... and with some devices, the reflash is not available to the public.

        So, even though hardware might be in the user's physical control, it nowhere near belongs to the user.

        • by FranTaylor (164577) on Saturday August 04, 2012 @12:09AM (#40875503)

          We used to call them "general purpose computers"

          We dropped the "general purpose" part at some point, because it seemed redundant at the time.

          Now maybe we need to bring back this term.

          These machines you are talking about are not "general purpose" computers at all.

          It once again goes to show that the Microsoft slogan is "Where do you want to be taken today"

        • Re: (Score:3, Informative)

          by jameshofo (1454841)

          This is _not_ DRM, it's a security implementation to prevent malware from writing to the boot processes and preempting any possible Operating System security. It does seem a bit like we're trying to right the Leaning Tower of Pisa with a bomb on the low side to see if it will right itself again!

          I'm sorry to be so obvious but this needs to be kept far away from the association of DRM.

          Here is a rather awesome talk about UEFI and RedHat's work on it. Basically his experience was it's very buggy and there are a

        • by Thantik (1207112) on Saturday August 04, 2012 @04:31AM (#40876261)

          PS3s only took about 5 months to be cracked. They were initially untouched because they provided people what they wanted: The ability to boot linux. Once the feature was taken away, it was cracked in very little time at all.

          And the new PS3s are "immune" not due to anything other than harassment of GeoHot by Sony. We'll never know if this is true though, because he's barred from ever touching anything branded by Sony ever again.

          And pretty much all Android phones have the bootloaders completely bypassed with 2ndinit.

          Satellite, you've got me on, because I haven't had any interest in.

        • by PingXao (153057)

          Also not cracked: DTCP which, for a good number of years, protected (and still does) the Firewire output of cable set top boxes. Firewire is falling out of favor fast, but DTCP still hasn't been cracked, and I'm pretty sure that goes for newer non-firewire implementations such as DTCP-IP.

          And don't forget HDCP which protects HDMI connections between A/V devices. The master key was leaked, not cracked. There's a huge difference there.

    • by Anonymous Coward

      1. It will be relegated to tiny niches where security trumps usability

      God forbid in this day of malware, server breaches, and root kits, someone should be triumphing that over usability.

      • by 0123456 (636235)

        God forbid in this day of malware, server breaches, and root kits, someone should be triumphing that over usability.

        Indeed. If only people would dump Windows and run Linux, we'd all be better off.

      • What security? Secure Boot protects against pre-kernel-loading rootkits - a type of malware so obscure, I've never even heard of it being used outside of proof-of-concept academic demonstrations.
        • by AmiMoJo (196126) <(mojo) (at) (world3.net)> on Saturday August 04, 2012 @05:48AM (#40876501) Homepage

          That type of rootkit was common years ago and still is. Typically they target one of the low level OS components such as the SATA driver, which is loaded before any security stuff and has full access to the entire memory space.

          At first anti-virus software couldn't even detect it because the rooted OS was prevented from seeing the file in directory listings or accessing it directly. Eventually they figured out how to get around that, but still couldn't remove the file. Then they figured out how to remove the file when booted into a different OS (i.e. take the HDD out and put it in another machine) but of course that deleted the SATA driver so a XP refresh install was required. That was where I left it when I stopped working in that business.

    • by tlhIngan (30335) <slashdot@wSLACKWAREorf.net minus distro> on Saturday August 04, 2012 @01:50AM (#40875825)

      Approach #4: ignore UEFI Secure Boot. It's a blunt solution to an obscure problem. More importantly, it's such a huge pain in the ass, not just for Linux but for ALL system integrators, that anyone actually preventing the user from disabling Secure Boot will end up limiting their own marketability.

      I thought the requirement to run Windows 8 was to have a BIOS option to disable secure boot, or rather, enable legacy (BIOS) booting. So if the user wishes to run another OS, they could - disable secure boot, and the PC boots like it always has - via the old BIOS method. Of course, if you want to boot back into Windows requires flipping the option back (the files are signed and verified before loading, so it's not like running another OS will break the security - the UEFI verifies the loader, the loader verifies the kernel, the kernel verifies the drivers and Windows binaries, etc.).

      I know RedHat and Canonical were worried that the option would be well, optional, but I thought it was now required. And it will be for a little while because Windows 7 isn't ready for secure boot - it can be EFI-booted in 64-bit mode but that's experimental.

      Then there is well, Apple. Whose EFI-based firmware probably doesn't have secure boot in it and thus unable to boot Windows 8... (and probably the only provider that has an easily-accessible EFI boot - is there any other reason why there's an EFI bootloader for Linux for the past few years?)

      • by Yvanhoe (564877) on Saturday August 04, 2012 @05:37AM (#40876455) Journal
        The fact that mandatory secure boot is a Windows 8 requirement for ARM architecture makes it credible to think they would like the same thing in the x86 world. The fact we even accepted it in the ARM world is an incredibly sad defeat that will make us waste another 10 years to turn around.
      • by arkhan_jg (618674)

        Windows 8 doesn't require secure boot. At all. It will happily boot on a PC without it, or with it turned off. I.e. all the legacy kit out there running Windows 7.

        In order to sell an x86 PC as Windows 8 certified, you have to have secure boot; it has to have the Windows 8 signing key as default; and it needs to be able to be turned off. The latter matters to Microsoft because all those enterprise users doing their downgrade rights to 7 would be furious if they couldn't buy new PCs and put older version

      • I thought the requirement to run Windows 8 was to have a BIOS option to disable secure boot, or rather, enable legacy (BIOS) booting.

        There is no such requirement to run Windows 8. There is a UEFI secure boot requirement if you want to put a sticker on the system saying "designed for Windows 8". There is also a requirement that the user must be able to switch off the secure boot.

        Of course, if you want to boot back into Windows requires flipping the option back (the files are signed and verified before loading, so it's not like running another OS will break the security - the UEFI verifies the loader, the loader verifies the kernel, the kernel verifies the drivers and Windows binaries, etc.).

        No, you do not need to flip the option back to boot Windows 8. If you don't flip it back you will not have the security that comes from the knowledge that the boot loader and kernel has not been tampered with, but Windows 8 will boot.

        Of course, if you want to boot back into Windows requires flipping the option back (the files are signed and verified before loading, so it's not like running another OS will break the security - the UEFI verifies the loader, the loader verifies the kernel, the kernel verifies the drivers and Windows binaries, etc.).

        That is correct. But while th

  • Another Approach (Score:5, Interesting)

    by am 2k (217885) on Friday August 03, 2012 @10:22PM (#40875075) Homepage

    (Too many #4 here already, so I'll skip the numbering)

    What about clustering all Linux enthusiasts' computers together and cracking Microsoft's signing key, SETI-style? I'm not sure about the mathematics there (taking longer than the galaxy will exist, etc.), but maybe it's possible. Or maybe somebody made a mistake and the key is much weaker than it is thought at the moment (see PS3).

  • Approach #4 (Score:4, Informative)

    by Anonymous Coward on Friday August 03, 2012 @10:24PM (#40875081)

    Disable secure boot.

    From http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256:

    "Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems."

    They made disabling secure boot required for the Windows logo on x86 (while probably worried about the threat of an antitrust investigation).

    • I wonder, will that allow booting of Fedora or Ubuntu, which are having their distros signed by Microsoft, to boot on ARM hardware? Anyone else know? I would really like to have an Ubuntu tablet and that seems like a cheap way.

      • Just buy an Android one next year. It looks like you'll have the best of both worlds.

        http://www.ubuntu.com/devices/android [ubuntu.com]

        http://en.wikipedia.org/wiki/Ubuntu_for_Android [wikipedia.org]

        http://www.youtube.com/watch?v=wzc0uMXGFBY [youtube.com]

    • No kidding. Where is the issue when you can just do this? You'd think the general population of people who will be loading their boxes with alternate operating systems could figure this out.

  • by theRunicBard (2662581) on Friday August 03, 2012 @10:26PM (#40875095)
    They don't try to make better products, they just try to kill the competition. I see ads for their crap with cool songs, a lizard, and neat apps everywhere but the actual thing doesn't work. Even they can't work it right, as shown by several demos they have done. They seem to recognize it but instead of dealing with it, they just try to eliminate everyone else. Linux has a MUCH better programming environment than anything Microsoft can offer. Even its overall usability (I use Ubuntu) is more intuitive. So Microsoft tries this shit. It's not secure and it's not user-friendly. It's just meant to make Linux harder to install. And I can't support a company that takes this approach. Fuck them. It's a good thing their company is dying. Hopefully more OEMs see this and start offering Linux PC's, but I kind of doubt it.
    • by nazsco (695026)

      And safeboot won. Thanks to Ubuntu having too much money.

      Now it will be one more pain to buy new machines. Will have to scavenge model numbers known to have a correct implementation... Which will be rare.

    • by sabri (584428) * on Saturday August 04, 2012 @12:47AM (#40875631)

      They don't try to make better products, they just try to kill the competition. I see ads for their crap with cool songs, a lizard, and neat apps everywhere but the actual thing doesn't work. Even they can't work it right, as shown by several demos they have done. They seem to recognize it but instead of dealing with it, they just try to eliminate everyone else. Linux has a MUCH better programming environment than anything Microsoft can offer. Even its overall usability (I use Ubuntu) is more intuitive. So Microsoft tries this shit. It's not secure and it's not user-friendly. It's just meant to make Linux harder to install. And I can't support a company that takes this approach. Fuck them. It's a good thing their company is dying. Hopefully more OEMs see this and start offering Linux PC's, but I kind of doubt it.

      Ok, I'm probably going to kill my karma and move from Excellent to Suspected Troll, but so be it...

      Until 5-6 years ago, I would totally agree with you. I've been a *ix advocate for years and will be for a while. However, with the introduction of Windows XP, I've switched from using *ix (more specifically Red Hat, and later on FreeBSD) on my desktop to Windows. Why? Because things just work out of the box. I was used to googling for hours and hours to find the right dependencies for a certain application I wanted, which then would be conflicting with something that I'd already installed and after being forced to use Windows by my then-employer, I quickly installed it on my PCs at home, too.

      When Asus came with their small netbooks, I bought a Linux version. Unfortunately I found it quite unusable so I installed Windows. Again. In my opinion, *ix is perfect, more than perfect in the role of a server. Apache kills IIS just by looking at it. Sendmail outperforms Exchange while picking its nose. SSH is far better than using RDP to administer your server.

      As recent as four months ago, I tried switching to Ubuntu on my corporate Windows Vista laptop. After two days of downtime, I found that I was unable to find a decent calendaring tool that would work with the company's Exchange server. No Lync support. Only partial support for Office tools. I returned my laptop to the IT department to have a new Windows image installed and within 3 hours I was back online.

      Microsoft sucks when it comes to their business practices, I fully, more than fully agree with you on that. But their products are no longer that bad as they once were.

  • by bmo (77928) on Friday August 03, 2012 @10:28PM (#40875115)

    > Why is everyone so quick to accept the corpse of TCPA in new clothes?

    Only softies and people who don't know any better do. Pointing at Apple and saying they lock their phones and tablets too ignores the fact that what they do is also wrong. It's like Timmy beating up Bobby on the playground, and when you beat up Bobby, you point at Timmy and say "well, he was doing it too!"

    The rest of us want to punch people in the face for even suggesting TCPA 2.0

    --
    BMO

  • Flash the BIOS (Score:5, Interesting)

    by bky1701 (979071) on Friday August 03, 2012 @10:36PM (#40875135) Homepage
    We already have hacked BIOSes for far more irrelevant reasons than this. I expect it to become a common thing to just wipe secure boot from the system entirely if this is a problem.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      They are almost certainly going to be requiring signed firmware images on any Win8 Logo'd hardware so no you won't be hacking the BIOS so simply.....

      Frankly from a security standpoint what they are proposing makes sense. they aren't even receiving any money from the likes of Ubuntu or RedHat if they choose to use this system. Yeah, it might be painful and it's certainly different but it makes security sense if done right. Had some sort of international consortium come up with this and Microsoft joined in wo

    • by Asic Eng (193332)

      Well if you tell a potential new Linux user they have to flash the BIOS (find the right one for each motherboard) they are going to be a lot less likely to do that than when you tell them: here pop in the LiveCD.

      Similar problem when it's just about turning off secure boot - sounds dangerous right from start, and they'll probably have been warned about not turning that off when some software asks them to.

  • People are going to use Windows 8?
    • Re: (Score:2, Funny)

      by epyT-R (613989)

      I will. it's an awesome operating system... since I spend 95% of my time in the start menu I'm glad they made it full screen and interactive.. it's like a video game!

  • I thought this would only be a problem for people who are afraid to muck around in their BIOS. The situation is that even tech-savvy users can't turn this shit off?
    • by 0123456 (636235)

      I thought this would only be a problem for people who are afraid to muck around in their BIOS. The situation is that even tech-savvy users can't turn this shit off?

      1. That makes life painful for non-techies who want to install Linux and can currently just boot from a CD or USB installer with no BIOS changes.
      2. As soon as Microsoft can demand that this be made compulsory, they will.

      Oh, sorry, I forgot 'the slippery slope is a logical fallacy', so Microsoft couldn't possibly ever do that.

  • by Richard_J_N (631241) on Friday August 03, 2012 @11:39PM (#40875415)

    Seems to me that this is a very serious violation of the spirit of the antitrust rulings when MS killed netscape. Why aren't our consumer protection agencies stepping in to forbid MS from doing this?

    • by jimicus (737525)

      Most regulators can only operate reactively. Even if you issue a complaint today there's a lot of hoops to jump through before anyone can even get Microsoft in a courtoom:

      - Someone has to release a Windows 8 PC with secure boot. That hasn't happened yet.
      - The hoops necessary to disable secure boot need to be sufficiently complicated that it's demonstrably a problem. This won't be apparent for some time after we see a serious number of Secure Boot PCs shipping.
      - organisations with some influence (not individ

  • by Rich0 (548339) on Friday August 03, 2012 @11:51PM (#40875441) Homepage

    The MS specs require any MS-certified firmware to allow the user to load their own keys. So, if you want to install linux, just generate your own keypair, use it to sign any OSes you want to boot, and install it as a trusted key in your firmware.

    Voilà, you can still use secure boot, and you can boot whatever you want, and as a bonus not even MS can install something on your hard drive and have it be bootable.

    Or you can just disable secure boot.

    Distros should just make it easy for users to sign their bootloaders. This should be easy for distros that have the user manually install grub/etc. Or the distro could just supply a pre-signed bootloader and a key for the user to load into their firmware.
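
As an added illustration (not code from the thread or from any firmware or distribution), this Python model shows the flow the comments above describe: each boot stage's signature is checked before it runs, and an owner-generated key enrolled in the firmware's trust store lets self-signed images boot. The toy RSA keys, the `Firmware` class and the single trust store shared by every stage are assumptions made for the example.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_keypair(p, q):
    """Return (public modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys built from Mersenne primes: textbook RSA, no padding,
# NOT secure. They stand in for the vendor's key and the owner's own key.
VENDOR_N, VENDOR_D = make_keypair(2**1279 - 1, 2**2203 - 1)
OWNER_N, OWNER_D = make_keypair(2**521 - 1, 2**607 - 1)


def digest(image):
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign(image, n, d):
    return pow(digest(image), d, n)


def verify(image, sig, n):
    return pow(sig, E, n) == digest(image)


class Firmware:
    """Hypothetical model: one trust store ("db") consulted for every stage."""

    def __init__(self):
        self.db = {"vendor": VENDOR_N}  # public keys shipped by the OEM
        self.secure_boot = True

    def enroll(self, name, n):
        self.db[name] = n

    def remove(self, name):
        self.db.pop(name, None)

    def boot(self, chain):
        """chain is a list of (stage, image, signature); returns (booted, log)."""
        log = []
        for stage, image, sig in chain:
            if not self.secure_boot:
                log.append((stage, "unverified"))  # runs, but with no assurance
                continue
            signer = next((k for k, n in self.db.items()
                           if verify(image, sig, n)), None)
            log.append((stage, signer or "REJECTED"))
            if signer is None:
                return False, log  # stop before running an untrusted stage
        return True, log


def demo():
    loader, kernel = b"constructed bootloader image", b"constructed kernel image"
    chain = [("loader", loader, sign(loader, OWNER_N, OWNER_D)),
             ("kernel", kernel, sign(kernel, OWNER_N, OWNER_D))]
    tampered = [chain[0], ("kernel", kernel + b" + rootkit", chain[1][2])]
    vendor_img = b"constructed vendor loader"
    vendor_chain = [("loader", vendor_img, sign(vendor_img, VENDOR_N, VENDOR_D))]

    fw, out = Firmware(), {}
    out["before_enroll"] = fw.boot(chain)      # owner key not trusted yet
    fw.enroll("owner", OWNER_N)
    out["after_enroll"] = fw.boot(chain)       # self-signed chain now boots
    out["tampered"] = fw.boot(tampered)        # modified kernel is caught
    fw.remove("vendor")
    out["vendor_removed"] = fw.boot(vendor_chain)  # vendor images no longer boot
    fw.secure_boot = False
    out["disabled"] = fw.boot(tampered)        # anything boots, unverified
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```
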

    • You say "just" for things that require a second computer

      Not so easy for the teenager who is mowing lawns and raking leaves to buy a computer to learn programming.

      Now these kids are locked out of the Linux experience because they don't have the resources to "just do" the stuff you find so trivial.

  • by FranTaylor (164577) on Saturday August 04, 2012 @12:22AM (#40875549)

    Forgotten in all of this is that there is no actual value added for the user in all this.

    When it's all said and done, from the user's point of view, it's a step backward in usability and utility without providing ANY extra security for the user's data.

    Think about it: for an actual boot-sector virus to work, it has to break into your computer already. Well since it's already broken in, why does it need the boot sector? It can just break back in using the same mechanism it used in the first place. Secure boot gets you no extra security.

    Notice that Windows had to mandate this, is there any clamor from the user base for computers that are more difficult to use?
