SuSE DRM Operating Systems Linux

SUSE Slowly Shows UEFI Secure Boot Plan

Posted by Soulskill
from the at-a-stately-and-majestic-pace dept.
itwbennett writes "One blog post at a time, SUSE is revealing its plan for getting SUSE Linux Enterprise Server (SLES) to boot on machines with UEFI Secure Boot. The short version: 'For now, it seems, SLES will implement an approach similar to that used by Fedora,' writes Brian Proffitt. '[Director of the SUSE Linux Enterprise Olaf] Kirch's first blog entry on Tuesday merely introduced the problem of UEFI Secure Boot. Today's blog only specified the use of the shim bootloader.' Just dying to know what's next? Tune in to the SUSE blog."

  • does UEFI secure boot bring any value to users or only to our corporate masters?

    • by countach (534280)

      I think in theory it plugs a malware hole, that the whole OS is secure from the bootloader on up.

      • by morcego (260031)

        Yes. Like the "malware" that allows people to use a pirated copy of Windows 7.
        Somehow, I think that is one of the main reasons they went after this "secure boot" thing.

        • by Nerdfest (867930)

          The best thing that could happen to Windows 8 is for people to pirate it. Perhaps they're trying to build up a false sense of value.

      • by gomiam (587421) on Wednesday August 08, 2012 @07:31PM (#40924627)
        Theory is closer to practice in theory than in practice. The facts are clear: UEFI lets someone else decide what you can or can not run in your computer.

        Think you can disable it? Think again: who is going to care about your being able to disable it when, eventually, Microsoft requires it to be always on on Intel versions of Windows just like they have done on ARM?

        • Think you can disable it? Think again:

          Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.

          • by http (589131)
            If being able to disable it is part of the UEFI spec, what are those Windows 8 ARM devices using?
            • It is a different spec for ARM than Intel chips. The ARM version of Windows 8 does not have to maintain backwards compatibility with an existing user base. Intel Windows does have a long pedigree, and the OS will work on systems made in 2002. Given that they are trying to support computers that predate UEFI by a decade, then they can't start insisting on secure boot only.

              • by thegarbz (1787294)

                then they can't start insisting on secure boot only.

                Can't is a strong word in an industry where in the last few years we've seen companies abandon an entire computer architecture breaking all backwards compatibility, moving the software ecosystem from software as a product to software as a service, and one of the biggest vendors has now announced they will be competing directly with their OEM suppliers.

                "Can't" is the one word we can't use to describe anything in the IT industry.

                • "Can't" is the one word we can't use to describe anything in the IT industry.

                  But have a look at the backlash that Microsoft received when Vista had high system requirements. Subsequent versions of Windows have tended towards better support for older systems, and not worse as would happen if secure boot was mandatory.

                  So until we actually see a change in Microsoft's policy, people are complaining about a fantasy future that does not match the current practices of Microsoft regarding Windows.

                  • by thegarbz (1787294)

                    The current practices of Microsoft? You mean the current practices of a company which has in the last few years announced a change from producing an operating system that runs on an open PC architecture to announcing new plans for vendor lock-in (ARM), restrictive usage scenarios (limited app running capabilities), the start of a walled garden (Windows Store), and decided to compete directly with OEMs producing a fully closed hardware/software platform.

                    Regarding Microsoft's future, fantasy is the only thing

          • Think you can disable it? Think again:

            Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.

            It is part of the spec AT THE MOMENT, but that doesn't mean it will remain part of the spec.

            • It is part of the spec AT THE MOMENT, but that doesn't mean it will remain part of the spec.

              And it doesn't mean that it won't remain part of the spec. It is all guesswork. Should you really be able to deny people have security features added to Windows because in some dystopian future those features may be made mandatory?

              Should we also ban firewalls because one day the built-in firewall may be only made configurable by a paid service rather than a local tool?

          • by phantomfive (622387) on Wednesday August 08, 2012 @10:58PM (#40926611) Journal
            As someone who's gotten Linux to boot on an EFI machine, I can tell you that motherboards do not always implement the full specification.

            Generally they do what is necessary to boot Windows, and once that's working, call it good. They have no motivation to test and make sure disabling UEFI works.
            • Generally they do what is necessary to boot Windows, and once that's working, call it good. They have no motivation to test and make sure disabling UEFI works.

              Except that if a motherboard can't disable UEFI then older versions of Windows (especially x86 versions) would not boot. Remember that Microsoft's biggest competitor to Windows is older versions of Windows. This is going to become even more pronounced if people reject the Metro user interface (or whatever it is called now) and stay with XP or Win7.

  • There are two ways of getting there. One is to work with hardware vendors to have them endorse a SUSE key which we then sign the boot loader with. The other way is to go through Microsoft's Windows Logo Certification program to have the boot loader certified and have Microsoft recognize our signing key (i.e. have it signed with their KEK). We are currently evaluating both approaches, and may eventually even pursue both in parallel.

    Seeing how Microsoft is currently pissing off Hardware vendors (and surface i

  • by Anonymous Coward on Wednesday August 08, 2012 @06:59PM (#40924217)

    running on Chromebooks. All source is there. You can download it and study it and build something good on it.

    So what are the "open source OS companies" putting all their effort into? Satisfying a closed, proprietary system designed to lock users in. Very disappointing.

  • by Anonymous Coward on Wednesday August 08, 2012 @07:20PM (#40924493)

    I don't get it.

    So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?

    You know what? Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.

    Playing along here is NOT THE ANSWER. Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufacturers who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first). They're going to realize this mighty fast and either produce cheaper "Linux" versions of their motherboards without UEFI restrictions (or even better, without UEFI at all)- or just drop the whole Secure Boot thing altogether.

    Again, playing along with this mockery is the WORST POSSIBLE THING anyone could do. It's like letting the Germans into your country during 1945 because they promised they'd only ask for your papers when you're entering or leaving your own city. How long do you think it'll be until they have the same guards stationed everywhere? Train stations, food stores, clothes stores... How long before you're walking down the street in your own community and you're getting stopped for papers, only blocks away from your house?

    I'm sick and tired of people saying "it's only the bootloader man, chill". Yeah, it might be today. What about tomorrow, when they drop the ability to manually disable Secure Boot permanently? What then, huh? Well, then Microsoft has the power to revoke your keys and doom your operating system to death. After everything Linux has been for, after everything Linux has stood for- why the fuck would you EVER want to give Microsoft this power?

    Fedora, Ubuntu, and SUSE can kiss my fucking ass. All these distributions are a disgrace. A total fucking disgrace. The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch". So what if your users have to manually disable Secure Boot for now. At least then they'll realize what is going on here and you might actually educate a few of them as to why CLOSED PLATFORMS ARE BAD.

    -AC

    • by kiwimate (458274)

      Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.

      Ah, well at least you're putting forth a calm and rational argument.

      Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufacturers who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first).

      This argument isn't going to fly. Most hardware manufacturers don't care about Linux. How long have Slashdotters bemoaned the lack of major manufacturer Linux options, or complained about the small forays by Walmart and Dell which are then pulled back?

      It's like letting the Germans into your country during 1945

      This kind of commentary is not doing your argument any favors. You're shooting yourself in the foot; you obliterate any useful point you may have.

      The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch".

      Says the anonymous coward.

      I have several times

      • by epyT-R (613989)

        Ah, well at least you're putting forth a calm and rational argument.

        It is rational. It just isn't calm.

        This argument isn't going to fly. Most hardware manufacturers don't care about Linux. How long have Slashdotters bemoaned the lack of major manufacturer Linux options, or complained about the small forays by Walmart and Dell which are then pulled back?

        agreed. this argument doesn't make much sense.

        This kind of commentary is not doing your argument any favors. You're shooting yourself in the foot; you obliterate any useful point you may have.

        why? the whole nazi police state reference is a perfect analogy with the top down lock down that is signed UEFI. Sure, today, it can be disabled, but the slippery slope does apply here.

        Says the anonymous coward.

        In free societies, anonymity is perfectly acceptable. the argument stands or falls on its own. demanding id just demands an argument from authority. the only thing you might gain is slightly higher confidence in the speaker, but that doesn't p

    • It's like letting the Germans into your country during 1945

      Learn a little history. In 1945, the War was ending. The Allied Forces were squeezing Germany like a lemon. Hitler was ordering that all industries, military installations, machine shops, transportation facilities and communications facilities in Germany be destroyed. German military leaders were committing suicide left, right, and center. There were probably untold thousands of German civilians fleeing the country in 1945. None of them would have been stopping people and asking for papers. They woul

    • by westlake (615356)

      I don't get it.
      So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?

      Secure Boot is not new.

      Another case of trusted boot is the One Laptop per Child XO laptop which will only boot from software signed by a private cryptographic key known only to the OLPC non-profit organisation. However, the laptop and the OLPC organisation provide a way to disable the restrictions, by requesting a "developer key" unique to that laptop, over the Internet, waiting 24 hours to receive it, installing it, and running the firmware command "disable-security". The stated goal is to deter mass theft of laptops from children or via distribution channels, by making the laptops refuse to boot, making it hard to reprogram them so they will boot and delaying the issuance of developer keys to allow time to check whether a key-requesting laptop had been stolen.

      Hardware restrictions [wikipedia.org]

      Secure Boot makes a great deal of sense.

      Secure Boot is biting the geek in the ass because of his pathetic dependence on affordable hardware designed and built for the mass market Windows platform and because he has had damn little influence or control over the explosive evolution of a mobile market defined and shaped by Apple.

      You do not gain converts to Linux by disabling low-level hardware security in Windows.

      You do not gain converts to Linux by encouraging

    • Hmm, I think only Argentina let Germans into their country in 1945.
  • by Anonymous Coward on Wednesday August 08, 2012 @07:20PM (#40924501)

    I'm used to a little bit of healthy paranoia here, but the amount of FUD and flat-out misinformation in Slashdot's UEFI reporting is frankly astonishing. Let's get a few things straight.

    UEFI is not a Microsoft technology. It is an industry standard intended to replace the archaic x86 BIOS. Microsoft participated in the standard, as did Slashdot favorites Red Hat, Canonical, IBM, and AMD. You can freely download the full specification [uefi.org] from the uefi.org website.

    Secure Boot is part of the larger UEFI specification. See section 27 for the technical details. Of particular interest to Slashdot readers will be section 27.7 which describes the key update mechanism.

    Secure Boot is intended to solve the real-world security problem of boot-time malware. No operating system can defend against malware at boot-time; this would be equivalent to defending against the hardware itself. If it helps, imagine how you would defeat a keylogger embedded in your keyboard.

    Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure. (I am defining "full-proof" here to mean the keys and hashes involved are adequately difficult to brute-force with modern hardware. I am also explicitly discounting scenarios outside of UEFI's area-of-responsibility, such as vulnerabilities in the operating system's signed image.)

    For some real irony, see the Slashdot article Windows 8 Secure Boot Defeated [slashdot.org]. Both the headline and much of the discussion in this article were flat-out wrong. The exploit in question targeted the legacy BIOS and MBR. This is exactly the problem that Secure Boot addresses, and it reinforces the need for this technology.

    Secure Boot is not a DRM scheme, nor is it explicitly a tool for Microsoft lock-in. Remember that on x86 platforms, the end-user can edit the key database, and can disable Secure Boot entirely. I concur that Microsoft's treatment of ARM is a dick move, but is also typical for other vendors in that market segment. In either case, remember that Secure Boot is a logical solution to a real-world problem affecting all operating systems, and evaluate it on this merit first.

    Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.

    Links:
    UEFI membership list: http://www.uefi.org/join/list/ [uefi.org]
    UEFI specification: http://www.uefi.org/specs/agreement [uefi.org]

    • by gomiam (587421) on Wednesday August 08, 2012 @07:43PM (#40924781)

      UEFI is not a Microsoft technology. It is an industry standard intended to replace the archaic x86 BIOS.

      OOXMLz [wikipedia.org] is a standard as well. Your point being?

      Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure.

      I guess you meant fool-proof. And it is. It is fool-proof against all those fools who want to decide to run their own code on the computer without having to ask permission beforehand.

      Secure Boot is not a DRM scheme, nor is it explicitly a tool for Microsoft lock-in.

      True, and yet... it can be used as such. Excuse me, I meant it is already being used as such (see Windows 8 on ARM).

      Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.

      You are free to decide what to use. Just tell me: what will you do when the parts that allow you to edit the key database stop being manufactured? What will you do when, say, the graphics cards you want to use require UEFI to protect their HDMI hardware? It will happen, and rather sooner than later.

      Remember: it's not paranoia when they are out to get you. And they are, oh how they are.

      • Video cards have HDCP now and they don't need UEFI to lock it down.

        • by guruevi (827432) <evi@smoking c u be.be> on Thursday August 09, 2012 @12:48AM (#40927469) Homepage

          But HDCP is also weak and has already been defeated. Secure Boot could make it hard for instance to put in a driver that would accept non-HDCP links.

          The problem is that Secure Boot is a solution looking for a problem. Boot-time malware can already be detected in software, is really hard to pull off, can be secured by not allowing software other than the OS to access the boot records and wouldn't be a benefit to anyone if it was undetectable.

          • video cards still have VGA or DVI ports with analog.

            Also most laptops have HDMI + VGA out and lots of projector setups are only cabled for VGA. Note I said cabled they have DVI / HDMI now but the cables in the rooms and switchers are VGA only on most of them.

            • by guruevi (827432)

              Yes but 1080p or 120Hz won't work over the analog line and HDCP ensures that the WHOLE SCREEN will show static when any piece of it displays a DRM-protected piece of media and the output is not HDCP secured.

              I work with high-def video in scientific systems and HDCP is a big pain in the neck as it will come on whenever and overlay static (even when no DRM is playing back especially in Windows 7). Disabling it is fairly easy but I can see where Secure Boot will refuse to boot Windows 8/9 if we don't have HDCP

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        But it is paranoia when you assume people are out to get you and ignore the facts of the matter. Facts like:

        1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.
        2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.
        3. The Secure Boot specification requires that it can be d

        • by Skapare (16644)

          1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.

          This IS THE PROBLEM. One should not have to go buy a different machine to run a different OS. Anyone who OWNS the machine should be able to install AND BOOT any OS they want. Your words are weasel words trying to make the problem look like it isn't there.

          2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.

          More stupid weasel words. The problem is not that they might stop selling hardware to be used for Linux. The problem is they won't be selling hardware that allows its OWNER to easily and securely change the OS (e.g. disabling UEFI is the wrong way to i

          • by bws111 (1216812)

            Anyone who OWNS the machine should be able to install AND BOOT any OS they want.

            This is just plain false. Anyone who OWNS a machine should be able to use that machine as the manufacturer sold it. Period. If you buy a machine that says it is Linux compatible, then you should be able to boot Linux. If you buy a machine that says it is OS agnostic, then you should be able to boot any OS you want. If you buy a machine that says it runs Windows 8, then you should be able to run Windows 8.

            Nobody is required to produce a product to your liking, ever.

            Nobody is stopping you from doing wh

            • by cduffy (652)

              Nobody is stopping you from doing whatever you want with your device that you own. Hack it up, replace the UEFI, overclock it, replace the processor, throw it in the river, do whatever you want. It's your device. But NOBODY is required to make it EASY for you to modify the device to your liking, or to make it easy for you to use the device in a manner other than as sold.

              Of course nobody is required to make general-purpose computers easy to modify -- but the market can, and should, reject efforts to make har

              • by bws111 (1216812)

                Yes, the market can do whatever it wants. But please, don't try to claim that the people commenting on this article are supporting 'the market'. The number of people who will put an OS other than the one it came with on any device (computer, tablet, phone, embedded devices) is vanishingly small. There is zero market for devices that let you do that. I don't see much acceptance of that on here.

                The market can reject it, true. The market should reject it? Why? If the vast majority of users don't care i

                • by cduffy (652)

                  If the vast majority of users don't care in the slightest about booting an alternate OS, why should they reject something on the basis that they can't boot an alternate OS?

                  Simple: Artificially limiting the uses to which secondhand hardware can be put reduces resale value.

                  • by bws111 (1216812)

                    Haha! That is a good one. So this tiny percentage of people who can't influence the device manufacturers are going to have a significant impact on the USED market? Seriously? And how many people care about the resale value of a relatively cheap item anyway?

                    • by cduffy (652)

                      So this tiny percentage of people who can't influence the device manufacturers

                      This has yet to be seen.

                      And how many people care about the resale value of a relatively cheap item anyway?

                      The people in the business of buying old hardware (which has often had its OS wiped) and reselling it for use, to start with.

        • by Hatta (162192)

          1. UEFI Secure Boot is only required for Windows 8 Logo certification.

          How many instances of Linux today are running on MS certified hardware? I'd be willing to bet most x86 Linux boxes were sold with XP or W7 stickers. What is going to happen to that segment of the open source ecosystem?

          2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux?

          Sure, Linux is a multi-billion dollar SERVER market. Are OEMs selling internet appliances to

      • by Rich0 (548339)

        I guess you meant fool-proof. And it is. It is fool-proof against all those fools who want to decide to run their own code on the computer without having to ask permission beforehand.

        You don't have to ask for permission - you just have to configure your computer to boot it. If you stick an Ubuntu CD in a PC that isn't configured to boot off of CD, it won't run that either unless you "ask for permission" by telling it to boot from CD.

        On amd64 at least you'll be able to disable it if you want, or configure it with your own keys, so that MS won't be able to install something on your PC without asking YOU for permission.

        • by gomiam (587421)

          On amd64 at least you'll be able to disable it if you want

          For now. Microsoft has already declared the preferred configuration by requiring it on ARM.

    • by kiwimate (458274)

      Excellent post. I have several times thought about pointing out these same points on UEFI, but always gave up. I figured "no point - it'll get modded down because people don't want to hear".

    • Oh ok. So it's all good and fine on x86 systems. Let's completely ignore the amount of "computing devices" which are today being released on an ARM platform rather than x86.

      I was looking forward to UEFI and ARM devices with a proper BIOS and a way to run various operating systems on them. I mean we currently have people running Android on iPhones and on PCs, we have small embedded ARM devices running Linux, but who cares about that when in the future the vast majority of ARM devices will be locked to Windows

      • by bws111 (1216812)

        Why, exactly, do you expect the "vast majority of ARM devices will be locked to Windows only"? There are millions of ARM devices in use today, with the Windows marketshare being approx 0%. Do you expect Apple and all the Android device makers to just give up and switch to Windows-only? The idea is ludicrous. The only way that would happen is if Microsoft produces such a superior product that people simply stop buying Apple and Android. Do you foresee that happening?

        • by thegarbz (1787294)

          The existence of an alternative platform to x86 will invite the microsoft certification. This has happened time and time again and there have been major court cases about people being allowed to put the coveted windows logo on their hardware. Windows 8 may be a flop but the existence of Windows on ARM at all lends weight to ARM being a viable alternative to the x86 platform in the future. In that case I actually truly expect the majority of ARM devices capable of running multiple a full blown OS to tend tow

      • by Rich0 (548339)

        While I'm all for getting rid of lock-in, the fact is that almost all arm-based systems in consumer use have locked bootloaders already. Just about every android phone in use falls into this category (and yes, I know the sliver of market share held by Nexus devices are an exception).

        • by thegarbz (1787294)

          This doesn't really counter the argument against vendor lock-in. Also the vast majority of ARM devices are actually NOT bootloader locked. Just go and check the compatibility list for Cyanogenmod.

          Anyway the main point of my post was that there's a significant number of people who are interested in doing with their devices whatever the hell they want, and this even includes installing Android on an iPhone. People want to do this and given it's their hardware we should not be promoting systems to prevent this

    • by Skapare (16644)

      The scheme is poorly designed. THAT is all the reason in the world to fight it every way possible. That and say BS to Anonymous Coward posts. I bet you are one of those Microsoft people, too. The correct way to do this is for the "chain of trust" to be rooted at the owner of the computer, not some corporation, not YOUR employer, and not Anonymous Coward.

      The BIOS can do it this way. Start with a hardware feature that does not allow OS access to (write) BIOS code or data once BIOS "flips the switch" to t

    • by Hatta (162192)

      Secure Boot is not a DRM scheme, nor is it explicitly a tool for Microsoft lock-in.

      No, it's implicitly a tool for Microsoft lock-in.

      Remember that on x86 platforms, the end-user can edit the key database, and can disable Secure Boot entirely.

      For now.

      Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.

      When Windows 9 comes around, and Microsoft w

  • by complete loony (663508) <Jeremy.Lakeman@noSpam.gmail.com> on Wednesday August 08, 2012 @08:11PM (#40925169)

    Disabling secure boot, or manually installing a new vendor key, may be easy enough for us. But it adds another large hurdle for joe average user to try another operating system. That alone is reason enough to complain about it and object to it.

    As it stands now the UEFI standard doesn't specify how the user can install a custom trusted key.

    IMHO, hardware vendors should be required to leave the trusted key set empty from the factory. UEFI should then have a standard prompt to enable secure boot and install a key found on bootable media. If Microsoft were forced to guide the user through the same process that a linux installation would require, this process would get the attention it deserves to make it as user friendly and standardised as possible.

    • I wonder if you might be able to estimate how many "average joe users" attempt to install other operating systems. Anyone who even know consider installing Linux is pretty much by definition not average.
    • by waveclaw (43274)

      Joe average user doesn't know Linux exists, but let's pretend he's heard of it somewhere - maybe due to a huge marketing push by a vendor.

      With virtualization, joe average user can try another operating system even in the world of UEFI's Secure boot model. Even today Linux distros become just another "app" joe can download to joe's Microsoft desktop and run.

      There are some downsides to this. Any killer app for Linux becomes also a killer app for Windows. The experience of moving from Metro or Aero to s

      • by exomondo (1725132)

        Of course, as a Convicted Monopolist, Microsoft can report these Linuxes as viruses or trojans and refuse to run Linux virtual machines.

        No, as a convicted monopolist they are under much more scrutiny than other companies such that they don't abuse their position. I don't understand this perception that they are a convicted monopolist and somehow that means they can get away with anti-competitive practices, it means the opposite, they are a convicted monopolist so every competitive move they make is scrutinized by the US and EU.

      • by westlake (615356)

        Joe average user doesn't know Linux exists, but let's pretend he's heard of it somewhere

        Booting Linux was once just the providence of the enthusiast.

        If Joe Average doesn't know Linux exists, then booting Linux remains the sole province of the enthusiast.

        For Joe, maintaining two operating systems, software libraries, and skill sets has all the appeal of root canal. What he needs to see is the "killer app" that makes the pain worthwhile. The FOSS app that hasn't been ported to Windows.

        Name one.

    • by Rich0 (548339)

      Are you suggesting that if I sell somebody a phone it shouldn't be able to boot unless they insert an install SD card or such? Or does this just pertain to PCs? Most people buy PCs with pre-installed OSes. Is there really any value to making it so that those PCs can't be booted without sticking in a CD as the first step?

      And if that happened, how would that help? Anybody with a Windows PC will have stuck in the Windows CD, which will install the MS key and now it won't boot linux when they want to switch

  • Maybe this is more of an issue with machines that have Windows pre-installed but I'm upgrading my motherboard and it has UEFI and the gentoo wiki doesn't make it seem so bad.

    http://en.gentoo-wiki.com/wiki/UEFI [gentoo-wiki.com]

    Laptops, of course are going to be an issue.

    • by makomk (752139)

      Current motherboards with UEFI don't support UEFI Secure Boot. Once Windows 8 comes out, they'll basically be required to support it by Microsoft, who's forcing all OEMs to ship Windows 8 PCs with Secure Boot enabled.

      • by Skapare (16644)

        Having Secure Boot enabled is NOT an issue, by itself. A badly designed Secure Boot is the issue. It needs to have a means to allow the OWNER of the machine to indicate which systems are to be allowed to boot, while still having the means to verify that those OSes have not been altered. Too many OEMs won't do this because the UEFI/SB standard does not require it.

  • But it is the ROOT of the chain of trust that is wrong. Instead of some corporation being the root of trust, the owner of the computer should be that root of trust. A proper UEFI boot system needs to include an option in the BIOS to add ANY boot partition (such as the new OS you just installed) as trusted. That same menu should allow you to delete trust for any, as well. When you add trust, it scans the image to be loaded, calculates a checksum, and stores it into an area of Flash memory that can only b

    • That's pretty much how it works, except that instead of containing a list of boot loader hashes (which would require you to edit every time the boot loader is updated), it contains the list of valid signatures. But you can clear that list (thus revoking MS key), or add your own. The reason why Linux distros are signing their loaders with MS key is that it's the one that will be in the list by default on any PC that has "Certified for Windows 8" sticker on it (i.e. 99% of those sold via retail channels), and
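
The hash-list versus signer-list distinction in the comment above, and the code-signing check described earlier in the thread, as an added example that is not part of the original discussion: a simplified Python model of the firmware's allow/deny decision. The toy RSA keys (built from Mersenne primes), the image bytes and every function name are constructed for illustration; real firmware verifies Authenticode signatures against enrolled X.509 certificates rather than textbook RSA over a whole-file hash.

```python
import hashlib

E = 65537  # public exponent shared by both constructed keys


def make_key(p, q):
    """Toy textbook-RSA key pair. Constructed and insecure: the primes are
    well-known Mersenne primes, chosen only so the example runs offline."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


VENDOR = make_key(2**521 - 1, 2**607 - 1)    # stands in for the key shipped in the list
OWNER = make_key(2**1279 - 1, 2**2203 - 1)   # stands in for a key the owner enrolls


def public(key):
    return (key["n"], key["e"])


def image_hash(image):
    # Simplification: hash the whole byte string (real Authenticode hashing
    # skips some header fields of the PE image).
    return hashlib.sha256(image).hexdigest()


def sign(image, key):
    return pow(int(image_hash(image), 16), key["d"], key["n"])


def verifies(image, signature, pub):
    n, e = pub
    return signature is not None and pow(signature, e, n) == int(image_hash(image), 16)


def authorize(image, signature, db_hashes=(), db_keys=(), dbx_hashes=(), dbx_keys=()):
    """Return (allowed, reason). The forbidden list (dbx) is consulted before
    the allowed list (db), so a revocation always wins."""
    digest = image_hash(image)
    if digest in dbx_hashes:
        return (False, "image hash revoked")
    if any(verifies(image, signature, k) for k in dbx_keys):
        return (False, "signer revoked")
    if digest in db_hashes:
        return (True, "image hash enrolled")
    if any(verifies(image, signature, k) for k in db_keys):
        return (True, "signer enrolled")
    return (False, "not enrolled")


def demo():
    v1 = b"constructed boot loader, version 1"
    v2 = b"constructed boot loader, version 2"
    out = {}

    # Hash list: every boot loader update needs a new entry.
    hashes = {image_hash(v1)}
    out["hash_list_v1"] = authorize(v1, None, db_hashes=hashes)[0]
    out["hash_list_v2"] = authorize(v2, None, db_hashes=hashes)[0]

    # Signer list: any image signed by the enrolled key passes, a modified one does not.
    keys = [public(VENDOR)]
    out["signer_list_v1"] = authorize(v1, sign(v1, VENDOR), db_keys=keys)[0]
    out["signer_list_v2"] = authorize(v2, sign(v2, VENDOR), db_keys=keys)[0]
    out["tampered_v2"] = authorize(v2 + b"!", sign(v2, VENDOR), db_keys=keys)[0]

    # Owner clears the list and enrolls only their own key.
    own = [public(OWNER)]
    out["owner_db_vendor_image"] = authorize(v2, sign(v2, VENDOR), db_keys=own)[0]
    out["owner_db_owner_image"] = authorize(v2, sign(v2, OWNER), db_keys=own)[0]

    # Revoking one vulnerable build by hash overrides its otherwise valid signature.
    out["revoked_v1"] = authorize(v1, sign(v1, VENDOR), db_keys=keys,
                                  dbx_hashes={image_hash(v1)})[0]
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'boot' if allowed else 'refuse'}")
```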
