The Linux Foundation's UEFI Secure Boot Pre-Bootloader Delayed

hypnosec writes "The Linux Foundation's plans for releasing a signed pre-bootloader that will enable users to install Linux alongside Windows 8 systems with UEFI have been reportedly delayed. The Foundation proposed a signed pre-bootloader that will chain-load a bootloader which, in turn, will boot the desired operating system, thus keeping Linux installations for novice users as simple as it was before. Further, this particular component is meant for small-time Linux distros which otherwise wouldn't have the required expertise or resources to develop their own system to tackle the secure boot issue. This was going as per plans up until Linux kernel maintainer James Bottomley disclosed that he has been having rather bizarre experiences with Microsoft sysdev centre. Bottomley said, 'The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was "improperly" signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key. I'm not sure how long it will take MS to get their act together but I'm hoping its only a few days." Update: 11/21 14:22 GMT by U L : See the Original weblog post, and one interesting tidbit: Microsoft banned bootloaders licensed under the GPLv3 and "similar open source licenses."

Present user test?

[SuricouRaven]

Does that mean the user has to actually be present to press a key? That renders secure boot unuseable on remote-admined or unattended servers, the very place you would most want to have a secure boot chain.

Not surprised at all

[boorack]

As of now we know that Win8 is vulnerable to a huge chunk of malware designed for older versions of Windows. This "UEFI Secure Boot" does not prevent it at all. I suspected earlier that UEFI Secure Boot wasn't designed to make PCs more secure but rather to lock down PCs, so novice users trying to check out some Linux distribution will have tough time doing so. This fiasco makes me sure that this was the case and makes me wonder why antitrust authorities don't do anything about this. This is potentially more harmful than MSIE case after all.

Disabling secure boot and dual booting?

[efornara]

I know that new laptops shipping with Windows 8 preloaded have to allow the user to disable secure boot.

Now that some laptops are out there, does anyone know if disabling secure boot will still let you run Windows, ideally even after its partition has been resized? Or will the preinstalled Windows just refuse to boot if secure boot has been switched off?

Re:Microsoft banned GPL in UEFI binaries ..

[bWareiWare.co.uk]

This restriction is imposed by the GPLv3 not by Microsoft. They are just being helpful in letting you know, they can't give specifics for all other licensees out there.

Need to replace UEFI with CoreBoot

[LinuxNeverWindows]

The way of breaking that monopoly is to replace UEFI on machines with CoreBoot (http://www.coreboot.org/Welcome_to_coreboot). This still does not support enough hardware but given a bit of support from Linux friendly companies (e.g. Clevo, IBM etc) it could be done. To see CoreBoot in action have a look at the Samsung ChromeBook with CoreBoot (http://www.youtube.com/watch?v=RypqMqtTPs8).

Re:Not surprised at all

[Wattos]

Maybe the "Secure" in "UEFI Secure Boot" referes to securing Microsofts Monopoly and existence in the OS market?

Re:Not surprised at all

[AmiMoJo]

Actually UEFI does prevent a huge amount of it, and most important all the worst stuff that was beyond the ability of AV software to get rid of. Remember all those fake anti-virus scams? They installed a rootkit that changed the low level SATA driver which is loaded very early in the boot process. UEFI prevents an OS modified in that way from booting and the Windows 8 recovery system can detect and fix it.

Re:Not surprised at all

[hAckz0r]

Yes they can and will. That is all a part of the 'forced upgrade' plan to wealth. Microsoft will do most anything to make running an old OS more painful so you will be forced to buy from them again and again. I listen to the trials and tribulations of my coworkers trying to keep their ageing xp machines running on a daily basis. One is forced by M$ to keep the machine off the net because M$ decided that his license (part of a larger sitewide license) is now counterfit. Its used for malware testing so it does not belong on the net in the first place, but restoring and re-patching it every time it is used is a royal pain.