Matthew Garrett Makes Available Secure Bootloader For Linux Distros

Posted by timothy
from the working-with-the-work-around dept.
TrueSatan writes "Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation/booting of secure boot enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft. Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product."

  • Yay! (Score:5, Interesting)

    by wgoodman (1109297) on Saturday December 01, 2012 @08:59AM (#42153915)

    I'm really proud of him and I really hope that there is no ensuing lawsuit for violating some sort of propitiatory BS.

    • Re:Yay! (Score:5, Funny)

      by Anonymous Coward on Saturday December 01, 2012 @09:30AM (#42154013)

      violating some sort of propitiatory BS

      Yeah I really hate all that appeasing the gods BS, too.

      • Re: (Score:2, Informative)

        by Russianspi (1129469)
        I'm dying for a mod point here. I don't care if you're an AC. That's FUNNY!
        • Re:Yay! (Score:5, Insightful)

          by Anonymous Coward on Saturday December 01, 2012 @12:25PM (#42154713)

          You should never care if it is an AC.

          It is the message that is important, not the messenger. Why, after 11 years of using this site, should I register an account? My words stay the same. All it would be good for is group validation through karma whoring. I'd rather be ignored out of irrational bias than lauded for conforming to groupthink.

          • by thegarbz (1787294)

            The problem is karma actually provides a good system for weeding out the abusive troll, but not the clever troll. People who register an account and act like many of the ACs here will end up with a very poor default karma and thus their comments will be hidden per default slashdot settings. Yet if you post something completely indifferent you will still end up with karma that gives you a default score of 1 when you post.

            That's the only reason I signed up for an account. I had things to say, and they never g

      • Given that conciliatory is a synonym for propitiatory, I suspect any scenarios involving Red Hat becoming litigious are unlikely to involve Red Hat acting in a conciliatory fashion on the matter at any point in the next decade or so thereafter.

      • Re:Yay! (Score:5, Interesting)

        by TheRealGrogan (1660825) on Saturday December 01, 2012 @02:24PM (#42155459)

        Here's what's funny. The chainloaded "Grub" boot loader is actually circumventing the secure boot, because it has its own "OS kernel-like" functionality until it passes control over to the kernel components that it's booting. Grub was used to circumvent Microsoft's DRM, and now it will be used to circumvent their secure boot nonsense. I love it.

        Grub is way more complex, knowledgeable (figuratively speaking... it's got high level filesystem drivers etc.) and functional than any bootloader Microsoft would envision. They'll be crying foul. Not only will this be used to boot Linux, but it will also allow booting any other OS without signing.

    • Re:Yay! (Score:4, Interesting)

      by Anonymous Coward on Saturday December 01, 2012 @12:15PM (#42154669)

      He violated nothing. The better question to ask is "who the hell does MS think it is?" They don't and cannot control the HW manufacturers. Nothing stops independent HW dealers in Asia or wherever from selling directly to consumers. Look at Google, Amazon, and other large companies. They design and buy their HW direct from the manufacturer, cutting out the middle man. Cutting out the middle man is ALWAYS the right thing to do. No one is entitled to a profit. No one has the right to demand I buy from them and their overly-capitalist markup system. Screw all that.

      I am going to start looking into buying from the source, even as a consumer. I have the right to buy from the source just like a company. I'm tired of dealing with the MS tax on computers. MS was and is a monopoly. I have used Linux as my home desktop/laptop system since 1998 and now this is happening. Screw any and all who would attempt to even try and dictate my actions with HW I've paid money for.

      • Re:Yay! (Score:5, Funny)

        by Anonymous Coward on Saturday December 01, 2012 @01:22PM (#42155031)

        Cutting out the middle man is ALWAYS the right thing to do.

        Next time you're sick, I'll call the undertaker.

      • by sethstorm (512897)

        Cutting out the middle man is ALWAYS the right thing to do

        Unless it comes to the HR department, where the lack of a middleman between a worker and the employer (incorrectly) is considered a problem.

  • by knuthin (2255242) on Saturday December 01, 2012 @09:21AM (#42153969) Homepage
    Can anyone explain to me like I am 5 how this must be working? Or speculate?
    • by Kergan (780543) on Saturday December 01, 2012 @09:37AM (#42154043)

      In simplistic terms, it's a bit like on iOS devices: they'll only boot software that is signed by Apple, thus preventing low-level viruses and such from tampering with the OS.

      In more complicated terms, I'll defer to the wiki page [wikipedia.org].

      • by schitso (2541028) on Saturday December 01, 2012 @09:39AM (#42154055)

        thus preventing people from using their hardware as they see fit.

        FTFY

        • "thus preventing Romanian hackers from installing undetectable bootkits on your dad's computer"

          Fixed that for you

      • by knuthin (2255242)
        No. I don't mean UEFI. I mean the bootloader. How can it work without the key that all distributions are supposed to have (the one that first Fedora and later Ubuntu, OpenSUSE and Linux Foundation were paying Microsoft/Verisign for)?
      • by Tuoqui (1091447)

        And we've all seen how well it stops people from rooting or jailbreaking iOS devices because an Apple product has never been rooted or jailbroken before.

  • by ClaraBow (212734) on Saturday December 01, 2012 @09:24AM (#42153981)
    Will someone please clarify for me if we will always be able to buy computers without a secure bootloader, or will I have to deal with this shit sometime down the road. Thanks!
  • Kudos (Score:4, Funny)

    by cheesybagel (670288) on Saturday December 01, 2012 @09:27AM (#42153995)

    The man delivered! I really hate not being able to use GRUB or some other bootloader anymore. Why the heck can't I choose what to install on the computer I bought with my own money? Imagine you were Linux Torvalds trying to write your own operating system but in a computer with UEFI enabled.

    The way to get the key is also particularly weird. It's like Microsoft has gone out of their way to make it so you need to use Windows to get a key. .CAB files, Silverlight applications, .exe to generate a key, etc.

    You can't even choose not to enable UEFI anymore. I bought a 3 TB hard disk recently and the BIOS isn't able to see anything above 2 TB on a non-UEFI system without GPT partitions.

    • s/Linux/Linus/ Sorry dude.
    • Re:Kudos (Score:4, Informative)

      by recoiledsnake (879048) on Saturday December 01, 2012 @09:42AM (#42154081)

      First UEFI != UEFI Secure Boot.

      Second, you can turn off Secure Boot in the settings. So, I am guessing the young Mr. Torvalds would be smart enough to do that.

      Third, the keys are editable, i.e. you can remove Microsoft's key and add your own or Linux's key if you don't trust Microsoft and that'll stop your machine from ever booting Windows. Thus, you're really in control of your computer. The defaults are set up that way to stop undetectable bootkits infecting your mom's computers because she just wants to run Excel and doesn't know or care about signing keys and hashes.

      There is so much FUD and misinformation being spread by stupid people.

      • Re:Kudos (Score:5, Informative)

        by bmo (77928) on Saturday December 01, 2012 @10:01AM (#42154143)

        But to get your own key, you have to shell out 99 bucks.

        That's fucking galling. It's a tax.

        --
        BMO

        • Re:Kudos (Score:5, Informative)

          by jonwil (467024) on Saturday December 01, 2012 @10:24AM (#42154219)

          No.
          The $99 fee is if you want to get stuff signed with the default Microsoft keys (or rather, with a chain-of-trust that ties back to the default Microsoft keys).

          Anyone can load new keys into the UEFI boot key-store no problems via the BIOS options.

          • Re:Kudos (Score:4, Interesting)

            by cheesybagel (670288) on Saturday December 01, 2012 @10:57AM (#42154347)
            The Microsoft key comes pre-loaded with every BIOS. Try installing your own key in the UEFI boot key store and see how easy that is. Microsoft users just pop in a DVD and install. Linux users can't do that.
            • First of all, adding keys should NOT be with a simple click or else malware will just instruct users to do that to watch DancingBunnies.exe

              Second of all, it isn't that bad. There are GUI screens navigable with a mouse (unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".

              If there are users incapable of doing that, do you really expect to be able to in

              • Re:Kudos (Score:5, Informative)

                by greenbird (859670) on Saturday December 01, 2012 @03:01PM (#42155733)

                Second of all, it isn't that bad. There are GUI screens navigable with a mouse (unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".

                It's a much bigger deal than apologists are making it out to be. It's a big step in making the switch to Linux MUCH more difficult.

                For the last ten years or so Linux has been easier to install on a raw machine than Windows. Microsoft finally came up with a way to reverse that. And of course it has nothing to do with making their OS easier to install.

                Also no more booting a live CD/DVD so you can try things out or show them to someone. No more Knoppix STD when you're trying to figure out what crap your mom got on her computer this time or recover data from a flaked hard drive. Etc, etc...

          • by neokushan (932374)

            I don't suppose you (or anyone else) knows if these options (loading keys, disabling secure boot, etc.) will be available from all OEMs or is it something they can choose to not implement if they want?

            I know with Windows RT, it's all locked down with no way to change it but that's not a "real" PC in any term.

            • by PPH (736903)

              I know with Windows RT, it's all locked down with no way to change it but that's not a "real" PC in any term.

              Right. It's not a "real" PC. It's an ARM based mobile device.

              Because Microsoft smells the death of "real" PCs and the market's migration to mobile and to ARM, away from Intel. So, sure, you can still have your beige tower and run whatever OS you want on it.

              • by neokushan (932374)

                Apparently I need to qualify my statement further: Windows RT is generally built on some sort of a SoC rather than assembling together components in the traditional sense (CPU, Motherboard, RAM, etc.). Different ARM SoC's tend to use customised code left, right and centre which includes the boot code so it's expected that it'll be as locked down as the likes of smartphones, routers, set top boxes, etc.
                At least with traditional x86 PC's, they'll (hopefully) still be made up of off-the-shelf components from p

                • by PPH (736903)

                  Well, laptops are usually not built up of components like 'traditional' PCs are. And yet the mandatory lockdown doesn't seem to apply to them. It seems to be a function of ARM/not ARM (Windows RT/not RT) rather than the hardware architecture of the device.

                  I'd expect the Windows RT architecture for ARM devices to allow for upgrades to drivers and other components for patching purposes as well as to the entire OS for new releases. So, in this sense, the s/w architecture of an ARM device needs to be closer to

                  • by neokushan (932374)

                    I don't think laptops are a fair comparison to an SoC. While the components may be generally soldered to the motherboard, they're still based off of discrete components supplied by other parties. The same motherboard can accompany several different CPUs and even different GPUs. They still use the same boot code as their desktop counterparts and things like that.

                    Still what you're saying is true, RT has to be flexible enough to allow for other components and drivers. I believe Microsoft mandates that this all

        • Re: (Score:2, Informative)

          by recoiledsnake (879048)

          First, that's to get your own binary signed with the default installed Microsoft key, so it's meant for distributors, not users who can add/remove keys without any cost.

          Also, if you think Microsoft is trying to make any money from the $99 you're sorely mistaken.

          Read this and I hope you have enough reading comprehension skills to understand the reasoning behind Microsoft's fee.

          http://indiegames.com/2012/09/valves_solution_for_steam_gree.html [indiegames.com]

          If there was no fee, every Russian malware author will apply thousand

  • Fuck secure boot. (Score:4, Insightful)

    by bmo (77928) on Saturday December 01, 2012 @09:34AM (#42154031)

    I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is acquiescing to the concept and "working with it."

    Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarrassed into doing the right thing.

    Secure boot was never about protecting the end user.

    --
    BMO

    • Re: (Score:3, Insightful)

      by budr (111245)

      What BMO said. Where's a +10 when you need it.

    • by zakeria (1031430) on Saturday December 01, 2012 @09:50AM (#42154111) Homepage
      exactly; this is just another attempt to stifle any forthcoming competition in the OS development arena and at the same time helping to cement the belief in people that the PC only has one true OS that should be running on the machine namely Microsoft Windows!
    • by eexaa (1252378)

      Don't frown upon this please. It is usually better to first show that any resistance is futile, before politely asking not to put such weird and unusable features into production machines.

      • by bmo (77928)

        There was a time when the community embarrassed Intel into not putting serial numbers into their processors.

        I miss that time.

        We have become soft.

        --
        BMO

    • by bytesex (112972)

      Because secure boot actually has real, nice consequences, open source or not?

      • Re: (Score:2, Interesting)

        by bmo (77928)

        If you could generate a self-signed key for free, then I would have less of a problem with this.

        But to get a key, you have to pay a notary and prostrate yourself before Microsoft and get their blessing, for 99 bucks. It's a tax on kernel builders and hobbyists who compile their own kernels with experimental patches - a tax on progress for BSD, Linux, Haiku, everyone who isn't Microsoft. It's also a hoop to jump through deliberately engineered to scare the less informed and to make it inconvenient to use

        • Re:Fuck secure boot. (Score:4, Informative)

          by Multiplicity (2498210) on Saturday December 01, 2012 @11:10AM (#42154373)

          No, no, no. You got it wrong.

          I hate this whole kerfuffle as much as everybody, but the part about not being able to load self signed keys isn't correct. You can load self-signed keys into the UEFI boot key-store right from the UEFI UI. Of course that will prevent Windows 8+ from booting, but that's another story. You can disable it altogether, with the same result.

          So you can either disable secure boot or have your own chain of trust separated from Microsoft and boot other OSes. BUT if you want to boot Windows 8+ you have to enable it and use Microsoft's chain of trust, and it is in THAT case, when you want to also boot other OSes, that you must have the other OSes' bootloaders signed by Microsoft.

          This shim bootloader represents a convenience to the users of that specific case (which indeed is the most common one). They have a "generic" Microsoft-signed bootloader along with some tools to extend a chain of trust from that bootloader to another one, and this second one won't have to get through the dreaded certification process (which indeed forces you to use Windows).

          The problem here is NOT UEFI / SECURE BOOT. The problem is MICROSOFT CERTIFICATION PROGRAM. That's where they boycott the whole industry, and where they should be given a fight. That stupid certification process they combined with a twisted use of the new capabilities of UEFI. Make no mistakes, shouldn't UEFI exist today, they would still be looking for ways to exploit their certification program to make manufacturers do anything they want, just so they can bless them with being "Win compatible". THAT is the great lie right there, by which they have the industry inexplicably grabbed by the balls.

          The solution of course would be everyone giving the finger to Microsoft on their fucking certification program, and a more open competition would arise. I very much want to see how long they last on that environment.
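
The two-stage chain of trust described in the comment above (firmware key store, a shim signed by a pre-loaded key, a second loader checked against keys the user adds), as an added example that is not part of the original comment and not code from the shim project. It is a simplified model: the signature scheme is textbook RSA over fixed primes for illustration only, and every name in it (`ToyKey`, `boot`, the key names, the image byte strings) is hypothetical.

```python
"""Toy model of a two-stage chain of trust (constructed example, not shim's code)."""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key


def digest(image: bytes, n: int) -> int:
    """SHA-256 of the image, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


@dataclass(frozen=True)
class ToyKey:
    """Textbook RSA over fixed Mersenne primes: illustration only, not secure."""
    name: str
    n: int
    d: int

    @classmethod
    def make(cls, name: str, p: int, q: int) -> "ToyKey":
        return cls(name, p * q, pow(E, -1, (p - 1) * (q - 1)))

    def public(self) -> tuple:
        return (self.name, self.n)

    def sign(self, body: bytes) -> "SignedImage":
        return SignedImage(body, pow(digest(body, self.n), self.d, self.n))


@dataclass(frozen=True)
class SignedImage:
    body: bytes
    signature: int


def signer_of(image: SignedImage, trusted: list):
    """Name of the trusted key whose signature matches the image, else None."""
    for name, n in trusted:
        if pow(image.signature, E, n) == digest(image.body, n):
            return name
    return None


def boot(firmware_db: list, shim: SignedImage, shim_keys: list, loader: SignedImage):
    """Stage 1: firmware checks the shim. Stage 2: the shim checks the loader."""
    if signer_of(shim, firmware_db) is None:
        return "firmware rejected shim"
    if signer_of(loader, shim_keys) is None:
        return "shim rejected loader"
    return "booted"


def demo() -> dict:
    # Hypothetical keys: one pre-loaded in firmware, one generated by the user.
    preloaded = ToyKey.make("preloaded-vendor-key", 2**61 - 1, 2**89 - 1)
    user = ToyKey.make("user-enrolled-key", 2**107 - 1, 2**127 - 1)
    stranger = ToyKey.make("unknown-key", 2**61 - 1, 2**107 - 1)

    firmware_db = [preloaded.public()]  # what the machine ships with
    shim_keys = [user.public()]         # assumption: kept outside the signed shim image

    shim = preloaded.sign(b"shim image (constructed sample)")
    loader = user.sign(b"second-stage loader (constructed sample)")
    patched = SignedImage(loader.body + b" + bootkit", loader.signature)

    return {
        "normal": boot(firmware_db, shim, shim_keys, loader),
        "loader modified after signing": boot(firmware_db, shim, shim_keys, patched),
        "loader signed by unknown key": boot(
            firmware_db, shim, shim_keys, stranger.sign(loader.body)),
        "shim modified after signing": boot(
            firmware_db, SignedImage(shim.body + b"!", shim.signature), shim_keys, loader),
        # Without the shim, firmware would have to trust the user's key directly.
        "loader handed straight to firmware": signer_of(loader, firmware_db),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case shows why the intermediate stage matters in this model: the user-signed loader is not accepted by the firmware key store on its own, only through the shim's separate key list.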

          • The problem here is NOT UEFI / SECURE BOOT. The problem is MICROSOFT CERTIFICATION PROGRAM. That's where they boycott the whole industry, and where they should be given a fight. That stupid certification process they combined with a twisted use of the new capabilities of UEFI. Make no mistakes, shouldn't UEFI exist today, they would still be looking for ways to exploit their certification program to make manufacturers do anything they want, just so they can bless them with being "Win compatible". THAT is the great lie right there, by which they have the industry inexplicably grabbed by the balls.

            The solution of course would be everyone giving the finger to Microsoft on their fucking certification program, and a more open competition would arise. I very much want to see how long they last on that environment.

            You're close, and much better informed unlike the other modded up posts which are simply put, retarded. But you got a few things wrong.

            The motherboard manufacturers and OEMs offered RedHat and others to include their keys. But they or the Linux foundation are too afraid to maintain a key signing infrastructure and to filter malware and are shirking from the responsibility. Perhaps your energy is better directed at making an organization which does key signing instead of just blaming MS for their certificati

        • by bytesex (112972)

          It isn't about the kernel - it's about the boot loader. And yes, I agree that there should be a dip switch on the motherboard that disables secure boot (letting this know to the boot loaders, so that they won't boot potentially).

          "It's a tax, an inconvenience, and it does absolutely nothing in reality to protect the end user."

          Yes it does, it's just that you don't see it. Probably because the end user scenarios that you can think of, don't involve it. But when a box is properly tamper-evident, secure boot doe

        • If you could generate a self-signed key for free, then I would have less of a problem with this.

          Oh please, you can do exactly that.

          It's clear by your posts that you're out of your technical depth here in spite of your misinformed rants getting modded up by clueless moderators. Your every new post on this topic shows that you're probably a 14 year old kid who just got his new Macbook and iPad.

          May I ask what you do for a living? Or are you afraid to tell us?

    • Re: (Score:2, Insightful)

      by jonwil (467024)

      secure boot is in no way "Trusted Computing 2.0" and Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completely AND for the user to install new keys of their choice.

      Also, Secure Boot is very much about protecting the end user. It stops unknown/untrusted/unwanted low-level code running including many of the new breed of viruses that infect the master boot record to make it harder for anti-virus programs to defeat them.

      Now if a manufacturer of x86 PCs sta

      • Re:Fuck secure boot. (Score:5, Informative)

        by bmo (77928) on Saturday December 01, 2012 @10:40AM (#42154265)

        "Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completely AND for the user to install new keys of their choice."

        A half truth is a whole lie.

        Stop lying.

        The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED AND MUST NEVER BE TURNED OFF

        Shill.

        --
        BMO

        • Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completely AND for the user to install new keys of their choice.

          The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED

          And the gripping half [catb.org] is that the operating system for devices with an ARM CPU is not called Windows 8. It is called Windows RT (for 10" screens) or Windows Phone 8 (for 4" screens).

        • Re: (Score:2, Insightful)

          by recoiledsnake (879048)

          I love it how Windows RT tablets (which are supposed to be DoA anyway according to Slashdotters) are somehow "ARM devices" but the iPads and Android tablets, Kindle Fires, Nooks with locked bootloaders with 99% marketshare in mobile are just iPads and Android tablets, Kindle Fires, Nooks. Win32 software which is a big reason for the monopoly won't even run on Windows RT. And then they call for government intervention. Meanwhile Apple is locking everything down but the fanboys keep the discussion down. Why do

    • Oh to have mod points!...If people keep working around this crap rather than voting with their wallets they're saying it's OK. Everyone who gives a shit about this MUST refuse to buy any computer with secure boot...period.

      • by Nerdfest (867930)

        I'd like to know why there's all this outrage about this, but iOS devices which are even worse get a pass. Someone above said you can actually install your own key and remove the Microsoft ones as well.

        • by Nerdfest (867930)

          I'd also like to clarify that by "someone above" I meant a previous commenter, not FSM. Sorry for the confusion.

        • by bmo (77928)

          >but iOS devices which are even worse get a pass

          No they don't, not from the technorati. The lumpenproletariat don't care, but that's because they don't know and don't want to know.

          Just because Apple does it doesn't make it right for Microsoft to do it.

          "Timmy, stop hitting Audrey on the playground! It's not nice!"
          "But moooom, Bobby was hitting Audrey too!"

          Fucking schoolyard mentality.

          --
          BMO

          • by Nerdfest (867930)

            I'm not saying it's right, I'm saying people should call Apple on it as well. Apple is defended regularly here, which is a somewhat technically literate site.

            • which is a somewhat technically literate site

              No longer, my friend. It's now all kids who think it's cool to hate on MS and then many run to buy the latest iDevices and then promote it to everyone around them.

              It's more about hating on MS and bringing them down than fighting for true user and developer freedom. Since Apple is a rival to MS, it gets a free pass and even promotion on Slashdot even though it goes much farther than Secure Boot and implements the Palladium spec to the letter to all programs runnin

          • by tepples (727027)

            No they don't, not from the technorati. The lumpenproletariat don't care, but that's because they don't know and don't want to know.

            The problem here is that marketing a product to the technorati and only the technorati is often unprofitable. The proles dictate what enjoys economies of scale. Otherwise, for example, there would be more video games targeted at members of the technorati who want to replace a video game console with a home theater PC. Instead, because of tradition, video games in console-style genres tend to be released only for PlayStation 3 and Xbox 360 and not ported to the PC, despite that PCs use an operating system th

    • by DRJlaw (946416)

      I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is acquiescing to the concept and "working with it."

      Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarrassed into doing the right thing.

      We will tolerate no dissent! Not only will we refuse to use

    • by westlake (615356)

      I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is acquiescing to the concept and "working with it."

      The community is not united against secure boot. There are real benefits for the user.

      One security threat that has been getting a lot of interest lately is the ability to ensure the integrity of the early boot sequence - the handoff of control from the lowest level system firmware (traditionally provided by the hardware vendor) through to the operating system kernel. This is important because there have increasingly been real-world exploits where fraudulently modified early boot code has introduced vulnerabilities into the operating system.

      To confront this challenge, the upcoming generation of system firmware, referred to as Unified Extensible Firmware Interface (UEFI) secure boot, has capabilities in the system startup sequence designed to only pass control to operating system software that can be confirmed to be not tampered with. The mechanism used to confirm the integrity of operating system software is not novel, rather it uses traditional key signing and variations of checksumming. While these mechanisms have traditionally been used higher up in the software stack and later in the startup sequence - what is new is the fact that these validation checks are expected to now be available at the earliest points in the system startup sequence. Performing the checks early is crucial as it provides a safe, verified starting point.

      UEFI Secure Boot [redhat.com] [Tim Burke, vice president, Linux Engineering, Red Hat]

  • Doesn't work (Score:4, Insightful)

    by Anonymous Coward on Saturday December 01, 2012 @10:23AM (#42154213)

    I happen to have a computer with Secure Boot enabled by default. Matthew Garrett's boot loader doesn't work while Secure Boot is enabled. The reason being that the machine will not (repeat not) boot from any device except the hard drive unless Secure Boot is first disabled. The steps to load any OS, with or without Secure Boot support, go like this:

    Enter into UEFI control panel.
    Disable Secure Boot
    Enable Legacy boot options
    Enable specific Legacy device, such as DVD drive
    Save settings and reboot.
    Change boot device to DVD

    If Secure Boot is turned on, "Legacy" devices can not be used to boot the computer. Therefore having this boot loader doesn't do any good on machines with Secure Boot enabled. It has to be turned off just to access the installation media.

    • by cynyr (703126)

      Please provide the exact text that will show up on each menu/button. Ohh right, UEFI did not spec the menu/configuration structure and naming conventions. So directions for a VENDOR1 may not work for VENDOR2, and worse than that VENDOR1-2012 may not work for VENDOR1-2013.

      So yea, that is really the issue here. It's like explaining to someone (who has issues with why Gmail and their computer can have different passwords) how to boot their computer from a USB stick. There is no common layout to BIOS and the s

    • Re:Doesn't work (Score:5, Informative)

      by mjg59 (864833) on Saturday December 01, 2012 @03:08PM (#42155803) Homepage

      If your system currently has Windows 8 installed, then do this:

      1) Insert the install media
      2) Mouse to the bottom right
      3) Select "Settings"
      4) Click "Power"
      5) While holding down shift, click "Restart"
      6) Click "Use a device"
      7) Click your install media

      This is a little more involved than ideal, but it's got the huge benefit that it's consistent between systems rather than requiring you to use different hotkeys for different platforms.

  • What's the point of secure boot, if you can just use this bootloader to boot anything you want?
