Forgot your password?
typodupeerror
Linux Hardware

UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions 185

Posted by timothy
from the next-level-reached dept.
hypnosec writes "The Linux Foundation's UEFI secure boot pre-bootloader is still in the works, and has been modified substantially so that it allows any Linux version to boot through UEFI secure boot. The reason for modifying the pre-bootloader was that the current version of the loader wouldn't work with Gummiboot, which was designed to boot kernels using BootServices->LoadImage(). Further, the original pre-bootloader had been written using 'PE/Coff link loading to defeat the secure boot checks.' As it stands, anything run by the original pre-bootloader must also be link-loaded to defeat secure boot, and Gummiboot, which is not a link-loader, didn't work in this scenario. This is the reason a re-write of the pre-bootloader was required and now it supports booting of all versions of Linux." Also in UEFI news: Linus Torvalds announced today that the flaw which was bricking some Samsung laptops if booted into Linux has been dealt with.
This discussion has been archived. No new comments can be posted.

UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions

Comments Filter:
  • by Anonymous Coward on Saturday February 02, 2013 @05:06AM (#42769969)

    Because the alternative is to sign with your own key and enter that into the UEFI firmware. Which you can do. The complaint from some parties is that users are too stupid to do so, so bootloaders 'must' be signed with an existing key.

  • by ProfMobius (1313701) on Saturday February 02, 2013 @05:35AM (#42770049)
    Agreed. From http://www.jakobheinemann.de/en/blog.html [jakobheinemann.de] :

    The implementation in Samsungs UEFI shows some weird behavior. Error code EFI_INVALID_PARAMETER should only be returned, if one of the given pointers to variables is NULL and pointing to an invalid memory section. Samsungs implementation also throughs this error, if the given memory blocksize is not exactly 128 bytes, so for example (like the Linux-efivars module does) 1024 bytes. The Linux module does not expect the strange error code (it checks for NULL pointers itself) and does not report any UEFI variables, no boot entries, no nothing. The installer accepts that and installs the Linux boot entry into the first slot, where actually the boot entry for the setup is located - overwriting that entry! Setup is dead since Linux took its boot entry.

    It does look like the Samsung implementation is doing weird things and Linux is doing weird things in return because it is expecting it to follow standards...

  • by bcmm (768152) on Saturday February 02, 2013 @07:26AM (#42770309)
    It's a misdirection. We direct our anger at untouchable faceless corporations instead of individuals who are actually vulnerable at election time.
  • Re:Alternatives (Score:4, Informative)

    by Anonymous Coward on Saturday February 02, 2013 @07:34AM (#42770339)
    Which they do. Every motherboard out there can have its secure boot disabled by the user, in addition they should all accept custom keys.
  • by segedunum (883035) on Saturday February 02, 2013 @08:16AM (#42770469)
    I don't know where people get that idea from. If you read the kernel people are just disabling the driver because the code is so utterly retarded. Samsung haven't done shit about it as is typical for Samsung.
  • Re:Alternatives (Score:4, Informative)

    by nojayuk (567177) on Saturday February 02, 2013 @08:22AM (#42770481)

    Not implementing UEFI means the mobos can't be used in a production environment where they can receive the coveted "Windows 8 Ready" approval for millions of customers in the coming years. Continuing with the older BIOS system means they can easily boot alternative OSes for a few thousand enthusiast customers (who can in fact use UEFI anyway) but they lose the much bigger market. Decisions decisions...

    Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

  • Re:Yeah (Score:4, Informative)

    by Microlith (54737) on Saturday February 02, 2013 @04:10PM (#42772913)

    It is not written into the UEFI spec. In fact, the UEFI specification makes no such statements with respect to it being possible to disable secure boot, only how it is supposed to work. That was done deliberately.

    The only reason you can even turn off secure boot on hardware now is because Microsoft caught shit for the first pass of their guidelines that left it up to OEMs whether or not users would be able to turn off secure boot. Had they left like that you can guarantee that Samsung et. al. would have locked every laptop and desktop they shipped with Windows 8 and you would never actually own your PC again.

    I bet Samsung is more pissed that Microsoft changed it so they had to allow for unlocks than they are at their own developers.

A failure will not appear until a unit has passed final inspection.

Working...