Forgot your password?
typodupeerror
Linux Hardware

UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions 185

Posted by timothy
from the next-level-reached dept.
hypnosec writes "The Linux Foundation's UEFI secure boot pre-bootloader is still in the works, and has been modified substantially so that it allows any Linux version to boot through UEFI secure boot. The reason for modifying the pre-bootloader was that the current version of the loader wouldn't work with Gummiboot, which was designed to boot kernels using BootServices->LoadImage(). Further, the original pre-bootloader had been written using 'PE/Coff link loading to defeat the secure boot checks.' As it stands, anything run by the original pre-bootloader must also be link-loaded to defeat secure boot, and Gummiboot, which is not a link-loader, didn't work in this scenario. This is the reason a re-write of the pre-bootloader was required and now it supports booting of all versions of Linux." Also in UEFI news: Linus Torvalds announced today that the flaw which was bricking some Samsung laptops if booted into Linux has been dealt with.
This discussion has been archived. No new comments can be posted.

UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions

Comments Filter:
  • The redesigned bootloader has already been submitted to Microsoft for singing and once the signed version is received, The Linux Foundation is planning to provide it for free.

    Why in hell did the world give Microsoft control over computer bootup hardware?

    That's just insane.

    • by Xipher (868293) on Saturday February 02, 2013 @03:14AM (#42769845)

      The alternative is to try and get every motherboard manufacturer to accept a singing key from them. Having Microsoft sign it means they don't have to deal with that headache.

      • by Zemran (3101) on Saturday February 02, 2013 @03:45AM (#42769915) Homepage Journal

        I love the idea of singing motherboards :-) it would be much better than this stupid idea that is being forced on us in order to make more money for M$...

        • by Anonymous Coward on Saturday February 02, 2013 @05:09AM (#42770141)

          It'd be loads more fun to troubleshoot as well.

          fur elise - bad ram check
          oh fortuna - check video card

          etc etc.

          Much easier than beep codes and instills a bit of culture too.

        • these days, its usually the dc/dc converters that cause motherboards to sing. coils, specifically.

          (I'm serious, actually).

          a mini-itx intel mobo that I use for music playback (fanless) sings pretty loudly. a real sick joke, that is.

          • Some people have reported that a dab of hot glue on the coils will quiet them down. (Caveat: I have not personally tried this.)
        • by antdude (79039)

          I prefer talking motherbords. I remember I had my DFI P2XBL motherboard (Revision A; 440BX) with my Pentium 2 CPU. I remember my mobo. didn't boot up and told me "CPU error". :O

        • by symbolset (646467) *
          Singing motherboards are a sign of bad capacitors.
        • by Sigg3.net (886486)

          You wouldn't love the idea of singing motherboards if you had the night to learn the BIOS beep codes for the 10 year old mail server (without backup). It would make a great alarm clock!

      • Alternatives (Score:5, Insightful)

        by fyngyrz (762201) on Saturday February 02, 2013 @04:10AM (#42769979) Homepage Journal

        Well, actually, another alternative is for motherboard manufacturers to continue to make motherboards that boot the same way as they have for some time. So older, fully functional operating systems can continue to boot.

        Of course, this would allow us to continue to use those fully functional OSs, and remove a goodly portion of the incentive to upgrade... so one might, if one were cynical, imagine that there is a corporate motive at work here.

        • Re:Alternatives (Score:4, Informative)

          by Anonymous Coward on Saturday February 02, 2013 @06:34AM (#42770339)
          Which they do. Every motherboard out there can have its secure boot disabled by the user, in addition they should all accept custom keys.
          • What the hell difference does it make, then, if the user can disable it? So somebody could e.g. modify GRUB to default to when booting Windows pass some sort of --secure-boot-on flag, and --secure-boot-off for everything else, right? In which case the only thing we gain from it is Windows patting itself on the back that it's "secure"...until somebody figures out how to hack it in about 6 months...

        • Re:Alternatives (Score:4, Informative)

          by nojayuk (567177) on Saturday February 02, 2013 @07:22AM (#42770481)

          Not implementing UEFI means the mobos can't be used in a production environment where they can receive the coveted "Windows 8 Ready" approval for millions of customers in the coming years. Continuing with the older BIOS system means they can easily boot alternative OSes for a few thousand enthusiast customers (who can in fact use UEFI anyway) but they lose the much bigger market. Decisions decisions...

          Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

          • Re:Alternatives (Score:5, Interesting)

            by Simon Brooke (45012) <stillyet@googlemail.com> on Saturday February 02, 2013 @08:53AM (#42770719) Homepage Journal

            Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

            While in practice the pragmatics of the situation are that you are right, in principal I believe that we should be talking to the anti-trust authorities - both sides of the Atlantic - because this is very clear abuse of monopoly. Unless, of course, Microsoft irrevocably commits to authorise any version of any competing operating system for free, in which case the whole point of secure boot has just vanished.

            • by westlake (615356)

              While in practice the pragmatics of the situation are that you are right, in principal I believe that we should be talking to the anti-trust authorities - both sides of the Atlantic - because this is very clear abuse of monopoly. Unless, of course, Microsoft irrevocably commits to authorise any version of any competing operating system for free, in which case the whole point of secure boot has just vanished.

              UEFI and Secure Boot are not backed by Microsoft alone.

              The Unified EFI Forum or UEFI Forum (where UEFI stands for Unified Extensible Firmware Interface) is an alliance between several leading technology companies to modernize the booting process. The board of directors includes representatives from eleven "Promoter" companies: AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies.

              Unified EFI Forum [wikipedia.org]

              Secure Boot was introduced in v. 2.2 of the UEFI spec,. ca. 2008-2009.

              The geek feels ambushed and pole-axed by a technology that has been in development for over five years. But if he had been paying attention he would known this was coming. Unified Extensible Firmware Interface [wikipedia.org]

              ''Secure boot'' is a technology described by recent revisions of the UEFI specification; it offers the prospect of a hardware-verified, malware-free operating system bootstrap process that can improve the security of many system deployments. Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware.

              Making UEFI Secure Boot Work With Open Platforms [linuxfoundation.org]

      • by exomondo (1725132) on Saturday February 02, 2013 @07:01AM (#42770435)

        The alternative is to try and get every motherboard manufacturer to accept a singing key from them. Having Microsoft sign it means they don't have to deal with that headache.

        Or to not use secureboot motherboards or just turn secureboot off and continue on as we do now, hell if you really wanted to use windows 8 you still could, it doesn't need secureboot either, it doesn't even need UEFI.

          1. Step 1: Create SecureBoot, and make it "optional"
          2. Step 2: Make SecureBoot mandatory on ARM
          3. Step 3: As the market continues to shift towards phones and tablets, let x86 compatibility become obsolete
          4. Step 4: There is no step 4; Linux is now locked out of all new hardware

          We're at step 2 already and step 3 is inevitable. That means we've already lost.

          • if ARM an x86 becomes a no-go, I suppose there's always a cluster of arduinos and the eventual port of linux to them.

            (yes, I'm kidding. I'm pretty sure I'm kidding..)

          • by exomondo (1725132)

            1. Step 1: Create SecureBoot, and make it "optional"
            2. Step 2: Make SecureBoot mandatory on ARM
            3. Step 3: As the market continues to shift towards phones and tablets, let x86 compatibility become obsolete
            4. Step 4: There is no step 4; Linux is now locked out of all new hardware

            We're at step 2 already and step 3 is inevitable. That means we've already lost.

            Your conspiracy theory ignores the fact that the ARM market is completely dominated by iOS and Android, I guess I missed the memo that WindowsRT is just flying off the shelves? Also that Intel and AMD would just let x86 fold into obsolescence is another ridiculous assertion. Surely you don't actually believe that companies like Samsung would abandon all the products that have made them the most prominent mobile device maker to appease Microsoft.

      • Uh, no... Merely getting the top 20 motherboard manufacturers to do thiat would do just fine...

        In fact after 4 or 5 include the keys, the rest will be scrambling over each other to "let their computers run Linux"

        Signatures can be revoked. Is it more difficult (or attractive) for 20 manufacturers to revoke keys, or for Microsoft to?

        • Good luck with that. Asus (largest motherboard maker) isn't very Linux friendly. They sometimes use semi-custom chips for peripheral functions (USB 3.0, temperature monitoring, etc.) and won't release specs to the FOSS community. The FOSS drivers do catch up eventually, but it means using a recent Asus motherboard is often a crapshoot with regards to Linux driver support. If this is how they deal with device drivers, I can't imagine them being particularly receptive to any requests to include Linux boot key

      • by ZorinLynx (31751) on Saturday February 02, 2013 @10:30AM (#42771095) Homepage

        Why not allow the owner of the motherboard to sign their own code? This could be done at OS install, then if any malware modifies the code, it won't boot.

        Giving control to the manufacturer just sounds wrong.

        • With that approach there is still a manual procedure to install the key into the list of things trusted by Secure Boot. This is by design (of Secure Boot), otherwise malware (e.g. a rootkit) could sign itself and add itself to the list. Seems to me what they're trying to avoid is requiring the user to manually install the key or dig through the BIOS to figure out how to disable Secure Boot.
    • by fph il quozientatore (971015) on Saturday February 02, 2013 @03:16AM (#42769855) Homepage

      Why in hell did the world give Microsoft control over computer bootup hardware? That's just insane.

      I am curious - with a huge SSL signing and authorities infrastructure in place, why did no one ever think to use it? That's probably horribly broken in many other ways, but at least it will only take one solution to solve both problems, when someone manages to fix SSL.

    • by SuricouRaven (1897204) on Saturday February 02, 2013 @03:33AM (#42769891)

      Because Microsoft demanded OEMs give it that control, or else lose their access to dirt-cheap OEM windows licenses. As it is impossible to sell a computer without Windows outside of a very small niche - most users don't even know what an OS is - that gives Microsoft such bargaining power that when they demand, OEMs have no choice but to comply.

      • by PRMan (959735)
        But it also cuts down on phone support for boot sector viruses, which take significant resources for the manufacturers. So Microsoft probably didn't have to twist their arms much.
        • But it also cuts down on phone support for boot sector viruses,

          Such as?

          It's not a common vector any more.

      • You mean those Windows 8/RT licenses for devices that few consumers are buying? The OEMs got suckered because they did not have he spine to tell Microsoft where to go. Now they realize they made a mistake, but the problem is already in existence. The OEMs should make a pair of firmwares for each device, and give the purchaser the choice, not let Microsoft dictate.
    • by Bob9113 (14996) on Saturday February 02, 2013 @03:48AM (#42769925) Homepage

      Why in hell did the world give Microsoft control over computer bootup hardware?

      Because our government leaders voted that the risk of allowing corporations to inhibit competition was less threatening than the risk of allowing the government to regulate such behavior. It reflects the laissez-faire notion that corrupt elected officials are more dangerous than corrupt corporate executives. Though, in practice, our lax policy regarding such anti-free-market behavior is the result of corrupt corporate executives financing corrupt elected officials.

      • by bcmm (768152) on Saturday February 02, 2013 @06:26AM (#42770309)
        It's a misdirection. We direct our anger at untouchable faceless corporations instead of individuals who are actually vulnerable at election time.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Because the alternative is to sign with your own key and enter that into the UEFI firmware. Which you can do. The complaint from some parties is that users are too stupid to do so, so bootloaders 'must' be signed with an existing key.

      • How would entering a bootloader key into an UEFI input box be more complicated than typing a product key into an installer input box, which apparently users managed to do for quite some time?

        • by nukenerd (172703)

          How would entering a bootloader key into an UEFI input box be more complicated than typing a product key into an installer input box, which apparently users managed to do for quite some time?

          Not neccessarily more complicated, but a serious psychological barrier. Because when installing an app with a product key the user is not overriding, or conscious of overriding, a "safety feature". But entering a bootloader key will have the nature of overriding a safety feature, which will deter casual users from trying out Linux and possibly liking it. Microsoft hate it when that happens.

          Of course, most Windows users never install an OS, Windows being pre-installed. To do things at UEFI level will

    • by Mike Frett (2811077) on Saturday February 02, 2013 @04:07AM (#42769971)

      I actually sent a very long and detailed letter the DOJ about this and how it constitutes a violation of the Sherman Act. Not Five (5) minutes after sending I received a generic reply about how Microsoft was not in violation of anything.

      With all the E-Mail these people receive and the sheer size of my Letter, there is no way in hell the DOJ read my Letter that fast. What they did was see the word 'Microsoft' and instantly reject it.

      Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic.

      • by EvilIdler (21087) on Saturday February 02, 2013 @04:13AM (#42769989)

        That could potentially be an article of its own. Hope you post it everywhere :)

      • My guess would be that the DOJ has already thoroughly investigated secure boot, and hence they didn't really need to read your arguments in detail in order to determine where you are wrong. It wouldn't take more than a few seconds to scan your email and see that you were complaining about Microsoft and secure boot and throw it away.

        • by Patch86 (1465427) on Saturday February 02, 2013 @04:45AM (#42770085)

          If he was wrong, it would be nice if they could respond to each point he raised and tell him why he was wrong. Getting a reply which says "trust us, don't worry about it" is always going to be unsatisfying.

          • Re: (Score:2, Insightful)

            by KingMotley (944240)

            If he wants to find out why he is wrong, perhaps he should be consulting with a lawyer. No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.

            They are doing exactly what they should be doing. They group up emails that pertains to specific subjects then determine which ones they need to look into based on the number of people affected, the serious

            • No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.

              If they've already done the investigation, they should include the findings in the automated boilerplate response to any question about secure boot. No additional staff needed.

              • If they've already done the investigation, they should include the findings

                That is what they did.

                I received a generic reply about how Microsoft was not in violation of anything.

                They didn't say they weren't interested in reviewing the situation. They said they did review it and found they were not in violation of any current laws. Other than going into each law (or supposed law) the writer mentioned and demonstrating why it wasn't an actual breach, I don't see how this could get any clearer. If writer really wanted to know the ins and outs and have a discussion about it point for point, he should seek legal council. He doesn't seem to be interested in that,

            • by martin-boundary (547041) on Saturday February 02, 2013 @06:40AM (#42770363)

              No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.

              I'd prefer they waste their money on that, than use it to prosecute hackers who copy science papers. The money, once in the budget, will be spent regardless. If it _won't_ be spent on serving the public, it _will_ get spent on selfish career making schemes.

            • by Patch86 (1465427)

              If he wants to find out why he is wrong, perhaps he should be consulting with a lawyer. No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.

              Presumably, it is the DoJ's job to look into this sort of matter. If they have done so (i.e., tasked some of their staff or a lawyer to exam the case), presumably a report contains the findings. If I were to write to them with a serious query, I'd expect at least to be pointed in the direction of their findings.

              They are a government organisation and a public service, so their findings should reasonably be considered public (redacted if necessary, although I can't see why that would be in this case).

              I am in

              • We (citizens of the US) don't vote for those in the department of justice (DoJ), and they don't have a customer support office, nor should they. He might have a better chance writing his state representative. They typically have a larger staff, they are supposed to be a representative of their citizens, are voted into office, and as they are technically part of the legislative branch of government, are supposed to oversee the judicial branch that the DoJ is in. Which coincidentally is in the US is about

        • by segedunum (883035)

          My guess would be that the DOJ has already thoroughly investigated secure boot

          ROTFL.

      • by Sulphur (1548251)

        I actually sent a very long and detailed letter the DOJ about this and how it constitutes a violation of the Sherman Act. Not Five (5) minutes after sending I received a generic reply about how Microsoft was not in violation of anything.

        With all the E-Mail these people receive and the sheer size of my Letter, there is no way in hell the DOJ read my Letter that fast. What they did was see the word 'Microsoft' and instantly reject it.

        Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic.

        Microsoft is proprietary and not generic.

    • Re: (Score:3, Interesting)

      by sl4shd0rk (755837)

      Why in hell did the world give Microsoft control over computer bootup hardware?

      The world didnt. Microsoft, along with a handful of major hardware vendors did. This is what monopolies do.

    • Because collectively we're a bunch of dumb bastards, that's why.

      But the good news is that this new multi-bootloader is effectively a crack for UEFI secure boot. Virus writers could use it for boot sector viruses, putting the situation right back where it stood before, but with more complexity...which is probably the best we could hope for at this point. Boot sector viruses were an extreme rarity before, and I don't see them being any more common now that most Windows users aren't running with admin privileg

      • by Microlith (54737)

        this new multi-bootloader is effectively a crack for UEFI secure boot

        Last I checked, this bootloader prompts before booting anything, i.e. it would be blatantly obvious if you used it.

    • by isorox (205688)

      The redesigned bootloader has already been submitted to Microsoft for singing and once the signed version is received, The Linux Foundation is planning to provide it for free.

      Why in hell did the world give Microsoft control over computer bootup hardware?

      That's just insane.

      The idea was suggested 16 years ago, you have Stallman to blame.

      Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that. [gnu.org]

    • by c (8461)

      Why in hell did the world give Microsoft control over computer bootup hardware?

      That's just insane.

      In return, the world got some marketing incentives for shipping Windows 8 on their computers.

      That's just... wow.

  • ... no story here, move along.

  • Who would have thought that just randomly poking memory of a laptop would brick it. Long ago Samsung told me that it was just fine to be doing this, and that there would not be any problems (I based the samsung-laptop driver on code that Samsung themselves gave me.)

    Hmm... so the firmware is so retarded that bad values in RAM can permanently break the hardware?

    That sounds safe. Hope that thing comes with ECC RAM!

    • Later on in the thread someone said that clearing NVRAM is enough to fix the brick, ie. either remove the NvRAM battery or otherwise prevent it from refreshing the NvRAM for 30 seconds and you're golden. Granted, that still requires opening up the whole laptop.

  • Samsung UEFI (Score:2, Interesting)

    by Anonymous Coward

    So ... does this mean Windows installs are just as vulnerable to a malicious piece of code poking bits to the wrong memory addresses and bricking the laptop? since it's an UEFI problem, it should be OS-agnostic.

  • Samsung's response? (Score:4, Interesting)

    by harryjohnston (1118069) <harry.maurice.johnston@gmail.com> on Saturday February 02, 2013 @05:44AM (#42770213) Homepage

    Has anybody seen confirmation that Samsung will be repairing affected user's machines under warranty? Definitely a design fault, it should be impossible for software to brick hardware.

  • by segedunum (883035) on Saturday February 02, 2013 @07:16AM (#42770469)
    I don't know where people get that idea from. If you read the kernel people are just disabling the driver because the code is so utterly retarded. Samsung haven't done shit about it as is typical for Samsung.
  • While there might be a good use for something like SecureBoot, answering to a manufacturer (whether it be Microsoft or anyone else) only makes avoidance or removal the only good decisions.

    Same thing goes with TCPA/TCG equipment.

Maternity pay? Now every Tom, Dick and Harry will get pregnant. -- Malcolm Smith

Working...