Become a fan of Slashdot on Facebook


Forgot your password?
Operating Systems Ubuntu Linux

Ubuntu Lays Plans For Getting Past UEFI SecureBoot 393

An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to setup their own signing infrastructure separate from Microsoft."
This discussion has been archived. No new comments can be posted.

Ubuntu Lays Plans For Getting Past UEFI SecureBoot

Comments Filter:
  • by Anonymous Coward on Friday June 22, 2012 @08:55AM (#40410155)

    Along with draconian DRM and anti privacy laws, UEFI SecureBoot is crippling the computer as a tool.

    It will take generations and countless wars to undo the damage that is currently being done.

  • Next -- compilers (Score:5, Insightful)

    by Anonymous Coward on Friday June 22, 2012 @08:59AM (#40410193)

    The next step should be requiring a background check in order to have access to a compiler. Compilers are a subversive tool that is essential to creating malware, the cyberspace equivalent of a chemistry lab. Just as having an unauthorized chemistry lab should automatically make one suspect for creating drugs, explosives or chemical weapons, posession of an unauthorized compiler and of a machine that does not have a secure boot should make one suspect of cyberterrorism.

    Of course, this is impossible right now, just as fifty years ago nobody would have taken such a dire view on chemistry. However, the next generation of people raised in fear of pedophiles and terrorists will work hard to make this a reality. And the generation after that will be the blessing of knowing that things have always been like this, since all authorized books will be in electronic format, periodically updated with the best and most recent knowledge about the past.

  • by cdwiegand ( 2267 ) <> on Friday June 22, 2012 @09:01AM (#40410209) Homepage

    Because Apple doesn't care if you load Linux - they're a hardware company (well, user experience company, but anyways). You've already bought their hardware and software. But Microsoft, which has the x86/x64 non-Mac world by its balls, is a software company, so they will do things that strategically make non-Windows software harder. So a similarly-capable Acer, as an example, is going to be more locked down than your Mac.

    Hence, I'm slowly finding myself thinking of buying Mac hardware again, even given the higher-than-I-need quality (and price).

  • by Anonymous Coward on Friday June 22, 2012 @09:04AM (#40410257)

    enjoy your microsoft tax, fags.

  • So... (Score:3, Insightful)

    by SuricouRaven ( 1897204 ) on Friday June 22, 2012 @09:07AM (#40410291)
    In order to compete with Microsoft, they have to beg Microsoft to sign their bootloader? UEFI's secure boot was dubious idea at best, and Microsoft has just hijacked it into a way to greatly inconvenience all the competition under the excuse of security against a threat that barely exists. Red Hat and Fedora might be able to jump through these hoops and beg Microsoft for permission to compete (Which I sure will involve a hefty signing fee for 'administrative costs') but how are the hundreds of smaller distros and niche distros supposed to exist? Right now the only concession made to them is that Microsoft generously permits for secure boot to be disabled (though only on x86, not ARM) - and who here trusts them not to reverse that policy in a few years?
  • by oakgrove ( 845019 ) on Friday June 22, 2012 @09:09AM (#40410315)
    How do you presume they build their own laptops and x86 tablets?
  • by kav2k ( 1545689 ) on Friday June 22, 2012 @09:11AM (#40410331)
    There are, however, easy-to-use piracy tools for Windows that do exactly that. I'm pretty sure it's a big chunk of MS motivation for the whole mess.
  • by Sloppy ( 14984 ) on Friday June 22, 2012 @09:11AM (#40410341) Homepage Journal

    That's what I like about it. They're not even paying lip service to that bullshit official purpose. Red Hat made it sound like they have drank some of the Koolaide, with all their worrying about how the person who owns the computer might abuse an unsigned module to take control of their computer.

    Once you're running your bootloader, then the issue is over. There is no need to further check for any other signatures or try to guarantee that the owner can't run their own code. You have satisfied the requirement and thereby gotten the computer to work.

  • crazy stuff (Score:4, Insightful)

    by l3v1 ( 787564 ) on Friday June 22, 2012 @09:16AM (#40410377)
    I have multipl issues wih this whole uefi secureboot shebang.

    How can it happen that one company (however large) can seemingly make most of the manufacturers to comply with their crazy ideas? The option to easily disable uefi secureboot _should_ be there on every and each motherboard (desktop, server or laptop). It should not be the manufacturer (and indirectly Microsoft) who decides what kernel and drivers (regardless f the operating system) a user or developer uses. How would anyone make custom kernels and/or modules (Linux) and/or drivers (e.g. Windows) if signing everything through a 3rd party signing service would be required every time? This is crazy.

    Second, I don't like where Fedora/RH and Ubuntu are going with this. Aligning with MS on this issue is definitely not the right way to go and most people start to see this. Yet, nobody seems to want to find a way out, most seem to even have stopped protesting, or asking for mandatory secureboot disable options. There are not only 2 distros out there, there are a lot more of them, and most of them will not go along with MS-signing kernels and drivers. Also, if Ubuntu goes for a secureboot lockdown scheme, they might be good from the enterprise side, moving away from the average users, and that just might be what they want to do.

    Some still say this whole thing is a non-issue and too much fuss about nothing, but if it were so, then please, for crying out loud, why is there so much smoke around about the planned existance or non-existance of a secureboot disable option? If manufacturers would just say disabling will be there always, this whole issue would just go away.

    The biggest problem still is that most average users can't see the point in all this, simply don't care, thus unwillingly participating in making it worse for those, who do.
  • by blueg3 ( 192743 ) on Friday June 22, 2012 @10:19AM (#40411121)

    The point isn't to protect against bootloader infections, per se. The problem is that if you use a protection mechanism based on one layer being signed (say, signed application code), then it's made irrelevant by attacking one layer lower. So you need to sign from the bottom-most layer all the way up. That means either a signed BIOS or one that can't be changed in software, a signed bootloader, a signed kernel, signed drivers, and signed application code. The purpose of the signed bootloader isn't to protect against bootloader malware that exists now, but to protect against the bootloader malware that would appear if you started relying on a signed kernel.

    I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.

    So turn off UEFI Secure Boot.

  • by LordLimecat ( 1103839 ) on Friday June 22, 2012 @10:23AM (#40411163)

    I meant for Microsoft to add that capability to its OWN OS. Obviously it could not enforce such a restriction in Linux; I would think there, if there were a need for such protection, someone could write a kernel module that did the same thing and was an optional component for hardened installations.

    What Im saying is that rather than doing this at an EFI level and crippling all OSes, each OS maker should be responsible themselves for making sure that the MBR is untampered with.

  • by Anonymous Coward on Friday June 22, 2012 @11:22AM (#40411995)

    And also Windows malware that does exactly the same thing. At which point the Canonical key will be revoked, and all Linux distributions that relied on it will cease to function.

  • by psm321 ( 450181 ) on Friday June 22, 2012 @11:25AM (#40412051) Journal

    And how long before Microsoft and/or the OEMs start saying you can't do that?

    Not very. And I don't have much hope given the hordes of people on the last article that honestly believed that Microsoft was being altruistic in this and that anyone questioning their motives was a conspiracy theorist/had a low IQ.

  • by Kazymyr ( 190114 ) on Friday June 22, 2012 @03:11PM (#40415223) Journal

    Here's a link for an Office license for $0: []

  • Actually Mr or Mrs AC you have proved that YOU are equally clueless, as there is nothing other than AD support in Win Pro that can't be had cheap or free with third party products that run fine on Win 7 HP. I have several customers using HP at work and frankly not a single one has any trouble running a small business on HP, and if they run into any old software that won't run (rare) they simply use their original XP install that was turned into a VM and just use VMWare Player.

    So there really isn't a point of pro or enterprise unless you are working in a place that requires AD, and while ultimate does have bitlocker there are several other free disc encryption tools out there that would just as good like Truecrypt. Frankly the only ones I've ever seen with Ultimate are gamers that treat their PC as an ePeen and have more damned bling on them than an LA ricer.

    And finally I'm sorry but if you honestly think a Home user can have their PC replaced by Linux WITHOUT a full time admin to fix the damned thing when the updates crap on drivers? Well then you might be interested in these magic beans I have for sale. Linux is like a 75 Dodge sitting in a field, IF you learn all its quirks AND spend hours on fixing it up AND are willing to jump through hoops to keep it running? It can be good, maybe even a hot rod if you sink enough time in. the rest of the world would rather just get something that runs NOW and will KEEP running. That simply isn't the state of Linux right now friend, as the rants about Nvidia and ATI drivers we saw this week soundly illustrates.

"You must have an IQ of at least half a million." -- Popeye