UEFI Secure Boot and Linux: Where Things Stand 521
itwbennett writes "Assuming that Microsoft doesn't choose to implement Secure Boot in the ways that the Linux Foundation says would work with Linux, there 'will be no easy way to run Linux on Windows 8 PCs,' writes Steven Vaughan-Nichols. Instead, we're faced with three different, highly imperfect approaches: Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu. Approach #2: work with Microsoft's key signing service to create a Windows 8 system compatible UEFI secure boot key, like Red Hat is doing with Fedora."
itwbennet finishes with: "Approach #3: Use open hardware with open source software, an approach favored by ZaReason CEO Cathy Malmrose." When you can't even use a GPLv3 licensed bootloader to boot your system, you might have a problem. Why is everyone so quick to accept the corpse of TCPA in new clothes?
Re:yes and no (Score:5, Interesting)
microsoft wont go out of business but they could very easily marginalize themselves to the point that they are no longer the 800 pound gorilla of the desktop PC market, and more than likely Apple and Linux will grab more userbase, i prefer old school distros like debian & slackware so apple wont be getting any of my money
Restrict Government PC Purchases to Open Hardware (Score:4, Interesting)
It seems like the obvious way to block this type of stuff is to pass legislation requiring government agencies to only purchase PCs that are free from such encumbrances. The state and taxpayers benefit from keeping their OS options open on new computer hardware and more importantly they represent a large enough percent of total sales to actually get a proper response from manufacturers.
Another Approach (Score:5, Interesting)
(Too many #4 here already, so I'll skip the numbering)
What about clustering all Linux enthusiasts' computers together and cracking Microsoft's signing key, SETI-style? I'm not sure about the mathematics there (taking longer than the galaxy will exist, etc.), but maybe it's possible. Or maybe somebody made a mistake and the key is much weaker than it is thought at the moment (see PS3).
This is why I hate Microsoft (Score:4, Interesting)
Re:Another Approach (Score:4, Interesting)
What makes anyone think that UEFI will be any more secure than anything else Microsoft releases? Actually cracking the key may take longer than the universe has been in existence but I'm betting dear Microsoft won't do any better at engineering this than anything else. There is probably an easily exploitable hole that doesn't require actually cracking the key.
Cheers,
Dave
Flash the BIOS (Score:5, Interesting)
Re:Approach no. 4 - Do nothing (Score:5, Interesting)
WHAT?!? Secure Boot will do nothing to impede enterprise Windows users. You'll either use Windows8/2012 and have a signed boot loader or use 2008R2/7 and disable secure boot. Btw it would also do nothing to impede enterprise Linux users either, they'd either use a commercial signed distribution or build their own and have the build process install their keys into the TPM chip (trust me, enterprises already deal with crypto from internal PKI to external SSL to drive encryption).
Re:Another Approach (Score:4, Interesting)
UEFI and Secure Boot aren't the same thing.
Re:Approach no. 4 - Do nothing (Score:5, Interesting)
System admins need to wipe off the OEM stuff and install their Enterprise License stuff on new kit.
Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.
If they can't do it, they will simply ignore Windows 8 and wait for the next version
Half right... because this, basically, is wise. The other half is they will harden what they have. Microsoft early adopters and fanbois notwithstanding, Microsoft has done nothing to increase the productivity of the office worker since XP/Server 2003/Office 2003. The pitfalls of XP are well known and huge incident databases have been built: nothing can break that doesn't have an immediate fix. Seven and even Vista is still in the early stages of figuring out all the solutions of all that can and does go wrong. I think any large or medium sized corporations still on the 2003 paradigm are fine and well under the budget expendature of those idiots that needlessly and irrationally raced to upgrade as long as they are in a rotation of reimaging every XP machine every 4-6 months... if their network infrastructure is resilient to the trouble users can get into, they may never need to upgrade these to new systems until the physical machines and their components cease to function.
Re:Flash the BIOS (Score:3, Interesting)
They are almost certainly going to be requiring signed firmware images on any Win8 Logo'd hardware so no you won't be hacking the BIOS so simply.....
Frankly from a security standpoint what they are proposing makes sense. they aren't even receiving any money from the likes of Ubuntu or RedHat if they choose to use this system. Yeah, it might be painful and it's certainly different but it makes security sense if done right. Had some sort of international consortium come up with this and Microsoft joined in would we be so upset? Oh wait that sort of did kinda' happen....
Will be very interesting to see how this plays out for sure!
P.S. Anon to preserve my moderations...
EU vs monopolistic behaviour? (Score:5, Interesting)
Seems to me that this is a very serious violation of the spirit of the antitrust rulings when MS killed netscape. Why aren't our consumer protection agencies stepping in to forbid MS from doing this?
Re:Approach #4 (Score:5, Interesting)
You need to do more with a computer than just smile smugly and say "i'm runng xyz cool thing". ... Okay.. maybe *you* don't...
Ah, my little troll is back! Nice to see you again.
And you're right. Computers are tools, they are at their best when they're used to create cool (and mundane) things, and that's the subtle difference between smartphones and desktop computers that I think Ubuntu got right this time.
You see my little pet, despite what many people say, phones and tablets aren't for passive consumption, that's the role of TV, books, and maybe e-readers. What Android, iOS et al excel at is to communicate and share cool things (and mundane things, but who wants to talk about those).
The thing is, computing as a field is all about thresholds. There were text and math thresholds as CPUs/memory etc became large enough and powerful enough to run text editors, then a little faster for word processors, spreadsheets and simulators. Graphical display thresholds gave us GUIs, sound subsystem thresholds and video playback thresholds got us music and movies. There are people here who looked in awe at early Amiga/Atari demos playing two or three simultaneous animations. Desktop computer hardware stopped being a limitation to creating images, video, text, music etc in the late '90s. Phone hardware now is far past that threshold and is about to pass the capabilities of desktop computers from less than a decade ago.
Coincidentally, a decade ago was when mainstream OS development stagnated. XP was released about then, and continues to be used in business today largely because its successors do little or nothing to improve productivity. You see where I'm going with this, cherub? We have hardware with enough power to run the content creation software and fit in our pockets. That limitation is gone. The remaining limitations are the OS and software stacks, and the peripherals - big screens, digitisers, scanners etc etc, and guess what? Ubuntu has an answer.
We're seeing enough hints in the market from the likes of Asus, Samsung, Lenovo and even Microsoft that this is something the world's looking for. I'd say Canonical/Ubuntu is in a very good place right now.
Re:This is why I hate Microsoft (Score:4, Interesting)
They don't try to make better products, they just try to kill the competition. I see ads for their crap with cool songs, a lizard, and neat apps everywhere but the actual thing doesn't work. Even they can't work it right, as shown by several demos they have done. They seem to recognize it but instead of dealing with it, they just try to eliminate everyone else. Linux has a MUCH better programming environment than anything Microsoft can offer. Even its overall usability (I use Ubuntu) is more intuitive. So Microsoft tries this shit. It's not secure and it's not user-friendly. It's just meant to make Linux harder to install. And I can't support a company that takes this approach. Fuck them. It's a good thing their company is dying. Hopefully more OEMs see this and start offering Linux PC's, but I kind of doubt it.
Ok, I'm probably going to kill my karma and move from Excellent to Suspected Troll, but so be it...
Until 5-6 years ago, I would totally agree with you. I've been a *ix advocate for years and will be for a while. However, with the introduction of Windows XP, I've switched from using *ix (more specifically Red Hat, and later on FreeBSD) on my desktop to Windows. Why? Because things just work out of the box. I was used to googling for hours and hours to find the right dependencies for a certain application I wanted, which then would be conflicting with something that I'd already installed and after being forced to use Windows by my then-employer, I quickly installed it on my PCs at home, too.
When Asus came with their small netbooks, I bought a Linux version. Unfortunately I found it quite unusable so I installed Windows. Again. In my opinion, *ix is perfect, more than perfect in the role of a server. Apache kills IIS just by looking at it. Sendmail outperforms Exchange while picking its nose. SSH is far better than using RDP to administer your server.
As recent as four months ago, I tried switching to Ubuntu on my corporate Windows Vista laptop. After two days of downtime, I found that I was unable to find a decent calendaring tool that would work with the companies Exchange server. No Lync support. Only partial support for Office tools. I returned my laptop to the IT department to have a new Windows image installed and within 3 hours I was back online.
Microsoft sucks when it comes to their business practices, I fully, more than fully agree with you on that. But their products are no longer that bad as they once were.
Re:Approach no. 4 - Do nothing (Score:4, Interesting)
Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.
If you are deploying 1200 new machines Dell or HP or whoever will most likely gladly pre-install your corporate OS image for you. There will be an additional cost for doing so but it's usually much less than having your own desktop support staff doing it.
Re:Approach no. 4 - Do nothing (Score:5, Interesting)
I can't imagine how one word of that would be inaccurate.
Re:Approach no. 4 - Do nothing (Score:4, Interesting)
Why does this keep popping up? XP won't even boot under UEFI.
Re:Approach no. 4 - Do nothing (Score:4, Interesting)
Nokia N900 - Commercial, retailed phone, fully open bootloader.
But, your point still stands.
That being said, I fully expect the "unlocked" bios-emulation mode to be around for at least 8 years, if not more - corporate needs XP support. However, the lock would actially be a /good/ thing... if we can install our own keys.
I'm hoping for that sort of support, so corporate IT could sign particular versions of files and/or bootloaders and lock things down. Seems like a step up, there, so long as the accepted key list is editable.
Comment removed (Score:5, Interesting)
Re:Secure Boot won't catch on (Score:4, Interesting)