SUSE Slowly Shows UEFI Secure Boot Plan 190
itwbennett writes "One blog post at a time, SUSE is revealing its plan for getting SUSE Linux Enterprise Server (SLES) to boot on machines with UEFI Secure Boot. The short version: 'For now, it seems, SLES will implement an approach similar to that used by Fedora,' writes Brian Proffitt. '[Director of the SUSE Linux Enterprise Olaf] Kirch's first blog entry on Tuesday merely introduced the problem of UEFI Secure Boot. Today's blog only specified the use of the shim bootloader.' Just dying to know what's next? Tune in to the SUSE blog."
There's a totally open source verified boot (Score:3, Insightful)
running on Chromebooks. All source is there. You can download it and study it and build something good on it.
So what are the "open source OS companies" putting all their effort into? Satisfying a closed, proprietary system designed to lock users in. Very disappointing.
All that fighting for nothing? (Score:4, Insightful)
I don't get it.
So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?
You know what? Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.
Playing along here is NOT THE ANSWER. Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufactures who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first). They're going to realize this mighty fast and either produce cheaper "Linux" versions of their motherboards without UEFI restrictions (or even better, without UEFI at all)- or just drop the whole Secure Boot thing all together.
Again, playing along with this mockery is the WORST POSSIBLE THING anyone could do. It's like letting the Germans into your country during 1945 because they promised they'd only ask for your papers when you're entering or leaving your own city. How long do you think it'll be until they have the same guards stationed everywhere? Train stations, food stores, clothe stores... How long before you're walking down the street in your own community and you're getting stopped for papers, only blocks away from your house?
I'm sick and tired of people saying "it's only the bootloader man, chill". Yeah, it might be today. What about tomorrow, when they drop the ability to manually disable Secure Boot permanently? What then, huh? Well, then Microsoft has the power to revoke your keys and doom your operating system to death. After everything Linux has been for, after everything Linux has stood for- why the fuck would you EVER want to give Microsoft this power?
Fedora, Ubuntu, and SUSE can kiss my fucking ass. All these distributions are a disgrace. A total fucking disgrace. The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch". So what if your users have to manually disable Secure Boot for now. At least then they'll realize what is going on here and you might actually educate a few of them as to why CLOSED PLATFORMS ARE BAD.
-AC
Re:Slashdot has gone batsh*t crazy (Score:5, Insightful)
UEFI is not a Microsoft technology. It is an industry standard intended intended to replace the archaic x86 BIOS.
OOXMLz [wikipedia.org] is a standard as well. Your point being?
Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure.
I guess you meant fool-proof. And it is. It is fool-proof against all those fools who want to decide to run their own code on the computer without having to ask permission beforehand.
Secure Boot is not a DRM scheme, nor it is explicitly a tool for Microsoft lock-in.
True, and yet... it can be used as such. Excuse me, I meant it is already being used as such (see Windows 8 on ARM).
Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.
You are free to decide what to use. Just tell me: what will you do when the parts that allow you to edit the key database stop being manufactured? What will you do when, say, the graphics cards you want to use require UEFI to protect their HDMI hardware? It will happen, and rather sooner than later.
Remember: it's not paranoia when they are out to get you. And they are, oh how they are.
It might be easy enough for us.... (Score:5, Insightful)
Disabling secure boot, or manually installing a new vendor key, may be easy enough for us. But it adds another large hurdle for joe average user to try another operating system. That alone is reason enough to complain about it and object to it.
As it stands now the UEFI standard doesn't specify how the user can install a custom trusted key.
IMHO, hardware vendors should be required to leave the trusted key set empty from the factory. UEFI should then have a standard prompt to enable secure boot and install a key found on bootable media. If Microsoft were forced to guide the user through the same process that a linux installation would require, this process would get the attention it deserves to make it as user friendly and standardised as possible.
Linux does have a spokeperson (Score:5, Insightful)
It is sad that the Linux distributions are bending over so easily, together they might have been a force to be reckoned with... they better f-well not say "we could not have known..." in a few years time, seriously.
What the linux distro distributors have failed to do, the Linux Kernel folks should pick up the slack
Do not forget, there exists a spokeperson for Linux - Linus Torvalds
It's up to Mr. Torvalds to decide which direction Linux should proceed on this UEFI issue
Re:Slashdot has gone batsh*t crazy (Score:2, Insightful)
But it is paranoia when you assume people are out to get you and ignore the facts of the matter. Facts like:
1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.
2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.
3. The Secure Boot specification requires that it can be disabled. This isn't just for open source nuts, it's also for Windows admins who want to downgrade an OS or run imaging software or run tests from a USB drive. If OEMs locked down the hardware so those tasks couldn't be completed they would go out of business.
If you think secure boot is going to take over and prevent people from running the software/OS they want, then you are being paranoid.