Linux Foundation Offers Solution for UEFI Secure Boot

Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome: "The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system." The announcement adds, "The pre-bootloader will employ a 'present user'; test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."

So why even bother with secure boot

[Anonymous Coward]

As per subject

Re:just let microsoft die

[Anonymous Coward]

cause, no one else except for a small subset of geeks even care

Slave of MS

[Faisal Rehman]

LF became slave of MS and now working under its decisions: "the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader". Bad decision.

The solution is simple

[Anonymous Coward]

The solution is simple. Simply do not purchase ANY computer that requires secure boot, or does not allow you do disable it!

Personally, I think this is a "feature" that is going to come back and bite MS in the derriere.. At least I hope so! :-)

Re:So why even bother with secure boot

[Joce640k]

Exactly. Malware authors can use this.

Not if everything in the startup chain has to be correctly signed ... something which a malware author can't do.

Boot sector viruses? Zero fucks given

[GameboyRMH]

Boot sector viruses are the rarest form of virus, require root permissions to infect, and aren't especially hard to remove. And we've handed over a big chunk of freedom and made things worse for everyone to fight this minor annoyance (yeah right). This is worse than the computer equivalent of the PATRIOT act.

For newbies

[Chemisor]

Your solution of any value mostly to newbies who are incapable of going to the BIOS and typing in a new signing key (yes, all BIOS manufacturers worth buying, like ASUS, offer this option). I, for one, will not purchase any computer without secure boot. I like having a trusted hardware root. I like the fact that no malware can get in the boot process without my consent.

Re:So

[ledow]

Every time it CHANGES. RTFA properly.

Re:So why even bother with secure boot

[Just Brew It!]

RTFA. I think you'd notice if your Windows PC suddenly started displaying a Linux Foundation splash screen and waiting for you to hit Enter before booting the OS.

Re:So

[bonniot]

Yes you'll have to press a key to approve the Linux bootloader, every time it boots. Not kidding, RTFA.

I don't think so. From TFA: "To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode."

Re:So why even bother with secure boot

[bmo]

Because secure boot has never been about securely booting.

--
BMO

Re:So why even bother with secure boot

[Hatta]

And I'd be really fucking pissed off if my Linux PC required a user present at the console to reboot. Seriously, how is this a fix?

Re:just let microsoft die

[Pascal Sartoretti]

Apple is building /their/ product and trying to get everyone to adapt their needs to it. At least MS is trying to make it's product general purpose (if ineptly in some cases), and allow people to have options at every level except the OS. Apple tries to restrict options at ALL levels.

One huge difference between Apple and Microsoft is that nearly nobody is forced to buy or use Apple products : people use it by choice, and are free to use alternatives. Maybe a few persons use a Mac at work because their company enforce it, plus of course the iOS developers.

In contrast, millions (billions?) of persons use Windows and Office because they have to (company policy) or because they need to produce Office documents.

Re:So why even bother with secure boot

[Anonymous Coward]

I want a secure boot, not so corps can lock me out, but so I can lock out malware. The problem is the exact same tool can be used for both situations. You have to take the good with the bad. Like any tool, it can be abused.

I don't see what is making Windows more painful to integrate into other systems. Windows(non-ARM) does not require SecureBoot.

Re:For newbies

[Hatta]

Yeah, that works great until Microsoft deprecates the option for Windows 9 or 10. They've already done so on Windows 8 ARM tablets, why wouldn't they do it on x86 PCs?

Re:Srsly, what is wrong with you people?

[Hatta]

Secure boot is a good thing when the owner of the PC has ultimate control over which signatures are valid. But Microsoft has tipped its hand with Windows 8 ARM tablets, and I see no reason not to expect them to lock down secure boot on x86 PCs in the future.

If this was a vendor neutral initiative, I can see how it would be useful. But this is being done by Microsoft, for Microsoft. This will not end well for open source.

Re:So why even bother with secure boot

[Miamicanes]

>and still find a way to keep the code signed?

With a certificate bearing the same CN as the original? Low, as long as the bootloader realizes that it's never seen anything signed by s0m3hack3r@foo.to, and presents the user with a dialog that says something like, "You have never booted an OS signed by s0m3hack3r@foo.to, and foo.to is not recognized as a known OSS Organization. Click here to boot into your computer's mini-distro and perform an automated legitimacy lookup (internet access required), or (... options that include 'continue if you trust them' and 'cancel'...)

For a side trip, boot into a mini Linux burned into flash that can grab an ip via dhcp or connect to wifi with ssid/key stored in flash or entered now & wget a lookup of the CN from the UEFI bootloader's organization. Known malware CNs would be blacklisted & identified as such, others could be further researched using Lynx before either continuing the boot (optionally remembering the CN for future boots) or aborting.

Re:So why even bother with secure boot

[spike hay]

The average computer user is not going to be monkeying around in the BIOS. This is about making life more difficult for non-MS OSes, and reverting the mistake that was the open x86 platform.

Re:For newbies

[StormReaver]

I like having a trusted hardware root.

The problem is that Restricted Boot (euphemistically known as "Secure Boot") is not there to work in your best interest. It is there to work in Microsoft's best interest. It is just another tool in Microsoft's arsenal to make sure you can't use your computer in any manner not approved by Microsoft.

Restricted Boot is not there to protect you. It is there to protect Microsoft from you leaving Microsoft. Any statement to the contrary is smoke and mirrors to confuse you.

Re:For newbies

[Chemisor]

If motherboard manufacturers (not Microsoft) decide to not provide the option any more, we'll stop buying their boards. At this time this is a purely hypothetical and unlikely event, for that very reason. If and when it happens, we can complain and vote with our wallets; until then you're just spreading unjustified FUD.

Re:So why even bother with secure boot

[Cajun Hell]

Take it easy dude. Let's try to remember what this whole thing is for.

For all the bitching about secureboot, all currently known (yes, this can change) x86 machines which come with it, allow the user to turn it off. Remember the last 4 times you bought a new computer and, in fact, did diddle with stuff in the firmware, maybe to at least check the timings on your expensive Mushkin memory or whatever? Well, then, this whole article and the software it describes, isn't about you because you're going to turn off secure boot, making every aspect fo this boot loader irrelevant. You won't care about pressing enter, because you won't have to press enter.

This is for users who won't do that. This is for people who are dumber or lazier than your grandma's ditzy bridge partner, for which we do not expect them to follow any directions or do anything "extra" prior to using their computer. They're not installing headless servers. They're not "picky" except in the sense that they don't want to have to read or understand anything longer than one sentence. They can, and will, press enter.

The people who are opinionated enough to be "pretty fucking pissed" about pressing enter, will also tend to care enough to do what is needed in order to make pressing enter become unnecessary.

If there are any people left who become furious about pressing enter, but also feel entitled enough to refuse to turn off secureboot, but also feel entitled enough to refuse to install some other secureboot loader, those people can and should go fuck themselves. Or they can go buy a Mac. Or they can boot Windows, and (think about it) they will never notice that they're not running Linux. Just lie to them and tell them Windows 8 is Linux, and they will believe you, and the lie will never have any consequences because behind the blank smile they gave you when you lied, they already forgot what you said.