UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions

hypnosec writes "The Linux Foundation's UEFI secure boot pre-bootloader is still in the works, and has been modified substantially so that it allows any Linux version to boot through UEFI secure boot. The reason for modifying the pre-bootloader was that the current version of the loader wouldn't work with Gummiboot, which was designed to boot kernels using BootServices->LoadImage(). Further, the original pre-bootloader had been written using 'PE/Coff link loading to defeat the secure boot checks.' As it stands, anything run by the original pre-bootloader must also be link-loaded to defeat secure boot, and Gummiboot, which is not a link-loader, didn't work in this scenario. This is the reason a re-write of the pre-bootloader was required and now it supports booting of all versions of Linux." Also in UEFI news: Linus Torvalds announced today that the flaw which was bricking some Samsung laptops if booted into Linux has been dealt with.

Re:Microsoft controls compoter booting

[Mike Frett]

I actually sent a very long and detailed letter the DOJ about this and how it constitutes a violation of the Sherman Act. Not Five (5) minutes after sending I received a generic reply about how Microsoft was not in violation of anything.

With all the E-Mail these people receive and the sheer size of my Letter, there is no way in hell the DOJ read my Letter that fast. What they did was see the word 'Microsoft' and instantly reject it.

Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic.

Re:Microsoft controls compoter booting

[EvilIdler]

That could potentially be an article of its own. Hope you post it everywhere :)

Samsung UEFI

[Anonymous Coward]

So ... does this mean Windows installs are just as vulnerable to a malicious piece of code poking bits to the wrong memory addresses and bricking the laptop? since it's an UEFI problem, it should be OS-agnostic.

Re:Microsoft controls compoter booting

[sl4shd0rk]

Why in hell did the world give Microsoft control over computer bootup hardware?

The world didnt. Microsoft, along with a handful of major hardware vendors did. This is what monopolies do.

Re:Microsoft controls compoter booting

[mrbluze]

Microsoft is in bed with the US government at high levels so i don't think your letter will go anywhere.

This is significant. What is the difference between having your computer pwned by some kind of boot-time virus that feeds your info to criminals, to having your computer pwned by some kind of government official who is also a criminal?

There is no other way to look at this situation than to accept that it is an abrogation of a basic freedom - to run whatever the hell we want on hardware we paid for

Re:Microsoft controls compoter booting

[Anonymous Coward]

I think you mean if someone manages to fix SSL. The huge number of SSL signing authorities is its biggest weakness IMHO.

Samsung's response?

[harryjohnston]

Has anybody seen confirmation that Samsung will be repairing affected user's machines under warranty? Definitely a design fault, it should be impossible for software to brick hardware.

Re:Alternatives

[Simon Brooke]

Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

While in practice the pragmatics of the situation are that you are right, in principal I believe that we should be talking to the anti-trust authorities - both sides of the Atlantic - because this is very clear abuse of monopoly. Unless, of course, Microsoft irrevocably commits to authorise any version of any competing operating system for free, in which case the whole point of secure boot has just vanished.

Re:Microsoft controls compoter booting

[ami.one]

That didn't work because we were developing a thin client type of consumer device on VIA micro boards which had to do network boot with the kernel delivered by the ISP over the network and it was not possible to have a mounted rootfs - so almost everything required was in the kernel. On top of that VIA had notoriously difficult code for its drivers which would get modified by us with almost no knowledge & just trial and error. Good times.

Re:Microsoft controls compoter booting

[ZorinLynx]

Why not allow the owner of the motherboard to sign their own code? This could be done at OS install, then if any malware modifies the code, it won't boot.

Giving control to the manufacturer just sounds wrong.

Samsung didn't follow the standard. Linux did.

[raymorris]

Linux followed the IEFI standard. Samsung did not. Unambiguous foul on samsung.

More specifically, Samsung tried to implement version 2 of the standard and advertised it as version 2, but accidentally left in code which required version 1 behavior. Additionally, if an OS implemented version 2, when Samsung's firmware got confused, it didn't throw the proper error message, but instead returned it's own address to be overwritten. So at least two failures on Samsung's part. Linux simply followed the standard as written.