
Linux Foundation's Secure Boot Pre-Bootloader Released

hypnosec writes "The Linux Foundation's UEFI Secure Boot pre-bootloader for independent Linux distros and software developers has finally been released. Announcing the release of the secure boot system James Bottomley noted that the signed pre-bootloader was delivered by Microsoft on February 6th. Bottomley has released two validated files: PreLoader.efi and HashTool.efi. Bottomley has also created a bootable mini-USB image that provides 'an EFI shell where the kernel should be and uses Gummiboot to boot.' Just last week the pre-bootloader had to be rewritten to accommodate booting of all versions of Linux."
This discussion has been archived. No new comments can be posted.

  • What about *BSD? (Score:5, Insightful)

    by ad454 ( 325846 ) on Saturday February 09, 2013 @12:37PM (#42844205) Journal

    This is great news for Linux distributions, and a small victory in the losing battle for openness.

    But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

    Everyone should be able to install and run whatever they want on their own computers.

    • Re:What about *BSD? (Score:4, Informative)

      by cupantae ( 1304123 ) <maroneill@gmLAPL ... m minus math_god> on Saturday February 09, 2013 @03:44PM (#42845539)

      the losing battle for openness

      What losing battle? Open source software hasn't been as prevalent as it is now since proprietary software first arose. Linux, in particular, is in the strongest position it's ever been in, and it looks like 2013 will be a very big year for Linux. Sure, there are always setbacks like this, but look: it's been just over 3 months since Windows 8 began to be sold, and the problem is already almost completely solved.

      But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

      So you have time to whinge, but none to RTFA:

      A signed pre-bootloader will allow for chain-loading of boot-loader of any other operating system thereby enabling users to install non-signed Linux distros on Windows 8 UEFI hardware.

      Everyone should be able to install and run whatever they want on their own computers.

      Yes, but not everyone should be able to install or run whatever they want on your computer. In fairness, UEFI goes some way towards securing your PC. Microsoft did well for the consumer in that respect. They're also a fairly ruthless company, and they're not going to go out of their way to make sure you can install rival operating systems from day 1. But today, at about day 100, the problem is a long way towards being solved. Get over it.

      • by dissy ( 172727 )

        But today, at about day 100, the problem is a long way towards being solved. Get over it.

        I interpreted it a little differently. Today at about day 100, Microsoft has won its war against Linux.

        Microsoft started by saying you don't want to use Linux because it's inferior, but they were easily shown to be wrong.

        Then Microsoft turned to saying it was illegal to use Linux because it's a mess of copyrights and patents, as well as infected with a viral license that destroys businesses. It took a lawsuit a decade long with one of this country's top companies (at the time) to finally prove otherwise.

        • Now, today, Microsoft has finished by saying Linux can and will only exist at Microsoft's whim. They hold the keys to the kingdom, and can lock and unlock any OS as they see fit. [...] now we are humbly begging for permission to be allowed to use non-windows on our own computers, while also praying the check clears to buy that capability which should be a natural right. [...] If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

          I emphasized the bits in your post that were sensational nonsense.
          Microsoft could never revoke the keys for Linux, because it is actually too popular for them to get away with it.

          Signed booting absolutely MUST be controlled at the highest level by the owner of the computer. No one else!

          Agreed.

          This means there should be ZERO keys or certs installed by default, and it should be a very serious crime to try and sneak one in, similar to any other mass scale computer intrusion laws.
          One should be required to learn how it works, why it works, what the advantages of signing your own boot loader would be, and then using that knowledge to enable it and upload your keys.
          If someone can't do that, then clearly they don't need this feature.

          Now I think you're being ridiculous. You can't expect regular end-users to understand the workings of something just to get to use it. It's not the way most people want technology to work, and it doesn't have to be.

          • It's all sensationalistic nonsense until it actually happens. Which seems to be just a matter of time and judicial incompetence. If you want to be optimistic about it, that's your own business, but I am NOT.

            Yes, it makes it more difficult for the end user. But I'm sure somebody has made a quote about convenience and liberty at some point (Ben Franklin?). That's a wholly different argument.

          • by dissy ( 172727 )

            Now, today, Microsoft has finished by saying Linux can and will only exist at Microsoft's whim. They hold the keys to the kingdom, and can lock and unlock any OS as they see fit. [...] now we are humbly begging for permission to be allowed to use non-windows on our own computers, while also praying the check clears to buy that capability which should be a natural right. [...] If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

            I emphasized the bits in your post that were sensational nonsense.
            Microsoft could never revoke the keys for Linux, because it is actually too popular for them to get away with it.

            Apologies in advance if I mis-copied any emphasized parts above. The editor does not want to cooperate with that.
            But it will be easier to address each, as I do not agree with your assessment. Sensational perhaps, but that doesn't mean I am incorrect or exaggerating the truth.

            Microsoft has finished by saying Linux can and will only exist at Microsoft's whim

            And the past 100-ish days prove that to be correct, as Linux was not yet bootable on these new systems without first blanking the certificates out of

            • Microsoft's power on the matter is strictly economical. It cannot mandate that all PCs, or even all PCs sold with Win8, have UEFI Secure Boot. The requirement comes from Win8 hardware certification program, so it's only necessary if the OEMs want that "Designed for Windows 8" sticker on their hardware.

              Now, Windows having the lion's share of desktop OS market, most OEMs do want the sticker, and so they have to follow the certification guidelines. However, this does not mean that Microsoft is free to put what

        • we are humbly begging for permission to be allowed to use non-windows on our own computers

          You're doing it wrong, just turn secureboot off.

          If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

          That's an interesting take, how would one revoke a UEFI key? And how would revocation - assuming such a thing exists and is possible - of a key result in permission to load the pre-bootloader being denied? Permission to load the bootloader is granted/denied by the UEFI firmware, which makes the decision based on whether the installed key matches that of the signed bootloader, so what you're saying makes absolutely no sense, it just demonstrates a fundamental m

          • by dissy ( 172727 )

            That's an interesting take, how would one revoke a UEFI key?

            Dunno, doesn't seem possible to me with the current state of hardware. Why do you ask? Seems a bit off topic, since I was discussing permission and not certificates or keys.

            And how would revocation - assuming such a thing exists and is possible - of a key result in permission to load the pre-bootloader being denied?

            Dunno, I never said anything about revoking a key.
            However one revokes permission by using the words "you no longer have permission"

            Permission to load the bootloader is granted/denied by the UEFI firmware, which makes the decision based on whether the installed key matches that of the signed bootloader, so what you're saying makes absolutely no sense, it just demonstrates a fundamental misunderstanding of how secureboot works.

            No, the boot loader only knows if the software being booted was signed by a key that is paired to a key stored in UEFI. It can't possibly know about a legal construct such as permission or about copyright

            • Dunno, doesn't seem possible to me with the current state of hardware. Why do you ask?

              Because the only way to remove permission for the bootloader to boot the OS is to revoke a key, you can tell me I don't have permission all you want, ain't gonna make a shit of difference though, you - like Microsoft - don't have any authority over that.

              Seems a bit off topic, since I was discussing permission and not certificates or keys.

              Seems you fail at reading comprehension on your own post, try reading it again then you won't look so foolish:
              If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader [slashdot.org]

              Dunno, I never said anything about revoking a key.

              You said 'certificate' as opposed

              • by dissy ( 172727 )

                Well now that you've decided to be all insulting for no good reason, I will too.

                Because the only way to remove permission for the bootloader to boot the OS is to revoke a key, you can tell me I don't have permission all you want, ain't gonna make a shit of difference though, you - like Microsoft - don't have any authority over that.

                Thank you for finally admitting I am right.

                You do as you say, and don't give a shit like you say, then you are violating copyright and the DMCA. You're now a felon. Congrats!

                I'll let you argue with the judges that have ruled and set precedent that copyright holders can't dictate who can make a copy of their work, as well as argue with the judge that declared loading a program into ram is copying.

                You are now openly stating you

                • You do as you say, and don't give a shit like you say, then you are violating copyright and the DMCA. You're now a felon. Congrats!

                  But the fact is in doing so you are not violating the DMCA. There is no law against booting Linux, and Microsoft telling you that you don't have permission doesn't change that, even if you so desperately want to bend yourself to Microsoft's will.

      • by AmiMoJo ( 196126 ) * on Saturday February 09, 2013 @06:59PM (#42846747) Homepage Journal

        One issue that never seems to be mentioned but could be potentially huge is that the signed bootloader requires user interaction to boot. It was designed that way to prevent malware using the bootloader to silently root the OS, the very thing SecureBoot was designed to prevent.

        It won't boot until you press a key to continue. Many Linux machines don't have any facility for that, either because they are a tablet with no physical keyboard or because they are a headless server with no-one around to operate them locally.

        • It won't boot until you press a key to continue. Many Linux machines don't have any facility for that, either because they are a tablet with no physical keyboard or because they are a headless server with no-one around to operate them locally.

          Why would you want secureboot on such devices?

      • by jhol13 ( 1087781 )

        "UEFI goes some way towards securing your PC."

        How? What does the UEFI do to "secure my PC"? I claim the positive effect is infinitesimal and hugely shadowed by negative effects.

        What UEFI secures is the pre-bootloader. Nothing more, it has nothing to do with bootloader, kernel, drivers, system programs or set-up data, user programs or user data. The likely place for a trojan is perhaps the system programs and their settings - as long as a trojan can change your sshd_config you really do not care whether pre-bootlo

      • the losing battle for openness

        What losing battle? Open source software hasn't been as prevalent as it is now since proprietary software first arose. Linux, in particular, is in the strongest position it's ever been in, and it looks like 2013 will be a very big year for Linux. Sure, there are always setbacks like this, but look: it's been just over 3 months since Windows 8 began to be sold, and the problem is already almost completely solved.

        But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

        So you have time to whinge, but none to RTFA:

        A signed pre-bootloader will allow for chain-loading of boot-loader of any other operating system thereby enabling users to install non-signed Linux distros on Windows 8 UEFI hardware.

        Everyone should be able to install and run whatever they want on their own computers.

        Yes, but not everyone should be able to install or run whatever they want on your computer. In fairness, UEFI goes some way towards securing your PC. Microsoft did well for the consumer in that respect. They're also a fairly ruthless company, and they're not going to go out of their way to make sure you can install rival operating systems from day 1. But today, at about day 100, the problem is a long way towards being solved. Get over it.

        ===
        Perhaps Linux distributions are lucky because retail sales of W8 are far below expectations. I visited several big box stores, and the space previously allocated to computers is now shared with Tablets (Mainly Android) and Big screen TVs. If W8 end-user sales were significant, we could experience accidental tricks by MS to block all other OSs. And those accidents would happen as a means of protecting market share. Who is to say what MS would not do.

    • by TCM ( 130219 )

      No. In the spirit of openness, hopefully this bullshit will get eaten by the anti-monopoly regulation.

      Giving in to this bullshit was the most stupid thing the Linux guys could do.

      • Why would anti-monopoly guys get involved, seeing as Linux (and other competing OSes) are working on MS-certified hardware with the present arrangement? What's the anti-competition angle here?

        • by TCM ( 130219 )

          I dunno, maybe that the Linux guys have to report to MS to have their stuff working? Duh?

          • For one thing, they don't, since the switch to disable Secure Boot is always there on Intel machines, and can be turned off by any user. This whole thing was about making it so that the users don't even need to do that (but I'd bet that the switch alone is sufficient to alleviate any anti-trust concerns).

            And beyond that, having to "report to MS" is not an issue since it results in a solution that works for everyone. If that were to change - if MS was ever to revoke the keys - then, yes, I'd imagine there wo

    • by tlhIngan ( 30335 )

      This is great news for Linux distributions, and a small victory in the losing battle for openness.

      But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

      Everyone should be able to install and run whatever they want on their own computers.

      You still can.

      You see, in order to get that "Windows" logo, a PC (x86/x64) MUST have an option to disable secure boot. In which case, the UEFI will perform a "legacy boot" using the MBR/partition loaders as has b

  • by Anonymous Coward

    Yay! Now I can finally ask Microsoft for permission to boot my Linux machine! I've been eagerly awaiting this for years and years.

    Oh, I can just disable in the UEFI, you say? Yes, I'm fully confident that situation will persist going into the future. Because that's how these things go.

    • You didn't need Microsoft's permission in the first place, and not because you could just disable secure boot.

  • This is bollocks (Score:4, Interesting)

    by Skiron ( 735617 ) on Saturday February 09, 2013 @12:47PM (#42844299)

    All the time Microsoft have control, they will always have control.

    Why don't people LEARN from history from how they operate?

    This will all go horribly wrong, mark my words.

    And I still do not understand how Microsoft get to control this.

    • Re:This is bollocks (Score:5, Informative)

      by EdZ ( 755139 ) on Saturday February 09, 2013 @12:59PM (#42844373)

      And I still do not understand how Microsoft get to control this.

      For anything x86 based; they don't. They expressly require OEMs (and anyone else producing motherboards with a little Windows 8 sticker on the box) to allow the end user to add their own Secure Boot keys, as well as insert Microsoft's key. No end-user modification, no certification.

      So why are various Linux distros getting bootloaders signed by Microsoft? Because they assume users are not competent enough to enter keys manually. Thus, they ask Microsoft (or take advantage of the service Microsoft offers) to sign their bootloader with Microsoft's preloaded key.

      • Re:This is bollocks (Score:5, Informative)

        by Sarten-X ( 1102295 ) on Saturday February 09, 2013 @01:29PM (#42844595) Homepage

        It's not an issue of "competent". It's an issue of "willing".

        A major source of Linux's desktop growth is the use of live CDs. Just drop in a disk at boot, and you've got yourself a working Linux desktop to play with and perhaps even like. You can see the filesystem's different layout, you can see each application's settings saved to plain old files, and you can see the package manager's simple installation of useful software. Perhaps you can even like it and decide to install. If not, there's no changes to your computer.

        That's all changed now. Now your computer must be prepared for Linux first, through some means of adding a new key. While not really beyond the average user's level of competence, it is beyond their level of ambition just to try "that Linux thing". The longstanding promise of "try it without changing anything" that has fueled trials isn't wholly true any more. Supposedly Windows' bootloader will let you boot unsigned CDs, but I've tried that three times with three failures on known-good disks, so I expect there's something screwy hidden in that route, and that doesn't really solve the problem of booting once the installation's complete.

        To make matters worse, there's no standard mechanism for adding the boot key. One option is a BIOS-based tool, which will come with the typical polish [rodsbooks.com] of a motherboard manufacturer we've had on BIOS setups for years. Expect a keyboard-based menu with unique brand-specific names. Another option that might be viable in the future is a Windows tool to add a key, which will inspire Windows to raise scary warnings about compromising security and never starting again, which will do wonders for the user's confidence.

        Microsoft surely knows that Secure Boot won't affect savvy nerds from converting to Linux. They also surely know that Linux is still growing organically, relying on word-of-mouth and firsthand try-before-you-buy experience. By requiring Secure Boot to be user-modifiable, they've thrown a roadblock in the path for Linux's growth, without looking like they're being blatantly nasty. They can keep exaggerating the threat of bootloader rootkits to justify locking everybody out, then point to the key-adding ability to dispel accusations of abusing their monopoly.

        • Enough is enough (Score:4, Insightful)

          by benjymouse ( 756774 ) on Saturday February 09, 2013 @02:11PM (#42844897)

          Microsoft surely knows that Secure Boot won't affect savvy nerds from converting to Linux. They also surely know that Linux is still growing organically, relying on word-of-mouth and firsthand try-before-you-buy experience.

          You are seriously delusional. "Converting" to Linux is not, has never been and will never become a threat to Microsoft. Right now Microsoft is pressured on other fronts, such as desktop PC losing relevance, not being on the boat on mobile and not competing effectively in the tablet game.

          You are trying to wage last decade's battle. Microsoft does not feel threatened by Linux on the desktop *at* *all*. Get real. The threats to Microsoft do not come from conversions in the x86 space, they come from vertical players and mobile, like Chromebooks, tablets, smartphones.

          Note how *all* of these emerging platforms have more restricted app models, and especially *boot* models. Microsoft is simply evolving their primary platform to match the features and security (from closed and semi-closed gardens) of the threatening platforms.

          The threat to Microsoft's desktop business is *not* Linux. Even though Linux has evolved in that space and on the surface appears to be able to go head-to-head, Microsoft Windows is still *much* more mature than any desktop Linux. Consider for instance group policies, restart manager, volume shadow service, various troubleshooting guides, shims for both application and device compatibility etc. The real threat is that the desktop becomes irrelevant.

          If the desktop is perceived as less secure than an online counterpart, Microsoft will be losing. They *need* to ensure secure boot. It is not an anti-Linux move at all. You are flattering yourself. And being stupid.

          • Re: (Score:3, Insightful)

            by corvax ( 941506 )
            Even if it wasn't intentional (I doubt it) what this does do is make it just a little bit harder to install Linux. And makes Microsoft the gatekeeper of YOUR hardware. What happens to A LOT of old Windows PCs? They get Linux installed on them to give them a few more years of usefulness = a loss of revenue for Microsoft. Even if it is a small percentage it's not enough Microsoft would be much happier if the percentage was ZERO......
          • Re:Enough is enough (Score:4, Informative)

            by Anonymous Coward on Saturday February 09, 2013 @03:26PM (#42845425)

            I agree with most of your points, however I feel Microsoft is its own biggest threat. Them fucking around with all sorts of shit in Windows is going to drive people away. A number of changes since WinXP have irritated me, but I have stuck with Windows until now.

            I recently bought a new laptop (Lenovo x230). I upgraded the storage myself - to use an mSATA SSD for the operating systems. After spending hours trying to get Win8 installed (no OS DVD provided) I gave up, it was the last straw. The UEFI stuff was a pain in the ass, but managed to get Arch Linux up and running comparatively easily.

            I have been tinkering with Linux for a number of years, but it finally took Windows 8 to drive me to Linux full time & I couldn't be happier. This is the first computer I have owned without Windows installed on any partition - it was nerve-wracking at first, but now wish I had made the move sooner.

          • Re:Enough is enough (Score:5, Informative)

            by nzac ( 1822298 ) on Saturday February 09, 2013 @05:10PM (#42846045)

            Consider for instance group policies, restart manager, volume shadow service, various troubleshooting guides, shims for both application and device compatibility

            I don't think Linux has a nice "clicky" interface to any of these things but to suggest that it does not have solid equivalents to the first 3 (the rest appear to assume Linux has the same problems as Windows).
            Group policies are probably difficult to fully replicate on Linux but it's due to flaws in Windows that it even needs a restart manager. Maybe SSV is more permission friendly than LVM also.
            You are just another Windows user who assumes that a proper OS should function the same as Windows. There are better lists than this for things Linux is missing on the desktop but the one is the lack of third party applications.

            • What are these group policies that Linux can't replicate? I'm curious: I looked it up on google, but the descriptions are fairly high level and seems like they'd translate reasonably well.

              Also, a restart manager?

              • by nzac ( 1822298 )

                What are these group policies that Linux can't replicate? I'm curious: I looked it up on google, but the descriptions are fairly high level and seems like they'd translate reasonably well.

                I said difficult, not that you could not. There's probably some context based permissions that benjy is referring to.

                Restart Manager is an installer API for restarting services while updating files to prevent restarting the whole OS. Linux deb/rpm installers can just call syscontrol and restart the service using the same call as the user.

          • by AmiMoJo ( 196126 ) *

            Note how *all* of these emerging platforms have more restricted app models, and especially *boot* models.

            Chromebooks will boot anything you like, including Linux and Windows. Android devices from Google have unlocked bootloaders that will boot anything, including Ubuntu for phones, and the OS itself allows installation of apps from any source without any signing requirement at all.

            Android is also the most popular mobile OS. Google learned the lessons from history that others did not: the most open platform usually wins. Betamax vs. VHS. MiniDisc vs. CD-R. MemoryStick vs. SD card. Amiga/Atari/Sinclair/Amstrad v

          • I noticed you mentioned Chromebooks...

            Those are x86 systems based on Linux (though not really a "Linux distro" thank goodness). ChromeOS is really starting to gain traction now, and it could reinvent the PC the way iOS/Android reinvented the smartphone and tablet.

            The important thing about ChromeOS and Android and the moribund Linux desktop distro class is not that they use Linux or FOSS but that they are things that MS doesn't own, yet they can run on standard x86 hardware. The issue is whether any non-MS O

            • by epyT-R ( 613989 )

              ChromeOS is really starting to gain traction now, and it could reinvent the PC the way iOS/Android reinvented the smartphone and tablet.

              Yeah just what users who need desktops want: a system where all the software is a remote connection away from failure/locked in upgrade treadmills, and whose functionality can change any time.

              If the choice becomes chromeOS or a tablet, I'm done with computing.

          • by epyT-R ( 613989 )

            Sounds like to me you're just using Windows as an 'objective' barometer to measure capability.

            1. restart manager? proper business systems only need to be restarted when absolutely necessary.. needing a 'manager' to handle it suggests inferior design, not superior. It's truly amazing what a process Microsoft has made out of copying files from an archive to directories on the system drive.
            2. group policies? Ever heard of LDAP? I believe Microsoft's embrace/extend name for that is called Active Directory.

        • by robsku ( 1381635 )

          Too bad I don't have mod points to +1 you - or -1 the bollocks you got as a result. Anyone claiming total UEFI lockdown on ARM is for security and has nada to do with blocking OtherOS is deluded - and anyone thinking MS wouldn't love to do just that with x86 but took slightly more moderate route because they are a monopoly at x86 desktop, and it would just be nasty for them if they had gone that way, is deluded.

          What you describe is what's happening with the plan they had to settle with.

      • Would you check the details on that? As I understood it, and I might be wrong, the Microsoft standard doesn't require OEMs provide the ability for the end user to add their own keys - that's up to the OEM. What it does do is require the OEMs provide the user with the option to disable secure boot entirely, and that this can only be done by someone physically present at the machine (The 'press F1 to enter setup' program).

        • Re:This is bollocks (Score:5, Informative)

          by EdZ ( 755139 ) on Saturday February 09, 2013 @03:16PM (#42845355)
          From the horse's mouth itself [microsoft.com] (the Windows 8 certification guidelines, specifically System.Fundamentals.Firmware.UEFISecureBoot para.17):

          Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following: It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

          Separately (Para.18):

          Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.
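
The states described in the two quoted paragraphs (databases cleared into setup mode, or Secure Boot disabled from firmware setup) can be told apart on a running Linux system from the UEFI `SecureBoot` and `SetupMode` variables. This is an added example, not part of the original thread: the state labels and sample blobs are constructed for illustration, and the efivarfs path assumes a Linux system booted via UEFI.

```python
"""Classify UEFI Secure Boot state from efivarfs blobs (added example)."""
from __future__ import annotations

import struct
from pathlib import Path
from typing import Callable, Optional

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification; the SecureBoot and
# SetupMode variables are both defined under it.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARFS = Path("/sys/firmware/efi/efivars")


def parse_efivar(blob: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes each variable with a 4-byte little-endian
    attribute mask; the variable's payload follows it.
    """
    if len(blob) < 4:
        raise ValueError("efivarfs blob shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def read_flag(blob: Optional[bytes]) -> Optional[int]:
    """Return the 0/1 payload of a one-byte variable, or None if absent."""
    if blob is None:
        return None
    _attrs, data = parse_efivar(blob)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError("expected a single byte holding 0 or 1")
    return data[0]


def read_from_efivarfs(name: str) -> Optional[bytes]:
    """Read a global variable from the live system; None if it is missing."""
    try:
        return (EFIVARFS / f"{name}-{EFI_GLOBAL_VARIABLE}").read_bytes()
    except FileNotFoundError:
        return None


def secure_boot_state(
    read: Callable[[str], Optional[bytes]] = read_from_efivarfs,
) -> str:
    """Map SecureBoot/SetupMode onto one of five labels (labels are ours)."""
    secure_boot = read_flag(read("SecureBoot"))
    setup_mode = read_flag(read("SetupMode"))
    if secure_boot is None or setup_mode is None:
        return "unknown"        # legacy boot, or variables not exposed
    if setup_mode == 1:
        # No PK enrolled: the key databases can be written without PKpriv.
        # Firmware should not report SecureBoot=1 in this mode.
        return "inconsistent" if secure_boot == 1 else "setup-mode"
    # A PK is enrolled (user mode); SecureBoot says whether it is enforced.
    return "enforcing" if secure_boot == 1 else "disabled"


# Constructed sample blobs: attribute mask 0x00000006 followed by one byte.
_HDR = b"\x06\x00\x00\x00"
SAMPLES = {
    "enforcing": {"SecureBoot": _HDR + b"\x01", "SetupMode": _HDR + b"\x00"},
    "disabled": {"SecureBoot": _HDR + b"\x00", "SetupMode": _HDR + b"\x00"},
    "setup-mode": {"SecureBoot": _HDR + b"\x00", "SetupMode": _HDR + b"\x01"},
    "inconsistent": {"SecureBoot": _HDR + b"\x01", "SetupMode": _HDR + b"\x01"},
    "unknown": {},
}


if __name__ == "__main__":
    for label, variables in SAMPLES.items():
        print(f"sample {label!r:15} -> {secure_boot_state(variables.get)}")
    print("this machine ->", secure_boot_state())
```

On a fleet, "setup-mode" and "disabled" are the two results worth alerting on, since in both the firmware is no longer enforcing signature checks at boot.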

    • Re: (Score:3, Informative)

      by darkHanzz ( 2579493 )

      And I still do not understand how Microsoft get to control this.

      They talk directly to manufacturers, since Windows is still installed by default. So the swing they have on the whole laptop market just became a bit more visible, it's always been there, however.

    • It's NOT Microsoft (Score:4, Interesting)

      by ArchieBunker ( 132337 ) on Saturday February 09, 2013 @03:33PM (#42845477)

      Nobody ever brings this up but me. Guess who else is in the UEFI group?

      AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies

    • by Burz ( 138833 )

      And I still do not understand how Microsoft get to control this.

      It seems like MS took the initiative on this, while the Linux camp assumed their users would expertly guard their systems and wouldn't have a need for runtime code signing. But most computer users aren't experts, and even many experts would rather have the code they run automatically verified by signatures, too, if it's available.

      But I don't understand why the Linux Foundation expects their OS to be an exception to secure boot (or something like it)... and that's what this signed pre-bootloader is, an except

    • And I still do not understand how Microsoft get to control this.

      Secure Boot became part of the UEFI spec in 2008-2009. (Rev 2.2)

      The spec is managed by the UEFI Forum --- representing AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies. Unified EFI Forum [wikipedia.org]

      The Linux Foundation posted a "Power Point" presentation in October 2011: Making UEFI Secure Boot Work With Open Platforms [linuxfoundation.org]

      It comes down to this:

      To successfully implement hardware level security in a mass market consumer product, it has to be enabled by d

  • Will Dell systems be able to use this or will MS try to block this on Dell that they now own a part of?

    • by gtall ( 79522 )

      In a sense, they do not own a piece of Dell. From what I understand, they contributed some dough as a loan and I have not heard they will have anyone on the board. Dell cannot live on the desktop market, in the server market they cannot ignore Linux.

      This doesn't stop MS from using its usual bag of dirty tricks, but if Dell has any sense and balls, he'll keep MS away from actually running the business.

  • Requiring a prompt does cripple the bootloader when compared to others that are somehow exempt from it.

    • It can't be promptless. The only ones that can be promptless are ones that assert a check on the kernel being loaded.

  • by UltraZelda64 ( 2309504 ) on Saturday February 09, 2013 @01:23PM (#42844553)

    Seriously, when Microsoft is paid for the key and they own the key into our computers, we've lost. Simple solution: Avoid ARM-based machines as long as Microsoft requires that no way exists to disable Secure Boot. By buying into this shit, we're just setting ourselves up to be fucked in the ass by Microsoft. I can't say anything good about the Linux Foundation for playing ball with these assholes either. Pre-bootloader, my ass--more like pre-pre-boot-extra-complexity-nightmare, thanks to Microsoft. Having to use this would be a disgrace; that alone should be enough to get people to buy more compatible hardware (but won't be).

    • This does nothing for ARM machines. Microsoft won't sign anything other than their own software to boot on certified Windows RT devices.

    • by Kjella ( 173770 ) on Saturday February 09, 2013 @03:35PM (#42845491) Homepage

      Seriously, when Microsoft is paid for the key and they own the key into our computers, we've lost. Simple solution: Avoid ARM-based machines as long as Microsoft requires that no way exists to disable Secure Boot.

      Uhh this isn't about ARM, Microsoft doesn't allow any third party OS on their ARM machines period. This is if you want any x86 machine shipping with Windows 8 and the "Designed for Windows 8" label to boot any other OS without finding the obscure and non-standard way to disable Secure Boot in UEFI (the new BIOS). At least in this incarnation you can always disable it yourself (again, only on x86), but I smell a Darth Vader quote coming as in "I'm altering the deal. Pray that I do not alter it further." But there's really no way to boycott Secure Boot without boycotting all machines with Win8 preinstalled, which has a snowball's chance in hell of working. What you'd really want is Linux preinstalled laptops, but they're still very few and far between. Desktops are less of an issue because you can always build from parts, or have one built for you.

      • Clarification: Windows plus ARM. I could have sworn that after all the times I typed Microsoft the point would be clear, but apparently not. I did not intend to point all the blame on ARM, which again leads back to why my wording was focused so much on Microsoft. People still seem to fail to get the point.

        As it is, the most we can do is not buy computers that meet both of these specifications: Windows RT running on an ARM processor. By doing so we are effectively surrendering and increasing their (again

        • As it is, the most we can do is not buy computers that meet both of these specifications: Windows RT running on an ARM processor. By doing so we are effectively surrendering and increasing their (again, Microsoft's) power to further destroy our freedom in the future

          It's the same deal with iOS isn't it? Even with Android phones you need to work to root them. Same thing for Tivos, TVs, consumer linux routers, etc; the device and software are sold as a single package. Hardly a new evil Microsoft thing, and not even controversial outside of the FSF.

          But I agree 100% that if you don't like it don't buy it.

          • It's somewhat "new" for Microsoft and the main line of Windows though. DOS and the original Windows line for x86 has traditionally never been this locked down. Microsoft makes it big with an open architecture, then locks down heavily the first chance they get of getting on a new processor. What good is a processor if it will only run code that the OS' author says it can?

  • by QuietLagoon ( 813062 ) on Saturday February 09, 2013 @02:11PM (#42844901)
    ... why Microsoft is the gatekeeper for what OS's are allowed to boot on the computers I buy.
    • To quote Wikipedia "The board of directors includes representatives from eleven "Promoter" companies: AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies."

      No, it's not just Microsoft.

  • Whatever was the problem with the standard BIOS that we've had for decades? Having the PC's most "hardware-near" firmware locked down only to run code permitted by a third party seems like an extremely bad idea. The whole point of a computer is that it obeys MY instructions blindly and perfectly.

    I know, I've heard the argument for security, but has anyone ever even seen real, actual BIOS malware? As far as I'm concerned, that only exists in theory.

    • As I understood it, the reason for UEFI was being able to boot from big hard disks, having prettier hardware-setting screens, having a built-in network stack for remote maintenance, and so on. It is questionable whether it was necessary to specify pretty much a complete operating system including CLI, just to run another OS, and the recent Samsung brick fun is a good hint that manufacturers will need a few years to iron even the bigger kinks out of their implementation, but UEFI itself is in theory not witho
