Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 34

Thread: UEFI Secure Boot Still A Big Problem For Linux

  1. #11
    Join Date
    Jan 2010
    Location
    Ghent
    Posts
    198

    Default

    Quote Originally Posted by Qaridarium View Post
    you sound like: "oh yes microsoft hurt me i like it its a feature for me i make the best ever out of it give me more of it oo yeess..."
    I don't care one sh*t about MS (either way - I just don't care) and I have not had anything to do with them for many years. Thanks to Linux I run relatively old computers so the UEFI will not hit me in a long while. The secure boot feature is however something that also lots of Linux people actually want Fundamentally, it is a good technology - with the huge bug that it can be abused by the dominant player (MS) and its control over the OEMs. Personally I think that regulators (EU, US etc) need to keep an eye on this technology shift and make sure that installing optional operating systems are easy on all OEM machines sold (including ARM ones).

    For the major distros, they can probably go for signed kernels and run on bare hardware, but for the hobbyist or someone running a less usual distro or alternative open source OS (*BSD, illumos, Plan9 ...), an alternative solution would have to be found - for example a signed microkernel handing over control to the guest OS as soon as possible.

  2. #12
    Join Date
    Nov 2008
    Location
    Germany
    Posts
    5,411

    Default

    Quote Originally Posted by staalmannen View Post
    I don't care one sh*t about MS (either way - I just don't care) and I have not had anything to do with them for many years. Thanks to Linux I run relatively old computers so the UEFI will not hit me in a long while. The secure boot feature is however something that also lots of Linux people actually want Fundamentally, it is a good technology - with the huge bug that it can be abused by the dominant player (MS) and its control over the OEMs. Personally I think that regulators (EU, US etc) need to keep an eye on this technology shift and make sure that installing optional operating systems are easy on all OEM machines sold (including ARM ones).

    For the major distros, they can probably go for signed kernels and run on bare hardware, but for the hobbyist or someone running a less usual distro or alternative open source OS (*BSD, illumos, Plan9 ...), an alternative solution would have to be found - for example a signed microkernel handing over control to the guest OS as soon as possible.
    This is economic war there is no peaceful (read: spend money to hurt the enemy) solution at all.

    The only way is do it like Microsoft: pay people to use linux and force them by contract to never use Windows again.

    where do you get the money for it?

    Do it Like Microsoft only a Monopole can do it! Germany for example you are forced by law to send Microsoft money because the official tax paying software is windows based and you are forced by law to use this software!

    This means you just need a new LAW for it! this means in the future every tax payer have to pay the linux tax to force the people by contract to never use windows again!

    This is a great solution! Do it like Microsoft and learn to WIN!

  3. #13
    Join Date
    Apr 2011
    Location
    Sofia, Bulgaria
    Posts
    74

    Default

    From article: "Signed Linux kernels must refuse to load any unsigned kernel modules."

    Why? Secure Boot requires a signed kernel (or isn't it, rather, a signed boot loader?) but the kernel can do anything after boot. Yes, it defies the idea that you should only run trusted code but that can be a boot option or, as someone wrote above, the out of tree projects can provide signed modules.

  4. #14
    Join Date
    Aug 2009
    Location
    Russe, Bulgaria
    Posts
    484

    Default

    I really this whole sh*t will boost coreboot development. And after all, one of the motherboard companies will make coreboot at least an option. I am eager to hear about the first laptop with coreboot support on FOSDEM after 2 weeks.
    http://fosdem.org/2012/schedule/event/coreboot_laptops

  5. #15
    Join Date
    Dec 2007
    Posts
    139

    Default What if you build your own?

    I currently build all my own desktops. I have built several with UEFI, but without secure boot. Are manufactures of computer parts suddenly out of business? What about all the computer parts stores worldwide? If I bought a stack of bits and went home to build a Windows 8 machine for someone, would I still be allowed. Will part of the install involve ringing Microsoft to unlock something? But if you cannot boot from a DVD, how do you install an OS, even Windows, in the first place?

    Lots of questions, lots of conjecture, not many straight answers. Surely the purveyors of motherboards will have to supply them with unlocked secure boot, even the ARM ones. And Microsoft have confirmed that that is the case otherwise no one will be able to do a new install of 2000 - Windows7. What about HDD failure? Run down to the shop, pick up a nice new 2tB drive and plug it in and the UEFI has a hissy fit when you try and reinstall. Each Windows install disk would have to be absolutely locked to one piece of hardware. All Windows8 would have to be use once OEM, no more own your own boxed editions. I can guess that the install will generate a key that then has to be entered into the BIOS and then a reboot before Windows 8 will fully function.

    Notebooks, on the other hand, are more easily controlled. There are not many build your own notebooks.

    I do not care about Windows installs for home builds, but answering these questions will go a long way to knowing what will happen to Linux home builds.

    5 - 10 years from now. What happens to Internet Banking or any online commerce? No secure boot no transaction. Maybe.
    Last edited by grege; 01-18-2012 at 04:29 AM.

  6. #16
    Join Date
    Oct 2009
    Posts
    1,987

    Default

    We're already dealing with the problems of secure chain booting on ARM chips. Barnes and noble NOOK TABLET uses an OMAP4430, which does a sig check on xloader. Then xloader does a sig check on uboot, and uboot does a sig check on the boot partition. Got lucky in that the stupid uboot didn't verify the load addresses in RAM before running the sig check, so dumping a new (no sig check) uboot over the evil one in RAM and suddenly its happy to load an unsigned kernel.

    Note that the secure boot problem doesn't just enforce BS-OS (balmer-soft, or bull-shit if you prefer), it will just get in the way of the user owning their own hardware regardless of what the vendor puts on it.

    I find this secure boot thing to be criminal.

  7. #17
    Join Date
    Mar 2007
    Location
    DG, IL, USA
    Posts
    192

    Default

    Seems like MS finally found a way to start enforcing that little part of it's Eula that once you install MS your computer belongs to them...
    Win 8 cloud initiative..I'd imagine by Win 9 You'll be required to leave your computer and internet connection on at all times so corporations can use your unused computer cycles, bandwidth and electricity
    for their own..or find your Windows functionality cut to Windows basic. Not too far fetched since I thought I read about that possibility tied in to some "free" donated computers to a 3rd world country(in Africa?).
    Those who would give up Essential Liberty to purchase a little Temporary Safety,deserve neither Liberty nor Safety.
    Ben Franklin 1755

  8. #18
    Join Date
    Apr 2011
    Posts
    113

    Default

    Quote Originally Posted by kobblestown View Post
    From article: "Signed Linux kernels must refuse to load any unsigned kernel modules."

    Why? Secure Boot requires a signed kernel (or isn't it, rather, a signed boot loader?) but the kernel can do anything after boot. Yes, it defies the idea that you should only run trusted code but that can be a boot option or, as someone wrote above, the out of tree projects can provide signed modules.
    If your kernel loads unsigned kernel modules then it also permits you to backdoor Windows, which means that Microsoft would blacklist it.

  9. #19
    Join Date
    Aug 2007
    Posts
    6,598

    Default

    What about the initrd, is it secured by tpm?

  10. #20

    Default A solution

    The best solution, according to the post, would be a standard and predictable way for users to install a key: presumably something that could be highly automated by an installer. But the UEFI standard doesn't offer this and it's too late to change that.
    Perhaps the solution is for the community of minority OSs to come up with a mini OS whose entire purpose is to provide this missing functionality, and get the key for this special purpose OS included by vendors .. difficult, but perhaps easier than other solutions.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •