Wubi Is Likely To Wobble Back In Ubuntu

[phoronix]

Phoronix: Wubi Is Likely To Wobble Back In Ubuntu

Brought up on the Ubuntu development list yesterday was a proposal to disable Wubi installations from Ubuntu 12.04...

http://www.phoronix.com/vr.php?view=MTA3NDQ

[DaemonFC]

"Also complicating matters is Microsoft's Windows 8. With Microsoft's Windows 8 to be released by year's end, the boot system is expected to see an overhaul, at which point Wubi may not work."

Well, they were proposing at one point to implement a system that wouldn't boot anything but Vista 8 and to not allow the user to turn it off under the pretense of security.

Apparently they changed that and made it a requirement for a physically present user to go into the uEFI firmware and disable that malicious feature, but they still misleadingly call it security so that people will have second thoughts about turning it off.

Other than them throwing around the proposal to lock everything else out, including older versions of Windows, what else have they changed?

It's my understanding that NTLDR will work much like it does now on any system with a BIOS and that "Malicious BIOS" (uEFI) will not actually need a boot loader on the file system, but rather handles it internally and will execute EFI executables on the file system that are there to load the OS (assuming you've turned restricted boot off or your EFI program is signed with a key that the criminals behind uEFI recognize).

In this case, what you'd end up needing to do is... Make Grub look like an EFI program, tell the "Malicious BIOS" (uEFI) firmware to load it, and then once you're there, Grub can chainload NTLDR or boot into another OS.

It's ugly and it borders on a violation of the uEFI "Malicious Firmware" spec, but that spec was written by criminals at Microsoft and Apple and Intel, so what can you expect?

[WorBlux]

"Also complicating matters is Microsoft's Windows 8. With Microsoft's Windows 8 to be released by year's end, the boot system is expected to see an overhaul, at which point Wubi may not work."

Well, they were proposing at one point to implement a system that wouldn't boot anything but Vista 8 and to not allow the user to turn it off under the pretense of security.

Apparently they changed that and made it a requirement for a physically present user to go into the uEFI firmware and disable that malicious feature, but they still misleadingly call it security so that people will have second thoughts about turning it off.

Other than them throwing around the proposal to lock everything else out, including older versions of Windows, what else have they changed?

It's my understanding that NTLDR will work much like it does now on any system with a BIOS and that "Malicious BIOS" (uEFI) will not actually need a boot loader on the file system, but rather handles it internally and will execute EFI executables on the file system that are there to load the OS (assuming you've turned restricted boot off or your EFI program is signed with a key that the criminals behind uEFI recognize).

In this case, what you'd end up needing to do is... Make Grub look like an EFI program, tell the "Malicious BIOS" (uEFI) firmware to load it, and then once you're there, Grub can chainload NTLDR or boot into another OS.

It's ugly and it borders on a violation of the uEFI "Malicious Firmware" spec, but that spec was written by criminals at Microsoft and Apple and Intel, so what can you expect?

Secure boot does provide an integrity check of the initial loaded binary. It doesn't cure all security ill's but does do this. If the user can control the platform key it's not in any way malicious. We'll just have to wait and see to know which vendors are our friends, and which ones are not.

As of 3.3 Linux kernels can be compiled with an EFI stub option which should allow a lot faster boots with a simpler boot path. The kernel is once again it's own loader.

[DaemonFC]

Secure boot does provide an integrity check of the initial loaded binary. It doesn't cure all security ill's but does do this. If the user can control the platform key it's not in any way malicious. We'll just have to wait and see to know which vendors are our friends, and which ones are not.

As of 3.3 Linux kernels can be compiled with an EFI stub option which should allow a lot faster boots with a simpler boot path. The kernel is once again it's own loader.

There's only two real reasons it's going in there.

1. To put an end to hacked bootloaders that "activate" Windows.

2. To frustrate attempts to install other operating systems.

Malware is an excuse to stuff in "Malicious Firmware" and "Restricted Boot". The actual bootkits Microsoft cares about are the ones that cost it money, not the many hundreds of thousands of pieces of Windows malware that send your credit card, passwords, and bank account info to Russia. When they speak of "malware" they mean "stuff that lets you use Windows without paying them", not things that attack the user.

Edit: The ability for Linux to be its own bootloader already exists, it's called Coreboot, which is free and open source software that doesn't put malware in charge of the boot process nor spy on the user and implement DRM outside of the OS like EFI does.

[DaemonFC]

The BIOS being a big blob of proprietary bug-ridden crap that stays persistently loaded is already a problem, but its primitive nature and severe limitations also prevent it from being malicious to the extremes that EFI/uEFI have the potential to be.

Once the power for them to fuck the user over is there, they all will.

We'll get AMD people like John Bridgman saying "Oh sorry we're fucking you so hard but Intel does it too!"

Look at what's going on with other hardware that is designed primarily to restrict the user, such as AMD and Nvidia graphics cards. You can't tell me this isn't coming. Microsoft, Apple, and Hollywood are already salivating over this EFI thing.

[WorBlux]

There's only two real reasons it's going in there.

1. To put an end to hacked bootloaders that "activate" Windows.

2. To frustrate attempts to install other operating systems.

Malware is an excuse to stuff in "Malicious Firmware" and "Restricted Boot". The actual bootkits Microsoft cares about are the ones that cost it money, not the many hundreds of thousands of pieces of Windows malware that send your credit card, passwords, and bank account info to Russia. When they speak of "malware" they mean "stuff that lets you use Windows without paying them", not things that attack the user.

Edit: The ability for Linux to be its own bootloader already exists, it's called Coreboot, which is free and open source software that doesn't put malware in charge of the boot process nor spy on the user and implement DRM outside of the OS like EFI does.

1. It actually doesn't do this, at least not unless paired with a TPM, and desktop systems are so price-competitive that nobody bothers with adding one to consumer grade hardware. Secondly windows eight does not reqiure secure boot in order to boot (it's only required if you want to put a windows 8 certified sticker on the computer) Thirdly the secure boot status is reported via a single variable. You can turn it off, load a program to change the value from a 0 to a 1, and then chainload into windows. Secure boot cannot implement any sort of DRM control on it's own.

2. Windows does have a problem with pre-boot malware. If you can verify all the binaries that run at a privledged level you can make sure that scan results malware scanner are actually accurate. In addition there is a legal environment that is increasing the standard for reasonable care with respect to security vulnerabilities in software. While your allegation is certainly a fruitful side effect I doubt it will be a huge defect in practice. Platform owners will have to sign the KEK's on many Linux foundation members for driver purposes, some of which could be used to sign the kernels of popular distros. Only really a problem for people that want custom kernels or kernel modules, but such people should be more than able to find a flip a switch in the BIOS to disable secure boot.

3. Yes coreboot is better in just about every way, with two exceptions. UEFI is actually used in mainstream systems., and windows is often a necessary tool in the cyber tool-chest of people and corporations, and I don't see Microsoft of adapting it's kernel to the multiboot standard. As such you would likely end up running tianocore as the payload (to get the windows certified sticker, or even for best compatibility), which includes most of the bugs and drawbacks of a full uefi stack, or seaBIOS (which is a BIOS and therefore completly sucks even though it may be one of the better BIOS implementations that ever existed.

Tiano the reference implemenation of UEFI is also mostly under a BSD license. It is only the platfrom-specific drivers and the PIE (pre-initialization enviroment) that tends to be closed.

Unless or until someone gets $500,000 to throw are the coreboot project and puts it in at the ground floor on a consumer device, it's not really an option for the sort of system I'm looking to buy next (an ultrabook or ultrathin laptop). Given my practical choices I'll gladly accept UEFI over BIOS.

[Ansla]

Only really a problem for people that want custom kernels or kernel modules, but such people should be more than able to find a flip a switch in the BIOS to disable secure boot.

I pretty much agree with your points, except that maybe you are not aware that all proprietary graphics drivers (almost all nVidia users and many of the AMD users) rely on custom kernel modules, so they will all have to disable Secure Boot unless AMD and nVidia open up the kernel part of their driver and include it upstream.

And you are correct, that for the foreseeable time, while Microsoft's Windows remains the dominant OS for PCs, no major OEM will offer computers or even motherboards with anything else but UEFI.

However, if coreboot starts working on a wider range of consumer grade hardware and offers some significant advantages over UEFI (that means if UEFI fails badly to stay out of the users way, as there's not much a firmware can do), and a large enough percentage of users start tinkering with the firmware themselves replacing UEFI with coreboot, the OEMs will probably notice this and advertise "open platform based" like major networking companies (Netgear, Linksys) do for home routers.