Ubuntu's Plans To Implement UEFI SecureBoot: No GRUB2

[Kristian Joensen]

Ahh, okay. I should have paid attention to how old that was. Thanks again. Interesting.

[Kano]

@AdamW

I doubt that secure boot prevents privacy because you can run win even without serial and rearm it 2 times. If win8 reset counter code is done the oem activation way is not needed.

As you refer to bootloader hacks, which basically use grub4dos with a special hack that loads an encrypted file with a signature into the memory then loads the real win bootloader it is clear that this will not work if uefi is a requirement (because g4d only works in bios mode). But i think there are already hacks that use uefi bootloaders with emulation, so if needed somebody would emulate secure boot as well.

The most invasive change is definitely not secure boot but the requirement to use a unique key for each system instead of 1 key for 1 oem (which is not even vendor locked yet). This is basically enough to fight back oem activation hacks. If the rearm counter is attacked then all ms can do is to search for well known hack tools with the integrated virus scanner (like defender) and does not allow the execution in first place. But the counter attack is already known: encrypte the binary with a random key.

Basically ms can only lose this battle, but they should not suffer so much that they will become backrupt.

Also why is it such a tragic to change one setup option to disable secure boot or use the csm to boot in bios mode to use linux? that option must be there.

[linux5850]

when i get some UEFI hardware I will put my own key on it. Then I can run whatever I want. And I can be sure it will only run stuff I signed. Sounds pretty handy for me. (Though as I am unlikely to audit all the code that I'd sign then i am probably not much more secure than currently)

Of course most folk don't want to mess around in their BIOS, so i am glad that the major distros work with the default keys.

(If someone makes some hardware where i cannot change the key then I would not buy it.)

That might be a good idea if UEFI was about security but it's to appease the MPAA mafia.

[smitty3268]

That's a fairly old thread, and several things have changed in the spec and the Microsoft requirements since then, I believe. The post which really started this brouhaha - http://mjg59.dreamwidth.org/12368.html - explicitly mentions user enrolment of keys - "The first is for a user to generate their own key and enrol it in their system firmware." - and I'm pretty sure Matthew has talked in more detail about it in the comments to that post and newer ones. Maybe check through those, rather than posts from last year.

Do you know if manufacturer's have to follow all the requirements to be Win8 certified, or is it going to be like ACPI where people just get Windows running by adding Secure Boot and don't bother supporting other OS's with the full spec?

Also, last i heard, manufacturers had to allow adding keys OR turning it off, not both. Has that changed?

[lucky9]

I think it will end up being both. I doubt very seriously that any manufacturer will ship with only added keys. And as far as I know the ability to turn off UEFI is not an option. It's the spec.

[AdamW]

kano: for people like us, not tragic at all. It'll take us thirty seconds when we buy a new PC to turn off Secure Boot and then we'll forget about it. That's certainly what I'll do.

The reason Fedora and Ubuntu are taking trouble to work even with what a 'stock' config will look in, oh, a year's time - Secure Boot enabled, Microsoft key present - is because we as projects think it's still very important to be as accessible as possible to at least _some_ people who aren't comfortable poking around in the system firmware, or turning off items with 'secure' in their names. For Ubuntu's target audience the case for this is obvious. For Fedora's it's slightly less obvious, but we _do_ target fairly 'non-technical' users in some ways; our avowed target audience is 'people who may contribute back to Fedora', but that's still a pretty wide net in a way. For instance, someone who likes to draw is a potential member of our 'target audience', as design is certainly something that you can contribute to Fedora; such a person isn't necessarily 'technical' enough to be happy poking around in the firmware.

smitty: As I understand it, at least in theory, you have to comply with all the requirements to be certified (and therefore to qualify for OEM preloads). You can't implement Secure Boot but leave out a mechanism for turning it off, and still expect to pass certification. Of course, we'll only know _for sure_ how Microsoft will handle this when the rubber hits the road, but that's how I understand it at present. I don't feel qualified to comment on the 'or / and' question, I don't know the licensing requirements in enough detail; I'd rather defer to Matthew on that one, try asking him. I _thought_ it was an AND situation, but I'm always entirely prepared for the possibility that I'm wrong at any given time.

[blackiwid]

but if you use it, you aprove it, you legitimise it...

I see here a problem, so if maybe ubuntu as only distribution would go this way ok... but anybody who installes something else than ubuntu is a geek anyway... because its the standard distribution right know... shurely after the unity-debacel that maybe slightly changed... but fedora is still only used by people who did install anoter distribution before that...


Maybe I think to strong about that... but if all major distros supports this, some day microsoft will say, see its no problem now in acpi 5.0 we enforce that there is no off switch... and then good arguments against it are gone...

[mhenriday]

how will this affect our ability to run multiple-boots ? I've been using the various GRUB versions to do this for the last six years or so and by and large have been satisifed with the function (OK, getting GRUB back after doing an MS re-install can be a pain, but if one is forewarned, one takes the necessary precautions), but what will I have to do if, on a future main box, I want to run, say, Ubuntu, Fedora, and Win8 ? Can I simply turn off the so-called SecureBoot key and then install the current GRUB2 version or are there still other hoops through which I have to be prepared to jump ?...

Henri

[Kano]

First of all grub2 does not detect efi windows installs using os-prober. But i have got a tiny custom.cfg that would find em with grub 2.00. grub 1.99 is not optimal for that, but i dont know why there is not even an experimental debian package with 2.00. Basically you do not necessary need grub, you can use the integrated bootmanager in the setup, then you use just quick boot selection and start the os you like. You just dont get a menu all the time, only when you press the quick boot selection key.

[mhenriday]

First of all grub2 does not detect efi windows installs using os-prober. But i have got a tiny custom.cfg that would find em with grub 2.00. grub 1.99 is not optimal for that, but i dont know why there is not even an experimental debian package with 2.00. Basically you do not necessary need grub, you can use the integrated bootmanager in the setup, then you use just quick boot selection and start the os you like. You just dont get a menu all the time, only when you press the quick boot selection key.

Thanks for your speedy reply Kano (嘉納 ?) ! Alas, I'm not familiar with «the integrated bootmanager in the setup» to which you refer and which you say would allow me to use «quick boot selection and start the [OS desired]». Could I prevail upon you to point me to more information on this matter ? I'm currently running 64-bit Ubuntu 12.04 LTS and thus have GRUB1.99 installed....

Henri