The State Of Linux Distributions Handling SecureBoot

**phoronix** · 12-28-2012, 10:40 AM

Phoronix: The State Of Linux Distributions Handling SecureBoot

For those of you curious about the state of available Linux distributions that can handle UEFI SecureBoot on modern PCs certified for Microsoft Windows 8, here's a run-down of the most common Linux environments and their SecureBoot friendliness...

http://www.phoronix.com/vr.php?view=MTI2MzI

**duby229** · 12-28-2012, 11:17 AM

So if I read that correctly it more or less states that MS gets to decide which linux distros can boot on your shiny new computer..... can I say thats fucked up?

**Rexilion** · 12-28-2012, 11:26 AM

Isn't the signing only about the bootloader? I mean, do the bootloaders require the kernel to be signed as well? Maybe that can be turned off or something. I read some stuff about this, but it's unclear from there to me...

If the answer is yes, then I foresee no more problems.

If the answer is no, I hope the EU will file lawsuits against whoever is forcing this insanity upon us. Free market? Yeah whatever...

'Some are more equal than others' (George Orwell, Animal Farm) springs to mind...

Ow and umm, did anyone ever encounter a virus that works it's way in through the bootloader/kernel? Most stuff I encounter is because of a leak in a browser plugin :/ . Or is SecureBoot just the beginning? Eventually everything has to be signed and verified?

**mjg59** · 12-28-2012, 11:52 AM

Originally Posted by Rexilion

Isn't the signing only about the bootloader? I mean, do the bootloaders require the kernel to be signed as well? Maybe that can be turned off or something. I read some stuff about this, but it's unclear from there to me...

Define "require". There's no additional security if you permit unsigned kernels, and if your bootloader is signed by Microsoft then it may be considered a violation of the agreement that you signed with them. You're certainly at risk of having your signature blacklisted. If you require explicit user intervention before booting unsigned kernels, then that's fine.

Ow and umm, did anyone ever encounter a virus that works it's way in through the bootloader/kernel? Most stuff I encounter is because of a leak in a browser plugin :/ . Or is SecureBoot just the beginning? Eventually everything has to be signed and verified?

The bootloader's not an avenue of initial compromise, but it makes it possible to make the compromise persistent and almost impossible to remove.

**duby229** · 12-28-2012, 12:08 PM

MS needs to worry about IE's vulnerabilities before they need to worry about the linux kernels vulnerabilities. This secureboot shit is assinine. I'll never use win8 just because of this crap.

**mjg59** · 12-28-2012, 12:14 PM

Originally Posted by duby229

MS needs to worry about IE's vulnerabilities before they need to worry about the linux kernels vulnerabilities. This secureboot shit is assinine. I'll never use win8 just because of this crap.

They're not worried about the Linux kernel's vulnerabilities.

**duby229** · 12-28-2012, 12:18 PM

So then stop fuckin with our shit then.

**mjg59** · 12-28-2012, 12:23 PM

Originally Posted by duby229

So then stop fuckin with our shit then.

What's the difference between an unsigned Linux kernel and an unsigned trojaned Windows bootloader?

**duby229** · 12-28-2012, 12:24 PM

MS's problem not ours.

**mjg59** · 12-28-2012, 12:31 PM

Originally Posted by duby229

MS's problem not ours.

And a problem they've solved in the only way that it's possible to solve it.

Thread: The State Of Linux Distributions Handling SecureBoot

Thread Tools

Search Thread

Display

The State Of Linux Distributions Handling SecureBoot

Posting Permissions