Thread: Linux Foundation Releases Secure Boot System

  1. #1
    Join Date
    Jan 2007
    Posts
    14,369


    Phoronix: Linux Foundation Releases Secure Boot System

    The Linux Foundation has finally released its UEFI Secure Boot system that's intended for independent Linux distributions and software developers to more easily have access to a signed boot shim...

    http://www.phoronix.com/vr.php?view=MTI5NzQ

  2. #2
    Join Date
    Aug 2007
    Posts
    6,607


    This preloader is simpler to use as it works with unsigned EFI binaries as well. Shim does not allow that - at least that was what I noticed. Why shim is allowed to add a key (i.e. MOK.cer) and this loader is not is a bit weird. The error that MS most likely found is there with hashes as well - I see no way to reset those once they have been added. Try it yourself if you have got a board with Secure Boot - preferably do a backup of your firmware before (you can use flashrom for some boards).

  3. #3
    Join Date
    Jan 2012
    Posts
    179


    It is outright criminal that we have to endure such crap as this secure boot. The idea is good, I give them that. But the implementation, it sucks big time.

    The only feature one would need is for the UEFI firmware to be able to import the MD5 hash of the bootloader/kernel. This way anything short of hash collision / firmware reflash would not allow for compromising the boot process and all inconvenience to the user would be skipped.

    They should learn how Chrome OS does it and implement that in Secure Boot 2.

  4. #4
    Join Date
    Aug 2007
    Posts
    6,607


    Well, with physical access Secure Boot was useless since the first 3rd party binary was signed. You can enroll any hash/key you want. With physical access you usually could disable Secure Boot anyway, so you lose nothing. It is just simpler for noobs to boot Linux without changing firmware settings when the loader is signed. Some loaders enforce signed kernels, and the kernel itself could be patched as well to disable loading of unsigned kernel modules. The problem there is that you can just exchange the bootloader. It would be even more fun when somebody finds a way to modify the key db inside Linux.
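Posts #2 to #4 all revolve around the same mechanism: a firmware-side hash database that a loader checks a boot binary against, where enrollment is a one-way operation. The following is an added model of that check, written for this thread and not code from the Linux Foundation preloader, shim or any firmware. It is a simplification: it hashes the whole file with SHA-256 (the digest type UEFI db entries carry), whereas real db/MOK hash entries are Authenticode PE image hashes that skip the checksum and certificate-table fields. The `HashAllowlist` and `boot_decision` names, and the two sample "loader" byte strings, are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class HashAllowlist:
    """Toy model of a UEFI-style hash database (db or MOK list).

    Entries are SHA-256 digests of boot binaries. There is deliberately
    no remove() method: enrollment only ever adds entries, mirroring the
    observation in the thread that enrolled hashes cannot be reset from
    the loader side, only by clearing the list in firmware setup.
    """
    entries: set = field(default_factory=set)

    def enroll(self, image: bytes) -> str:
        """Add the digest of `image` to the database and return it."""
        digest = hashlib.sha256(image).hexdigest()
        self.entries.add(digest)
        return digest

    def verify(self, image: bytes) -> bool:
        """True if the exact bytes of `image` were previously enrolled."""
        return hashlib.sha256(image).hexdigest() in self.entries


def boot_decision(allowlist: HashAllowlist, image: bytes,
                  secure_boot_enabled: bool = True) -> tuple:
    """Decide whether a loader would hand control to `image`.

    Returns ("boot" | "refuse", reason). With Secure Boot disabled every
    image boots, which is the point made in post #4: physical access to
    firmware settings sidesteps the whole check.
    """
    if not secure_boot_enabled:
        return ("boot", "secure boot disabled")
    if allowlist.verify(image):
        return ("boot", "hash enrolled")
    return ("refuse", "hash not enrolled")


# Constructed stand-ins for a bootloader image and a tampered copy of it.
# Only one byte differs, which is enough to change the digest entirely.
GOOD_LOADER = b"MZ\x90\x00" + b"hypothetical loader body"
TAMPERED_LOADER = GOOD_LOADER.replace(b"loader", b"l0ader")


def demo() -> tuple:
    """Run the three cases the thread talks about and return the decisions."""
    db = HashAllowlist()
    before_enroll = boot_decision(db, GOOD_LOADER)      # unknown hash
    db.enroll(GOOD_LOADER)
    after_enroll = boot_decision(db, GOOD_LOADER)       # enrolled hash
    tampered = boot_decision(db, TAMPERED_LOADER)       # modified binary
    return before_enroll, after_enroll, tampered


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The tampered-copy case is why a per-image hash is a tighter control than a signing key: a key-based db entry accepts every binary the key holder ever signs, while a hash entry accepts exactly one set of bytes, so a new build of the same loader has to be enrolled again.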

  5. #5


    This sounded like a bad idea from the beginning. The Linux Foundation being beholden to Microsoft now? I never thought I'd see this.

    Linux distros are better off using Google and Intel's open source solutions.

  6. #6
    Join Date
    Aug 2007
    Posts
    6,607


    And where do you see signed preloaders from Google or Intel that can be used for systems with the Win 8 logo which have Secure Boot (+ fast boot) enabled? It is tricky enough to start from a USB key when fast boot disables keyboard input on bootup. Now you need at least basic Win 8 knowledge to boot Linux. Hint: hold down SHIFT when you select reboot (Win+I as shortcut for that menu).
