Linux Foundation Releases Secure Boot System

[phoronix]

Phoronix: Linux Foundation Releases Secure Boot System

The Linux Foundation has finally released its UEFI Secure Boot system that's intended for independent Linux distributions and software developers to more easily have access to a signed boot shim...

http://www.phoronix.com/vr.php?view=MTI5NzQ

[Kano]

This preloader is simpler to use as it works with unsigned efi binaries as well. Shim does not allow that - at least that was what i noticed. Why shim is allowed to add a key (i.e. MOK.cer) and this loader not is a bit weird. The error that MS most likely found is there with hashes as well - i see no way to reset those when they have been added. Try yourself you have got a board with Secure Boot - preferred do a backup of your firmware before (you can use flashrom for some boards).

[varikonniemi]

It is outright criminal that we have to endure such crap as this secure boot. The idea is good, i give them that. But the implementation, it sucks big time.

The only feature one would need is for the UEFI firmware to be able to import the MD5 hash of the bootloader/kernel. This way anything short of hash collision / firmware reflash would not allow for compromising the boot process and all inconvenience to the user would be skipped.

They should learn how chrome os does it and implement that to secureboot 2.

[Kano]

Well with physical access secure boot was useless since the first 3rd party binary was signed You can enroll any hash/key you want. With phyiscal access you usally could disable Secure Boot anyway, so you lose nothing. It is just simpler for noobs to boot Linux without changing firmware settings when the loader is signed. Some loaders enforce signed kernels and the kernel itself could be patched as well to disable loading of unsigned kernel modules. The problem there is that you can just exchange the bootloader. It would be even more fun when somebody finds a way to modify the key db inside Linux.

[Krysto]

This sounded like a bad idea from the beginning. The Linux Foundation being beholden to Microsoft now? I never thought I'd see this.

Linux distros are better off using Google and Intel's open source solutions.

[Kano]

And where do you see signed preloaders from Google or Intel that can be used for systems with Win 8 logo which have Secure Boot (+fast boot) enabled? It is tricky enough to start from usb key when fastboot disables keyboard input on bootup. Now you need at least basic Win 8 knowledge to boot Linux. Hint: hold down SHIFT when you select reboot (Win+I as shortcut for that menu).

[blackout23]

Why do we need this again? I have not missed it on my PCs for the last 17 years.

[blackiwid]

yes and that explains why rms was pissed getting a linux foundation award... he said it like it would be a obi wan kinobi award for luke sky walker or something like that.

Ok thats another point... but in generell I understand a bit more why RMS really hard fights opensource movement, and why he sees it basicly as a danger and he strongly points to the differences and dont sees it as one movement with small misunderstandings... I found that sometimes a bit to radical or so... but I more and more understand that its no small differences or missunderstandings...

lets take the kernel... now you can say ok its only gpl2 and gpl3 has only a few small stuff that goes further... but there will be more freedom steeling things in the future, and there will someday come a gplv4 that targets this... and then the kernel will stay still gpl2 till ever... the difference between real software-freedom and what linux offers will grow over time...

and with windows 8 and arm it gets even more unfree (no really free grafics drivers for any arm hardware)... and now even arm bought sparc or something (the arch the laptop of rms has) and will shut that down, too...

the future is darker not brighter... and yes for me its not all about softwarefreedom... its about freedom at all.. and yes gpl even if all software would be use this lisense would make free peoples... but its one aspect of ride to hell we are doing...

To give a hint what I mean with other stuff, is that a basic income grant could change the whole system so that bad people who wants to get rich, would not find so easy people that today take every job, because they basicly are forced... to hurt themself by doing stuff they dont want to do and hurting other people/environment.

[oneonesip]

when i try in my local host, it still could not work, so i could not test the security one

[moilami]

Why do we need this again? I have not missed it on my PCs for the last 17 years.

Redmond & co wants ur $$$ really bad. U don't pay them enough.