Will Secure Boot Cripple Linux Compatibility?
MojoMax writes "The advent of Windows 8 is drawing ever nearer and recently we have learned that ARM devices installed with Windows 8 will not be able to disable the UEFI secure boot feature that many of us are deeply concerned about. However, UEFI is still a very real danger to Linux and the freedom to use whichever OS you choose. Regardless of information for OEMs to enable customers to install their own keys, such as that published by the Linux Foundation, there are still very serious and as yet unresolved issues with using secure boot and Linux. These issues are best summarized quoting Matthew Garrett: 'Signing the kernel isn't enough. Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen. That's going to make some people fairly unhappy.'"
GreatBunzinni has been posting anonymous accusations listing a whole bunch of Slashdot accounts as being part of a marketing campaign for Microsoft, without any evidence. GreatBunzinni has accidentally outed himself as this anonymous poster. Half the accounts he attacks don't even post pro-Microsoft rhetoric. The one thing they appear to have in common is that they have been critical of Google in the past. GreatBunzinni has been using multiple accounts to post these "shill" accusations, such as Galestar, NicknameOne, and flurp.
That's not the problem. The problem is that moderators gave him +5 Informative and are now modding down the accused, even for legitimate posts. Metamoderation is supposed to address this by filtering out the bad moderators, but clearly it's not working.
This "shill" crap that has been flying around lately has to stop. It's restricting a variety of viewpoints from participating on the site and creating an echo chamber.
Would someone interested in Linux on these particular tablets be able to order one from a vendor with Linux (or no operating system) pre-installed? I couldn't find information on whether or not OEMs are restricted from selling pre-installed Linux versions of the tablet. The SoftwareFreedom website says "any ARM device that ships with Windows 8 will never run another operating system, unless it is signed with a preloaded key or a security exploit is found that enables users to circumvent secure boot." The phrase there is "ships with Windows 8," which suggests to me that Custom Boot-enabled versions could ship without Windows. Admittedly, I have a hard time seeing it as a freedom issue, as these are just tech gadgets at the end of the day. I'd rather it was framed as an inconvenience argument, not a freedom one.
This will be the last story we post today until 6pm EST in protest of SOPA... or not..
Don't purchase any of these ARM powered devices which run Windows 8.
It Will.
"What do you mean I can't put Linux on this Commodore Vic 20?!?! I'm outraged!!!!!"
get over yourself.
When the incompatible hardware doesn't sell, the OEMs will hear you loud and clear.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
It seems to me this only affects a subset of devices that don't even yet exist. If what you want to do is run linux with virtual box and other assorted unsigned kernel modules then why would you be buying a 'Designed for Windows 8' ARM device? You wouldn't, just like you wouldn't buy an iPad to do those things. You would buy an x86 device, or an Android device, or an ARM device that is not 'Designed for Windows 8'.
Just an uninformed question, but wouldn’t the OS varies allow unsigned loading of binaries but prompt the user or inform them in some way? This is how it is handled for most systems in which you are developing new drivers. By default only trusted sources are loaded but if you want to enable other signed binaries the user has to specifically allow it. What is wrong with this approach?
Simple as that !! I don't want to see any "ooooh, but windows comes on everything good" crap !! Don't buy those !!
The solution (yeah, as if that will ever happen) is to boycott any and all devices that come with Windows 8 pre-installed, including x86 systems. Microsoft has to be made to understand that they are NOT the only shark in the water.
Sometimes, real fast is almost as good as real-time.
There's a chance, however slight, that this will lead a bigger push for keeping modules in the kernel tree.
Everything that reduces the necessity to dumb down Linux (see Unity) for end users (who do not care if they use Linux or Windows) is applauded by me.
I don't care what runs the ssh client to connect to my Linux servers.
I'm not a lawyer, but it seems like it could be.
Microsoft conspiring with hardware makers is no different than Standard Oil conspiring with the railroads.
Consider this, demand for second-hand devices of this sort is going to be VERY weak. I'd not buy one myself.
...supplying open source hardware.
Just wait until Windows 8 and Apple IOS suffer their first major hack. The resulting panic will be unbelievable.
How's it going, GreatBunzinni!
Right now, the ARM architecture equates to tablets and phones for many, maybe most people.
However, a number of companies (Qualcomm, NVIDIA, and others) have announced that they are developing ARM processors to challenge Intel in laptops and desktop systems. Probably they are going with ARM because Intel is being somewhat uncooperative (and maybe anticompetitive) by not letting them have licenses that would allow them to produce x86 compatible systems.
For these companies, having Windows on their ARM systems is vital. However, we shouldn't be short-sighted - restricting the ability for ARM systems to boot anything but Windows will (in the long run) benefit Intel, AMD, Via, etc. as much as it will benefit Microsoft by restricting which operating systems the upcoming ARM based systems can boot. They will either run Windows or they will run everything else, depending on the boot ROM in the system. Guess which most will choose.
Unfortunately, most complete hardware systems tend to come paired with software (i.e. the OS). The only people who get to choose their OS are people who build their own PCs. If this becomes too common, the only way will be if it's possible to build your own (much as people do with x86 PCs today). Of course, that still sucks for anyone who wants a mobile device, or who has old (eventually) equipment, doesn't want to build themselves, etc.
Excuse for why is your room always messy?
Don't buy a product that won't do what you want it to and call it a boycott. And it can all be accomplished without leaving the couch.
So we are now seeing top-down control of executable computer code.
The last remnants of user-programmable computing have been swept away forever. Fear will keep the local systems in line... Fear of key revocation!
:(
Isn't Microsoft treading on thin waters with a monopoly?
You are comparing Apples(tm) and Windows(tm). What OS does Apple sell? What computer models does Microsoft sell? See the difference?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
knoppix and other testing / recovery tools also need secure boot.
Does networking booting work with secure boot?
Ghost?
Hard Drive Diagnostics tools (self booting ones)
Dell Diagnostics tools (self booting ones)?
Acronis True Image
clonezilla?
Memtest86+ (better and more to the hardware than the Windows memory test tool)
There is a lot of stuff, some still DOS-based, that is needed outside of Windows.
Why can't you? You have the source code, and there are 8 bit versions of it for microcontrollers already, that don't have or need a VMM. Yes, it requires a Herculean effort to do so, but you can, which is the whole point here.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
You buy a screwdriver and use the handle to pound in nails when they stop making hammers because Microsoft uses their monopoly to drive hammer makers out of the market.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
There will be a "jailbreak" or somesuch available for these within a matter of hours from when they hit the street.
is why isn't anyone up in arms that Microsoft is going to heavily subsidize Windows 8 Tablet & phone sales. Isn't that an Anti-Trust violation? I'm pretty sure Walmart did the same thing with cosmetics and got in all sorts of trouble...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I was all set to build my next gaming rig around Nvidia's rumored ARM chips - after being locked out from making Intel compatible chipsets, rumor had it they first considered building an x86 processor in house, then decided to build an ARM chip because they could be more awesome.
Well, shit, what now?
Buy an AMD/ATI box? maybe, but Bulldozer kinda sucks.
Hope Intel can pull their head out of their ass regarding graphics? Not holding my breath.
Nvidia's ARM on Nvidia chipset? Actually, that sounds kinda exciting.
but hey, GUESS WHAT?!
Thanks, Micro$oft.
Of course Microsoft didn't want linux on the Xbox or Xbox360 but that hasn't stopped it from happening. History teaches us that if linux hackers want linux on something and it's possible then it will eventually be done.
As I understand it this is about what the firmware loads having to be signed. It then trusts that program to do the right thing and apply tests to ensure that other operating systems or modules are correctly signed before loading them. I.e., a chain of trust.
How long do you think it will be before a signed version of GRUB (that will happily load anything) appears on an FTP site somewhere? Either by someone cracking the signing key, or someone working late at night at an office somewhere where they have the ability to generate signed binaries and doing a bit of unrecorded extra work. There is a good chance that whoever does it will not be caught ... just pass the binary down a chain of contacts the last of which puts it up somewhere.
Revoking a key will take a lot of work, it might not be possible to do on kit that is already out in the field. They might make using this signed GRUB illegal, but on what grounds? They would need new laws.
What man can do - man can break.
I've been known to piss on requirements in specifications from time to time because they subvert my interests or they have effects I believe to be more harmful than helpful.
All secure boot does is give the computer some assurance whatever it is handing off control to can be trusted.
There is no technical way for UEFI or anything else to enforce signed drivers in the form of modules loaded dynamically at runtime. If the kernel is blessed by the computer these "requirements" are simply empty words on a page that can and will be ignored with impunity.
I'm really confused by Matthew Garrett's assertion that secure boot creates problems for virtualbox, OS device drivers, and other kernel modules. UEFI secure boot only applies to UEFI executables (basically UEFI device drivers and bootloaders). Once the bootloader hands off control to the OS, UEFI secure boot's job is done. It's up to the OS bootloader to decide if it wants to check a signature on the OS. And from there, it's up to the OS to decide if it wants to verify signatures on other kernel modules, including drivers. If the Linux folks aren't worried about malicious device drivers acting as rootkits, they don't need to verify device drivers. It's just that simple.
And maybe if Matthew and the FOSS community are that concerned about standardized key formats for UEFI they should actually join the UEFI Forum. Red Hat and Canonical have certainly been invited to the table, but they instead choose to criticize from the outside rather than be part of the solution. Microsoft has gone out of their way to try to placate the FOSS folks here, at least on x86 (I agree that the situation on ARM is a bit different). MS will sign other bootloaders, if someone will submit one, allowing Linux folks to take partial advantage of UEFI secure boot. MS is requiring user-configurable trust anchors on x86, which is exactly what Red Hat and Canonical asked for.
I really don't understand Matthew here. He got what he wanted on x86. I can understand him not being happy with the requirements for ARM systems, but he should be ecstatic with Microsoft's new draft requirements for x86 systems.
That's the beginning of the implementation of that "Right to Read" stuff. We thought it was averted in the 90's, but it was just delayed.
One thing is certain, if this thing goes forward (what is not granted yet) the organization (company, country, whatever) that somehow avoids Microsoft will have a huge competitive edge.
Rethinking email
Yep, that's true. Any bootloader, including bootloaders on boot CD/DVDs, will need to be signed when UEFI secure boot is enabled. You'll probably need to disable UEFI secure boot when using old add-in cards, like discrete video cards, too. At least, I think you'll have to if you want to be able to use your monitor in the preboot environment.
That actually raises an interesting question though... If you have a motherboard with UEFI secure boot enabled by default, and you try to use an old video card that doesn't have a signed UEFI device driver, how would you even go into the BIOS settings to turn off secure boot?
SOPA PIPA, the "return" of public-domain artefacts to the status of "intellectual property", "secure" boot.
My .sig is no joke. If the elite in the US and Europe were told "make the choice between keeping Corporate Capitalism or Republican Government?
I think you know that the last vestiges of the old republic would be swept away... in a twinkling.
GET THIS STRAIGHT! Democracy is MORE IMPORTANT than mere COMMERCE!
But it's too late, isn't it? Now, it's all over - except the shouting.
"Flyin' in just a sweet place,
Never been known to fail..."
The bonch account, together with bonch, Overly Critical Guy and SharkLaser accounts, are sockpuppet accounts employed to astroturf slashdot with corporate-friendly PR and karmawhore through fluff posts.
They are so heavily invested in pumping slashdot discussions with PR speak that they repeatedly post messages cut/pasted from the same PR script, as pointed out in this post.
They also engage in coordinated campaigns to steer discussions and attack users who post messages which are unfriendly to their sponsor corporation or threaten their karma, as pointed out in this discussion
So, mod this astroturfing account accordingly.
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
I would think there will be some kind of VGA / VESA fallback or some kind of basic UEFI video driver. Anyway, it's not like BIOS needs a 3D driver, and no video till OS boot makes it seem like the video card is bad.
ATI and NVIDIA are too big to be locked out.
also how many raid cards have UEFI?
Microsoft is threatened by Linux being able to boot other OSs means that folks could boot Linux, and when running in Linux they could run WINE and then access x86 applications that Windows 8 ARM cannot. Besides the potential compatibility I am sure MS is going to face tough competition on a slim hardware platform where Linux/Android and other open OSs can out-innovate on it as a community better than MS can (think kinect there).
MS knows the Win8 ARM is going to be a tough sell and they don't want their low-end hardware ARM (converted to Linux, operating as a more robust OS) devices to compete with the more lucrative win8 x86/64 devices because even if it is not well received consumers (lets not use the term customers, locking the device to a single OS makes the devices throw-away) will have no choice to buy a better unit, and hopefully it will be a full power Win8 tablet, notebook or desktop.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
"We" already have a way around this....not to worry...it's no big friggin' deal.......WTF
RAID cards were usually the thing I pointed to when people were worried you weren't going to be able to turn off UEFI secure boot. I fully expect you'll need a signed UEFI device driver for your RAID card if you want to boot off of it.
Hopefully you're right about a basic UEFI device driver, otherwise I think people will have problems before UEFI-compatible add-in cards become pervasive. But, in a UEFI world I don't think you have the same concerns about no video until OS boot. UEFI systems running Windows 8 will boot much faster than today's systems, making the time before the OS device driver kicks in much less.
I'm sure they don't realize what they are doing... but they will in time. They (unlike apple) don't sell the hardware their software runs on. Therefore.. it's not under their control how many devices are in the market that can run an OS that is so locked down. At first there may be many... but those choices will taper off as sales of linux based devices will always be less expensive. That and people don't like windows on non desktop platforms and I seriously doubt they have done enough right with the next iteration of Windows to change that perception. So in the end.. this will resemble yet another failed Microsoft mobile platform and less like the next desktop OS for the future. In the mean time.. they will continue to shed 3rd party developers as this slow motion train wreck unfolds.
Every normal man must be tempted, at times, to spit on his hands, hoist the black flag, and begin slitting throats. -HLM
You still need video for that and you don't want that to be OS tied or to be on the HDD. Also I think OS install / windows recovery stuff on the install disk may need some kind of basic video driver. You can't count on intel GMA 2013-2014 or ATI 8XXX drivers to be on the install disk. You can load raid drivers in install but not video.
What about dos / bios flashing as well? What if you need to pre boot to flash the raid card to UEFI?
mouse and keyboard / speaker sound / USB drives have basic drivers / cd dvd boot (part of ide / sata drivers) as well. And most keyboards and mice are too dumb to have any kind of secure chip.
uh, yeah it does. that's the free market. you try to crush the other guy. survival of the fittest
google is the one using monopoly revenues to pump a new market with a free product, just like microsoft did with IE. if this is an abuse of monopolistic powers, then so is Android
Do not buy these pieces of sh*t... Who wants something as buggy as Windows on any device you depend on... The Navy tried Windows on one of its Destroyers and it died in the middle of combat when it exceeded 1024 items it needed to track. So it was a sitting duck... Follow the Navy and don't touch this POS with a ten-foot pole...
Sigh, it sounds like it's time to prosecute Microsoft for being a monopoly AGAIN. How come those fucks aren't in JAIL already anyway, huh???
All the supporters of the truly free operating systems and distributions of them are saying now "we told you blobmatists so".
It's interesting that Microsoft has long been strong-arming hardware vendors into REQUIRING that they sell their machines with an OS(oh, any OS is fine *wink* *wink*). Now apparently they want to make sure you can't take Windows off of the device. This isn't so different from encrypted bootloaders on android devices.
Now that these mobile devices have advanced to being full blown computers in every sense of the word, they are still not referred to as such. They are not even referred to as single-purpose/special-purpose computers. They are referred to as consumer electronic devices or mobile phones. People are used to consumer electronics and mobile phones being proprietary devices, this is normal and accepted. There is still the pervasive idea that with a desktop computer or a notebook computer the machine is the PROPERTY of the OWNER of the machine. "This is my machine and you can't tell me what I can or can't put on it."
The idea of buying a laptop computer that you cannot, WILL NOT, run anything but the operating system shipped with it is just weird. If people aren't thinking of the device as a computer, but merely a telephone or a gadget, this idea doesn't seem weird at all.
Couldn't loading Linux (or other systems) be worked around by writing a "Linux loader device driver" or such for Windows 8, and getting it properly signed to work on Windows 8, etc.?
"Video bona proboque; deteriora sequor." -- Ovid
There is a market for Linux boxes. Therefore someone will produce them. And they will be incompatible with Windows and will come with no Windows pre-installed. About time, I really don't understand why I have to sponsor Microsoft every time I buy a new PC.
Does nobody see the irony of the people blasting Microsoft in preference for Android, which is (ultimately) a closed system, mostly installed on locked-down hardware and unrootable installs?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I feel like you are missing the point. I believe the critical point about what is going on right now is not about tablets but rather ARM based desktop machines. I am ready to accept that tablets are turnkey devices, appliances, that are pretty much what they are. I know some people want to hack them and I think they should be able to, but I want to get back to the desktop for a moment. So far we haven't seen any major activity with ARM on the desktop, but the ARM cores have come a long way, and some day soon we may see a massive core desktop machine that is ARM, and then we will very much want the freedom to run Linux on it because it will be a powerful little HPC. A very serious desktop. Whether you want it for gaming, or you just want a runs like lightning machine to program on... When that day comes, I really don't want to hear that I can only use it with Windows. Because if we have learned anything about Microsoft over the years, it is that they can write terribly sluggish operating systems that ALWAYS use up most of the computing power before the user gets to run anything. I have said it before and I will say it again now. Computers are a thousand times faster than they were when Windows first came out. They also have a thousand times more memory, and a thousand times more hard disk. But they don't run all that much faster than Windows 3.1 did, and I think we are owed an explanation. But getting back to the ARM on the desktop. The Microsoft certification guidelines for ARM based equipment specified that the SECURE BOOTING will run in STANDARD MODE ONLY and not CUSTOM MODE. EVER. Unless Microsoft wants to pay for all the development going into these platforms, who are they to mandate that only their software can run on them? The other point I want to make, is that their excuse for all this is keeping the systems secure, but it is their system (Windows) that has all the terrible problems with viruses.
I am not saying Windows is the only platform that can be pwned, but it is easily a million times worse off than the OS's that they are trying to suppress. As far as national productivity is concerned, if the US wants to get its competitive edge back, a ten year plan, not for alternative energy, but rather a ten year plan to get us off Windows and onto ANYTHING ELSE, hopefully *nix based, would be a great start. IMHO
What is required from the OSS community is a counter-attack project..a "UEFI Killer" / "Secure-Boot Killer" like project which helps in disabling (i don't think so that only bypassing would be feasible and/or possible.. what would be required is actually separating that F**KN feature off the grid.. *snuff*) the feature :) :D
hmm..OMFG what did i just typed..
Peace off~
echo9
There are no drivers in a BIOS. A BIOS is an embedded program in a motherboard with basic functionality for system configuration. Anyways, UEFI is a replacement for BIOS, there will be no BIOS anymore. And for BIOS or UEFI, it doesn't matter what video card you use because they occur before Windows starts. The secure boot/signed code issue comes up when Windows starts booting.
Right now it would seem that you're dreaming - there's a very good chance that we'll never see anything comparable on ARM, simply because the devices will all be locked down.
Have you ever seen anything like this on a previous ARM tablet? What makes you think the Windows-based ones will be any different?
Stop whining about compatibility with windows and start putting your money where your mouth is, to economy of linux ...
With the purchase of a new computer comes Windows pre-installed. $200 dollars wasted for Windows 7 Ultimate to only be replaced by GNU/Linux {Red Hat}. Most people who don't want Windows still have to pay the M$crosoft tax.
You forgot how it all started out: home computing at first was a DIY activity. It gradually but steadily gained popularity until businesses jumped in and until the Big Blue took note and created first "serious" PC as we know it. We can get back and reinvent it all. Unlike back then, today we have ready Linux. I predict that next big surprise (for those not already following the hacker/maker subculture) will be strong fervent community of competing open gadgets of different flavors, something like colorful mixture the 8bit microcomputing/home computing scene of the '80s was. Today, relatively powerful 32bit microcontrollers and high-resolution color LCD's are ubiquitous components and it is not impossible that soon we will be making, or buying kits, or even assembled open design Linux tablets from e-bay.
Really, it's getting really old. SecureBoot will not lock down Linux or any other of your favourite hippie operating systems. There have been tons of these shitty articles on /., just stop with this lie, good grief
You idiots don't know how to moderate and should turn in your geek cards immediately. I strongly believe everything I said below including the bits about fucking oneself. Don't tell me what to do, what I should believe, or to be happy with the fucking that electronics manufacturers try to give us. Isn't this supposed to be news for nerds? Nobody who would just give up and say "that's unauthorized" deserves to be permitted to read this site, let alone to moderate.
Guess the moderators work for Microsoft, though, convicted criminals.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
My post on this 2 days ago was deleted. As I am sure this one will be too. I am a MS engineer. I think the locking of their vendors like is not cool. Make me hate my job even more.
First, we just have a terminology difference. I use "BIOS" as a fairly generic term for the boot firmware on the motherboard that executes at power-on. UEFI isn't really the right term for that, because UEFI is just a standard set of interfaces that UEFI-compatible boot firmware can implement. If it's important to distinguish between old and new, I'll usually write "legacy BIOS" or "UEFI BIOS".
Second, there definitely are drivers for BIOS. In the legacy BIOS world they're called Option ROMs. In the UEFI world, they're called device drivers. You need those if you want to use a device in the preboot environment. Not every device needs an option ROM. You're not going to need to use, say, a TV tuner in preboot. But, you do want to use SATA/IDE controllers so you can boot off a drive, or maybe you want to use a network card to boot off a network server using PXE. Video is certainly important in preboot too, since you might want to go into the configuration settings and change stuff around. The only question is if you can use some sort of generic UEFI device driver, or if you need a card-specific one.
Third, secure boot ENDS when Windows starts booting. Mainly, UEFI secure boot verifies signatures on UEFI device drivers and the bootloader. Once the bootloader runs, UEFI secure boot is essentially over. The UEFI BIOS is no longer in control of the system, and it's up to the bootloader and the OS to check signatures at that point.
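Added example, not part of the thread and not any commenter's or project's code: a small Python model of the hand-off described in several comments above, where the firmware checks the bootloader, the bootloader checks the kernel, and the kernel decides whether to check modules. As an assumption for illustration, a set of trusted SHA-256 hashes stands in for real signature verification, and all image names and contents are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Image:
    name: str
    data: bytes


def digest(image: Image) -> str:
    return hashlib.sha256(image.data).hexdigest()


def trust(*images: Image) -> set:
    return {digest(i) for i in images}


@dataclass
class Policy:
    """What one stage demands of the code it loads next (hypothetical model)."""
    allowed: set = field(default_factory=set)   # trusted image hashes
    revoked: set = field(default_factory=set)   # explicitly forbidden hashes
    enforce: bool = True                        # False: load anything

    def verdict(self, image: Image) -> str:
        if not self.enforce:
            return "unverified"                 # runs, but nobody checked it
        h = digest(image)
        if h in self.revoked or h not in self.allowed:
            return "refused"
        return "verified"


@dataclass
class BootResult:
    ran: List[str]                  # everything that executed, in order
    unverified: List[str]           # executed without an unbroken chain behind it
    halted_at: Optional[str] = None


def boot(firmware, bootloader, loader_policy, kernel, kernel_policy, modules):
    """Walk the chain: each stage applies its own policy to the next image."""
    steps = [(firmware, bootloader, True), (loader_policy, kernel, True)]
    steps += [(kernel_policy, m, False) for m in modules]
    ran, unverified, chain_ok = [], [], True
    for checker, image, fatal in steps:
        v = checker.verdict(image)
        if v == "refused":
            if fatal:                           # no bootloader or kernel: stop
                return BootResult(ran, unverified, image.name)
            continue                            # a refused module is skipped
        if v == "unverified":
            chain_ok = False                    # stays broken for later stages
        ran.append(image.name)
        if not chain_ok:
            unverified.append(image.name)
    return BootResult(ran, unverified)


# Constructed sample images.
BOOTLOADER = Image("bootloader", b"constructed bootloader image")
KERNEL = Image("kernel", b"constructed kernel image")
INTREE = Image("intree.ko", b"constructed distro-built module")
LOCAL = Image("local.ko", b"constructed locally built module")
TAMPERED = Image("bootloader", b"constructed modified bootloader")


def scenarios():
    fw = Policy(allowed=trust(BOOTLOADER))
    fw_revoked = Policy(allowed=trust(BOOTLOADER), revoked=trust(BOOTLOADER))
    loader = Policy(allowed=trust(KERNEL))
    strict = Policy(allowed=trust(INTREE))
    lax = Policy(enforce=False)
    mods = [INTREE, LOCAL]
    return {
        # Every stage enforces: the locally built module is refused.
        "strict": boot(fw, BOOTLOADER, loader, KERNEL, strict, mods),
        # Verified kernel that loads any module: the firmware check still
        # passes, but unchecked code ends up in kernel mode.
        "lax_kernel": boot(fw, BOOTLOADER, loader, KERNEL, lax, mods),
        # Verified bootloader that loads any kernel: later checks are made
        # by a kernel nobody verified, so they no longer count.
        "lax_loader": boot(fw, BOOTLOADER, lax, KERNEL, strict, mods),
        # Firmware refuses a modified or revoked bootloader outright.
        "tampered": boot(fw, TAMPERED, loader, KERNEL, strict, mods),
        "revoked": boot(fw_revoked, BOOTLOADER, loader, KERNEL, strict, mods),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The firmware's verdict is identical in the "strict", "lax_kernel" and "lax_loader" cases; what differs is how far the verified chain extends after the hand-off.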
Why hasn't the FTC stopped this stupidity in its tracks? The skeptic in me thinks it may be that the regulatory agencies in the former USA are populated with people who formerly worked for the companies that they are now "regulating." Anyone at FDA want to comment on that?
That actually raises an interesting question though... If you have a motherboard with UEFI secure boot enabled by default, and you try to use an old video card that doesn't have a signed UEFI device driver, how would you even go into the BIOS settings to turn off secure boot?
Good point, a mobo jumper would be useful for this. I think those of us who aren't scared of technology will just have to do without the secure boot feature, turn it off and never turn it back on.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Easy. Re-flash the bios with a non protected one. This might involve physically replacing the bios chip, or perhaps using a jtag in some cases though.
Hopefully.... hopefully we can just avoid all of this UEFI bunk by purchasing open hardware. Unfortunately, Microsoft has a tight grip on the throats of many PC vendors. And it seems, once again Microsoft needs and wants to control how users actually use their hardware. Year after year, bandaids and patches are put on things to help to try and secure Windows, but it just makes Windows more bloated and now we have to deal with these silly hardware changes. I don't think this will have too much of an impact, Intel based hardware will still be fine which is where most of the user base is anyway.
UEFI is another killbit for Windows Vista Revisited.
Has secure anything ever stopped anyone from doing anything ever?
Even if the bios is from read-only memory, it has to execute some code to verify that the software to be next loaded is valid. That software, be it grub or the Windows loader, has a signature. All that is necessary is to have a software that provides the correct signature and the boot sequence will continue.
Alternatively, you let Windows boot, and use Windows software to reload the alternative.
There is always a way to use your own software. The best way is to just not purchase windows ARM based products.
Leslie Satenstein Montreal Quebec Canada
More question mark abuse, I see. Mod submitter overrated. Or maybe Garrett got confused about what he was talking about.
There are three(!) totally separate issues here, all being conflated as though they were the same thing:
Many people are flaming Microsoft here. Fine. Fuck Microsoft. Now, that aside...
When Garrett starts saying things like "Signing the kernel isn't enough. Signed Linux kernels must refuse to load any unsigned kernel modules," he isn't talking about Microsoft or UEFI specs. He's talking about actual security -- how he thinks Linux ought to work, in order to protect users from running unknown kernel-mode code. He's not talking about Secure Boot (TM), he's talking about secure boot^H^H^H^H operation. Once your kernel has booted, UEFI specs are irrelevant, because you're not interacting with UEFI anymore and control of the machine is in the hands of the kernel, to protect or lose.
Once you've got your kernel signed and UEFI trusts the signer and it boots, you have solved the big UEFI interoperability problem that everyone is complaining about, and the kernel loading unsigned drivers doesn't change that a bit. At that point, you've got your machine working, and Linux is "secure boot compatible."
Refusing to load unsigned drivers is a way to take advantage of what UEFI secure boot ostensibly intends to offer users, as opposed to sacrificing the security which Secure Boot may offer by treating it merely as a compatibility obstacle.
BTW, I hope this whole signed kernel module issue makes people think back to Torvalds-vs-Tanenbaum. We all know who won, but are you still sure who was right?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
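An added example, not part of the comment above or of any project's code: a toy Python model of the two stages that comment separates, firmware verification of the kernel image and the kernel's own module policy after hand-off. The names `Firmware`, `Kernel` and `scenario` are hypothetical, the images are constructed byte strings, and SHA-256 allowlists stand in for real signature verification.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

class Kernel:
    """Stage 2: after hand-off, module policy is the kernel's decision alone."""
    def __init__(self, image: bytes, trusted_modules, enforce: bool):
        self.image = image
        self.trusted = set(trusted_modules)   # stand-in for the module signing key
        self.enforce = enforce                # refuse unknown modules if True
        self.loaded = []
        self.tainted = False

    def load_module(self, name: str, blob: bytes) -> bool:
        known = digest(blob) in self.trusted
        if not known and self.enforce:
            return False                      # unknown kernel-mode code refused
        self.loaded.append(name)
        self.tainted = self.tainted or not known
        return True

class Firmware:
    """Stage 1: checks only the image it is about to start, nothing later."""
    def __init__(self, db, dbx=()):
        self.db, self.dbx = set(db), set(dbx)  # allowed / revoked image hashes

    def boot(self, kernel: Kernel) -> bool:
        h = digest(kernel.image)
        return h in self.db and h not in self.dbx

# Constructed sample images (assumptions, not real binaries).
KERNEL = b"constructed kernel image"
TAMPERED = b"constructed kernel image + bootkit"
SIGNED_MOD = b"constructed in-tree module"
LOCAL_MOD = b"constructed locally built driver"

def scenario(enforce: bool, image: bytes = KERNEL):
    fw = Firmware(db=[digest(KERNEL)])
    k = Kernel(image, [digest(SIGNED_MOD)], enforce)
    if not fw.boot(k):
        return ("boot refused", [], False)
    k.load_module("intree", SIGNED_MOD)
    k.load_module("local", LOCAL_MOD)         # firmware has no say here
    return ("booted", k.loaded, k.tainted)
```

With `enforce=False` the machine boots and runs the locally built driver, but the verified boot no longer says anything about what is running in kernel mode; with `enforce=True` the boot-time guarantee extends to modules and the local driver is refused.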
In theory yes, but in practice my hovercraft is full of eels.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I fully intend to keep UEFI secure boot turned on whenever possible. It's a very useful security feature. We're already seeing some malware that modifies the Windows bootloader to get around 64-bit Windows code signing checks.
Say What?
Who runs the signing service is the _entire_ point. Saying that is like saying "forgetting the death and destruction for a moment" in the second paragraph on your "what is wrong with nuclear weapons" paper.
Nobody has _any_ problems with signed boot loaders if the people who OWN THE COMPUTER are the people who get to sign the code.
The problem is that the people who make the bios are the ones who get to sign the code.
So forgetting who will have the keys to your car, and house, you can just sleep tight with only being able to start your car or enter or exit your home with express permissions from the on-star lady okay?
That's not hyperbole. The "we own the keys to your computer" would be very like requiring you to have a body scan before you can enter your car or house so that it is known that you are not carrying contraband (say that copy of [your religious text here] or any person who isn't on the "approved rider or resident" list maintained by General Motors).
The "who gets to decide these things for you" is the only and entire problem.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
If you have a problem with the MAFIAA you don't fix your problem by then _joining_ the MAFIAA.
Quite frankly the problem with UEFI is that it is broken in its _founding_ _assumptions_. Namely it assumes that the hardware manufacturer or BIOS writer is the "correct" person to have the boot-keys to the device. That is, it assumes that the computer should not be controlled by its rightful owner.
If the system were even in the correct neighborhood of "correct" the system would require that the root key would be constructed by the owner of each device and that said owner would then have a means to exclusively sign the boot loaders of their choice. This would not be hard to do in any technological way.
Once this was done, then when _I_, as the owner of my device, were to buy Windows 8, or Red Hat, or build-my-own loader for some other purpose, or add memtest86+ to my box, I would use my key to sign my installs to prevent tampering.
The UEFI assumption is that I shouldn't be able to sign my system to prevent tampering by, say, Microsoft by securing my system with my own keys and then running Windows as I see fit.
So yea, I don't see why Red Hat should "join" (e.g. buy in with a hefty cash bribe) UEFI for the right to be one of the anti-user "decider" guys when they believe the approach is broken by design.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
So, would having frog gits get the fuck out of slashdot have your nipples explode with delight ?
If the technical brilliance involved with the wonders of Jailbroken iOS devices, OSX86 and countless other 'enabling' projects is any indication - any attempt to really stop people from running other OSes will only slow people down from trying other software. It will similarly propel others to try even harder. Regardless, geeks like to tinker and play around with various options. An operating system that provides as much openness as Linux or BSD will always be in sufficient demand to wage a battle to circumvent silly security technologies designed to impair the fundamental functionality of the hardware platform.
Anyway, whatever, if Microsoft wants to give us more fodder and employ some security nuts, I'm fine with it. It won't really change anything in the big picture.