Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ubuntu Lays Plans For Getting Past UEFI SecureBoot

Posted by timothy on from the first-you-fake-an-injury dept.

An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to setup their own signing infrastructure separate from Microsoft."

9 of 393 comments (clear)

  1. UEFI SecureBoot is a catastrophy by Anonymous Coward · · Score: 5, Insightful

    Along with draconian DRM and anti privacy laws, UEFI SecureBoot is crippling the computer as a tool.

    It will take generations and countless wars to undo the damage that is currently being done.

    1. Re:UEFI SecureBoot is a catastrophy by cdwiegand · · Score: 5, Insightful

      Because Apple doesn't care if you load Linux - they're a hardware company (well, user experience company, but anyways). You've already bought their hardware and software. But Microsoft, which has the x86/x64 non-Mac world by its balls, is a software company, so they will do things that strategically make non-Windows software harder. So a similarly-capable Acer, as an example, is going to be more locked down than your Mac.

      Hence, I'm slowly finding myself thinking of buying Mac hardware again, even given the higher-than-I-need quality (and price).

      --
      . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
  2. Next -- compilers by Anonymous Coward · · Score: 5, Insightful

    The next step should be requiring a background check in order to have access to a compiler. Compilers are a subversive tool that is essential to creating malware, the cyberspace equivalent of a chemistry lab. Just as having an unauthorized chemistry lab should automatically make one suspect for creating drugs, explosives or chemical weapons, posession of an unauthorized compiler and of a machine that does not have a secure boot should make one suspect of cyberterrorism.

    Of course, this is impossible right now, just as fifty years ago nobody would have taken such a dire view on chemistry. However, the next generation of people raised in fear of pedophiles and terrorists will work hard to make this a reality. And the generation after that will be the blessing of knowing that things have always been like this, since all authorized books will be in electronic format, periodically updated with the best and most recent knowledge about the past.

  3. Re:Why not ignore UEFI? by oakgrove · · Score: 4, Insightful

    How do you presume they build their own laptops and x86 tablets?

    --
    The soylentnews experiment has been a dismal failure.
  4. Re:How much of the 'operating system' needs to sig by kav2k · · Score: 4, Insightful

    There are, however, easy-to-use piracy tools for Windows that do exactly that. I'm pretty sure it's a big chunk of MS motivation for the whole mess.

  5. Re:How much of the 'operating system' needs to sig by Sloppy · · Score: 4, Insightful

    That's what I like about it. They're not even paying lip service to that bullshit official purpose. Red Hat made it sound like they have drank some of the Koolaide, with all their worrying about how the person who owns the computer might abuse an unsigned module to take control of their computer.

    Once you're running your bootloader, then the issue is over. There is no need to further check for any other signatures or try to guarantee that the owner can't run their own code. You have satisfied the requirement and thereby gotten the computer to work.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  6. Re:How much of the 'operating system' needs to sig by blueg3 · · Score: 5, Insightful

    The point isn't to protect against bootloader infections, per se. The problem is that if you use a protection mechanism based on one layer being signed (say, signed application code), then it's made irrelevant by attacking one layer lower. So you need to sign from the bottom-most layer all the way up. That means either a signed BIOS or one that can't be changed in software, a signed bootloader, a signed kernel, signed drivers, and signed application code. The purpose of the signed bootloader isn't to protect against bootloader malware that exists now, but to protect against the bootloader malware that would appear if you started relying on a signed kernel.

    I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.

    So turn off UEFI Secure Boot.

  7. Re:Chain loading from "secure" boot to libre boot by Anonymous Coward · · Score: 5, Insightful

    And also Windows malware that does exactly the same thing. At which point the Canonical key will be revoked, and all Linux distributions that relied on it will cease to function.

  8. Re:How much of the 'operating system' needs to sig by psm321 · · Score: 4, Insightful

    And how long before Microsoft and/or the OEMs start saying you can't do that?

    Not very. And I don't have much hope given the hordes of people on the last article that honestly believed that Microsoft was being altruistic in this and that anyone questioning their motives was a conspiracy theorist/had a low IQ.