Ubuntu Lays Plans For Getting Past UEFI SecureBoot
An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to set up their own signing infrastructure separate from Microsoft."
Along with draconian DRM and anti-privacy laws, UEFI SecureBoot is crippling the computer as a tool.
It will take generations and countless wars to undo the damage that is currently being done.
The next step should be requiring a background check in order to have access to a compiler. Compilers are a subversive tool that is essential to creating malware, the cyberspace equivalent of a chemistry lab. Just as having an unauthorized chemistry lab should automatically make one suspect for creating drugs, explosives or chemical weapons, possession of an unauthorized compiler and of a machine that does not have a secure boot should make one suspect of cyberterrorism.
Of course, this is impossible right now, just as fifty years ago nobody would have taken such a dire view on chemistry. However, the next generation of people raised in fear of pedophiles and terrorists will work hard to make this a reality. And the generation after that will have the blessing of knowing that things have always been like this, since all authorized books will be in electronic format, periodically updated with the best and most recent knowledge about the past.
The point isn't to protect against bootloader infections, per se. The problem is that if you use a protection mechanism based on one layer being signed (say, signed application code), then it's made irrelevant by attacking one layer lower. So you need to sign from the bottom-most layer all the way up. That means either a signed BIOS or one that can't be changed in software, a signed bootloader, a signed kernel, signed drivers, and signed application code. The purpose of the signed bootloader isn't to protect against bootloader malware that exists now, but to protect against the bootloader malware that would appear if you started relying on a signed kernel.
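Added example (not part of the thread, and not any distribution's or firmware vendor's code): a small Python model of the layered verification described in the comment above, using pinned SHA-256 digests as a stand-in for signatures. `Stage`, `build_chain` and `boot` are hypothetical names and the stage contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    next_pin: Optional[str]  # digest this stage expects of the stage it loads

    def image(self) -> bytes:
        # The pin is part of the measured image: changing it changes the digest.
        return self.code + b"|" + (self.next_pin or "").encode()

def build_chain(kernel_code: bytes = b"kernel-v1") -> list:
    # Constructed sample chain: bootloader -> kernel -> application.
    app = Stage("application", b"app-v1", None)
    kernel = Stage("kernel", kernel_code, digest(app.image()))
    bootloader = Stage("bootloader", b"loader-v1", digest(kernel.image()))
    return [bootloader, kernel, app]

def boot(firmware_pin: Optional[str], chain: list) -> list:
    """Return [(stage, status)]; status is verified, unverified or rejected."""
    result, expected, trusted = [], firmware_pin, True
    for stage in chain:
        if trusted and expected is not None:
            if digest(stage.image()) != expected:
                result.append((stage.name, "rejected"))
                return result  # boot halts at the first mismatch
            result.append((stage.name, "verified"))
        else:
            # Nothing trusted vouched for this stage, so any check it
            # performs on the next stage proves nothing either.
            trusted = False
            result.append((stage.name, "unverified"))
        expected = stage.next_pin
    return result

if __name__ == "__main__":
    good, bad = build_chain(), build_chain(b"kernel-modified")
    root = digest(good[0].image())  # pin held by the immutable bottom layer
    print("rooted in firmware, genuine :", boot(root, good))
    print("rooted in firmware, modified:", boot(root, bad))
    print("no firmware check, modified :", boot(None, bad))
```

With no check at the bottom layer, the genuine and the modified chain produce the same result, which is why the kernel check alone carries no weight.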
I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.
So turn off UEFI Secure Boot.
And also Windows malware that does exactly the same thing. At which point the Canonical key will be revoked, and all Linux distributions that relied on it will cease to function.