Slashdot Mirror
Ubuntu Lays Plans For Getting Past UEFI SecureBoot
An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to setup their own signing infrastructure separate from Microsoft."
Does only the kernel need signing or is there more to it than that for Linux?
The soylentnews experiment has been a dismal failure.
Along with draconian DRM and anti privacy laws, UEFI SecureBoot is crippling the computer as a tool.
It will take generations and countless wars to undo the damage that is currently being done.
Shouldn't I be able to load my own private key (or that of my distribution of choice) in the UEFI interface and then sign the bootloader I want with it (or use that of said distribution)? Ideally changing the key would only be possible while a jumper on the board is set.
If I trust Ubuntu, then my computer would reject the Windows bootloader and vice versa. Isn't that how it should be?
Seems like this leaves things open for an MS rootkit. A rootkit that happens to have an entry point resembling a linux kernel seems a likely scenario.
Also surprised with efilinux. It can load from block devices only, which omits network boot. I understand that grub2 GPL3 concerns make sense, but you would think they might go with elilo. It may be less 'active', but it is capable of doing more than efilinux, notably network deployment.
XML is like violence. If it doesn't solve the problem, use more.
It is the bootloader that needs signing. The problem is that any bootloader capable of loading more than one (signed) kernel would defeat the purpose of secureboot. I mean the official purpose, protection against rootkits, not the actual purpose.
The next step should be requiring a background check in order to have access to a compiler. Compilers are a subversive tool that is essential to creating malware, the cyberspace equivalent of a chemistry lab. Just as having an unauthorized chemistry lab should automatically make one suspect for creating drugs, explosives or chemical weapons, posession of an unauthorized compiler and of a machine that does not have a secure boot should make one suspect of cyberterrorism.
Of course, this is impossible right now, just as fifty years ago nobody would have taken such a dire view on chemistry. However, the next generation of people raised in fear of pedophiles and terrorists will work hard to make this a reality. And the generation after that will be the blessing of knowing that things have always been like this, since all authorized books will be in electronic format, periodically updated with the best and most recent knowledge about the past.
This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader. It's something which we haven't really seen much of since the viruses of the DOS days. I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.
If the kernel is not signed, the rootkit would just infect the kernel instead of the bootloader.
The next step should be requiring a background check in order to have access to a compiler.
Microsoft, Nintendo, and Sony already require this for software that runs on their video game consoles.
In order to compete with Microsoft, they have to beg Microsoft to sign their bootloader? UEFI's secure boot was dubious idea at best, and Microsoft has just hijacked it into a way to greatly inconvenience all the competition under the excuse of security against a threat that barely exists. Red Hat and Fedora might be able to jump through these hoops and beg Microsoft for permission to compete (Which I sure will involve a hefty signing fee for 'administrative costs') but how are the hundreds of smaller distros and niche distros supposed to exist? Right now the only concession made to them is that Microsoft generously permits for secure boot to be disabled (though only on x86, not ARM) - and who here trusts them not to reverse that policy in a few years?
How do you presume they build their own laptops and x86 tablets?
The soylentnews experiment has been a dismal failure.
I have no problem with security features being put in the bios. But if they could potentially make given OS's incompatible then it has to be something you can turn off.
And if you can turn it off then everyone gets what they want.
MS gets a little security on their malware plagued OS. And everyone else can just shut it off.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
There are, however, easy-to-use piracy tools for Windows that do exactly that. I'm pretty sure it's a big chunk of MS motivation for the whole mess.
That's what I like about it. They're not even paying lip service to that bullshit official purpose. Red Hat made it sound like they have drank some of the Koolaide, with all their worrying about how the person who owns the computer might abuse an unsigned module to take control of their computer.
Once you're running your bootloader, then the issue is over. There is no need to further check for any other signatures or try to guarantee that the owner can't run their own code. You have satisfied the requirement and thereby gotten the computer to work.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I have multipl issues wih this whole uefi secureboot shebang.
How can it happen that one company (however large) can seemingly make most of the manufacturers to comply with their crazy ideas? The option to easily disable uefi secureboot _should_ be there on every and each motherboard (desktop, server or laptop). It should not be the manufacturer (and indirectly Microsoft) who decides what kernel and drivers (regardless f the operating system) a user or developer uses. How would anyone make custom kernels and/or modules (Linux) and/or drivers (e.g. Windows) if signing everything through a 3rd party signing service would be required every time? This is crazy.
Second, I don't like where Fedora/RH and Ubuntu are going with this. Aligning with MS on this issue is definitely not the right way to go and most people start to see this. Yet, nobody seems to want to find a way out, most seem to even have stopped protesting, or asking for mandatory secureboot disable options. There are not only 2 distros out there, there are a lot more of them, and most of them will not go along with MS-signing kernels and drivers. Also, if Ubuntu goes for a secureboot lockdown scheme, they might be good from the enterprise side, moving away from the average users, and that just might be what they want to do.
Some still say this whole thing is a non-issue and too much fuss about nothing, but if it were so, then please, for crying out loud, why is there so much smoke around about the planned existance or non-existance of a secureboot disable option? If manufacturers would just say disabling will be there always, this whole issue would just go away.
The biggest problem still is that most average users can't see the point in all this, simply don't care, thus unwillingly participating in making it worse for those, who do.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
x86 Android tablets shouldn't have this problem. As for laptops, I guess MS is pushing people to buy Macs?
I'm kidding, of course, purists are already buying from System76 or the like, which is why GP says "or steer clear of any large OEM that wants Windows 8." Everyone else will deal with this as RH and Canonical are.
Seriously... I read the article the FIRST time this UEFI news was posted from http://mjg59.dreamwidth.org/12368.html, when it was regarding Red Hat, and the edit was already made back then. The money does not go to Microsoft! Why are people still saying this?
It is very misleading to write "Similar to Red Hat paying Microsoft to get past UEFI restrictions" when it is really not the truth.
"Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want)"
my bias: I have Linux on all of my systems, no MS OS around here. Please, stop the inaccuracies and write what is true.
That sounds plausible.
I want to boot whatever software I want, not what you gracely will allow me.
Hardware is MINE, not yours!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Except that it *isn't* for DoD stuff or mainframes or even virtual machines (Where it'd be utterly useless anyway, as the host could twiddle whatever bits it wanted in the VM memory at any time). Microsoft are mandating that Secure Boot be available and enabled by default on all Windows 8 OEM machines, including those sold to people for home use.
Couldn't the buyer of an OEM PC with Windows just flash their UEFI with one allowing disabling the Secure Boot?
This would add just one step to the alternative OS setup!
Nobody is saying secure boot is an inherently bad idea that I see. They're saying they should be able to sign their own stuff and load their keys. I want to but a computer and not some glorified appliance so I happen to agree. I also think its a bit shady that other vendors are in a position where for practical purposes they have to pay Microsoft to get signed.
The soylentnews experiment has been a dismal failure.
But no, instead they'll institute this ludicrous dance of keys which will impair the end user's boot experience (which is what UEFI should really be all about) without adding a gram of security (loadable modules at runtime = zero advantage from using "secure" boot).
In the context of a system administrator running a company there are no issues with the feature, In terms of a home market where some users may want to dable in linux etc... There is an issue. Believe it or not not every software hobbyist is also a hardware hobbyest. Not everyone who toys with linux has the choice of what hardware they purchase (say teenagers for instance). Now in business class machines, yes lock them down, set them so that without an administrator key they can only run windows, and microsoft office. The issue is will OEMs provide their customers with the key to allow them to even run linux.
Absolutely, 100%, this. In doing this, M$ is looking out for its bottom line; it is only tangentially interested in your data security, and then only insofar as it affects said bottom line. The only rootkits "in the wild" that M$ is even remotely concerned about are the ones which circumvent its own activation and policing systems.
I would say further then that, I started on linux when I was 13. At that point I didn't have the budget to purchase my own computer parts, heck I wasn't even using the main system for it (If I recall it was an older moved past it's usefulness dell I used). This hurts the next generation, linux has been working in strides to become more user friendly. Currently linux has moved to the point where I could easily hand my mother a linux mint disk, tell her to boot it up and follow the on screen directions, and her have it installed and fully usable in an hour. Now we are talking a new hurdle involving diving into the bios, entering in a certain password (Provided of course the manufacturer actually provides this password, they might not). With steam being ported to linux in the very near future, webapps starting to replace regular programs etc... it is actually reaching a time where linux may truely be viable for the common folk. The OS matters less and less every day.
Hi Guys & Gals,
before you all get worked up, please remember that Ubuntu was founded by Mark Shuttleworth. Mark became a billionaire by running Thawte. Thawte is a certificate authority for X.509 certificates.
My take is he knows a thing or two about such infrastructures and I also think he is a positive influence for the free software world.
have a good day!
All of a sudden, a genuine reason to buy Raspberry Pi! Sparc/PowerPC workstations and laptops back in demand as being "better for business/medicine/science" when consumer x86 hardware is restricted to tablet touchscreen OS! PC vendors pissed off by Surface offer custom desktops/laptops for running Linux and FreeBSD and without Windows 8 support!
I for one welcome our new diverse hardware overlords.
Nobody is saying secure boot is an inherently bad idea that I see. They're saying they should be able to sign their own stuff and load their keys... I also think its a bit shady that other vendors are in a position where for practical purposes they have to pay Microsoft to get signed.
"Paying Microsoft" actually goes entirely to Verisign, as RedHat clarified previously. But besides that, they definitely don't have to - as Ubuntu is talking about doing, they can always run their own key server. Or load their key manually. Or disable the feature on x86 systems.
"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have,...
So that means if my bootcd's that I create or the ones that I have like Hiren's boot cd, bartpe or any other won't work anymore if its not signed by MS ? That means the IT world will get a kick in the balls with this... like Hiren's will pay for the key
Besides, Microsoft made it clear that arm computers which is loaded with windows 8 will make it impossible to disable the UEFI. in other words, no other OS will be possible. Is it me or it's a very bad idea for all of us...except Microsoft which is clear what their intent is with this crap.
I work in a lab where we often need to make a custom build machine. There is no way we will accept any kind of UEFI OS restrictions, nor will we pay an extra fee for their removal. If they wish to do business with us and our partners, then we must have the option to install whatever we like.
This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader.
Whether or not the reasons they gave are bogus, THIS isnt true. There are TONS of rootkits out there that screw with the bootloader, which is why MBRCheck should be a standard part of everyone's rootkit removal kit. If you ever see a machine with a virus, you must assume the bootloader has been tampered with.
Off the top of my head, Sinowal and TDSS come to mind.
The point isn't to protect against bootloader infections, per se. The problem is that if you use a protection mechanism based on one layer being signed (say, signed application code), then it's made irrelevant by attacking one layer lower. So you need to sign from the bottom-most layer all the way up. That means either a signed BIOS or one that can't be changed in software, a signed bootloader, a signed kernel, signed drivers, and signed application code. The purpose of the signed bootloader isn't to protect against bootloader malware that exists now, but to protect against the bootloader malware that would appear if you started relying on a signed kernel.
I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.
So turn off UEFI Secure Boot.
I meant for Microsoft to add that capability to its OWN OS. Obviously it could not enforce such a restriction in Linux; I would think there, if there were a need for such protection, someone could write a kernel module that did the same thing and was an optional component for hardened installations.
What Im saying is that rather than doing this at an EFI level and crippling all OSes, each OS maker should be responsible themselves for making sure that the MBR is untampered with.
Nobody said you can't sign with your own keys. However, doing so (and updating UEFI to accept your keys) is not trivial, and is something the vast majority of the users are not going to want to do. If you are trying to convince people to use your distribution (ie Ubuntu) it is up to you to make it easy, whether that means paying Verisign to sign your stuff or convincing hardware manufacturers to load your key for you.
So what do you propose as an alternative - make the manufacturers ship in non-secure mode, and require the vast majority of users who want to run in secure mode to go through the hassle of enabling it?
Windows 9 will require you to insert your genitals between its spinning blades during the boot process...
From a quick read of this, it sounds like Canonical is basically trying to build a signed chain loader that will make a transition from a Microsoft-signed boot environment to a libre boot environment. Seems to me as if this will be useful not just for Ubuntu, but for pretty much anyone who wants to boot Linux on a Microsoft-encumbered computer.
If that's the case, we'll eventually start to see Debian, Mint, etc. distributions that make use of the Ubuntu boot loader to get the system up and running.
Tired of FB/Google censorship? Visit UNCENSORED!
Make it drop dead easy (think Apples's bootcamp) for consumers to go into "Custom" mode. Also make the interface for this standard so it can be documented as part of the install instructions from the various distros. That's one possibility that springs to mind. I'm sure there are others.
The soylentnews experiment has been a dismal failure.
Don't you worry, the secure boot system is anyway totally compromised to begin with. Anyone with a fake ID and 90 USD will be able to buy a trusted key from Microsoft. This is even more silly than the current CA system.
What you have to understand here, is that Ubuntu is only adding yet another layer of vendor lock. It's not better than the one from Microsoft.
The only REAL and TRUE freedom and equality would have been to ask all users to first type a fingerprint before they can use their computer for the first time. Having keys already installed in the BIOS by default is a pure travesty.
And don't tell me that too hard to do for the average user. There's in fact only 2 categories for which it is the case: blind people and those who shouldn't ever touch a computer anyway.
The MBR lock actually only works for OSs that go through the BIOS calls. That means DOS and... well, that means DOS. The MBR-infecting viruses dated from the DOS days and spread via infected floppy. Leave one in your drive when you turn on the computer and it'd write to your MBR, and then to any floppy inserted.
Your suggestion would [...] require them to figure out how to resize partitions without anybody noticing it.
Because of rounding, statistically nobody is going to notice losing 100 MB of a 500 GB partition.
What's more why the fuck would you use immutable files if you're intention is to use it to hijack the system.
One wouldn't use FreeBSD immutable files to hijack Windows. I was referring to using FreeBSD or Linux to hijack Windows, not to hijacking FreeBSD or Linux.
"So turn off UEFI Secure Boot."
And how long before Microsoft and/or the OEMs start saying you can't do that?
It isn't just plausible its pretty damned obvious. Go to TPB and you'll see they have "Windows 7 all versions pre-activated" DVD which will give you ANY version from Basic to Ultimate and they all get full Windows Updates using the bootloader hack. Since the hack involves using legit OEM bootloaders to shut it down they'd have to blacklist so many OEM desktops and laptops it'd be chaos so they might as well consider Win 7 a total wash when it comes to piracy.
As someone who works in a little PC shop if anybody at MSFT with any clout reads this? i have the solution to Windows piracy without any secureboot crap, ready? Win HP at $50, Win HP family packs at $100. I saw guys who had NEVER had a legit version of Windows buy when you had Win 7 HP at $50, in fact while that was going on I don't remember seeing a pirate version around, they were all legit HP. You jacked up the price and now Craigslist is filled with $100 PCs with $300 copies of Win 7 Ultimate on them.
so take a lesson from valve MSFT, the carrot don't work. Are you forgetting what happened with Vista? You made it originally pretty damned pirate proof, even having a kill switch, remember? it BOMBED because its those same guys that actually know how to pirate that support your ass by telling their families what to buy and supporting them. lets face it you've never made your big money at retail anyway, so selling Win HP at $50 isn't gonna kill you but it WILL turn a lot of pirates into actual paying customers because at $50 frankly it isn't worth the hassle to pirate. I'll be the first to admit the reason my family is running Win 7 HP is the family packs and if it wasn't for the 3 for $100 deal they'd be running hacked pro, paying $100+ a machine for HP when the machines themselves cost $250-$350 a kit? Not worth it. there is a sweet spot MSFT, and I'd argue its Starter at $35, HP at $50, Pro and the family packs at $100.
ACs don't waste your time replying, your posts are never seen by me.
The MBR lock is useless. The fact that dd is able to clone and overwrite the MBR-- the fact that dd even exists-- should answer the question of "why is it useless".
Something like a config option - 'Enable OS installation for one boot cycle.'
If the purpose of secureboot were just to secure the boot process, that's all it'd take. The whole system of key signing is a rather obvious attempt to squeeze all the little players out of the game so the big boys can seize more power and profits.
And how long before Microsoft and/or the OEMs start saying you can't do that?
Not very. And I don't have much hope given the hordes of people on the last article that honestly believed that Microsoft was being altruistic in this and that anyone questioning their motives was a conspiracy theorist/had a low IQ.
And the incentive for anybody to do that is what, exactly? If Microsoft, Red Hat and SuSE sign their stuff, the vast majority of corporate desktops are covered. If Microsoft, Fedora, and Ubuntu sign their stuff, the vast majority of consumers are covered. All without the users having to do anything. The hardware manufacturers don't have to do anything special either, except maybe install a few keys. You are asking the hardware manufacturers to design and implement a standard just to make things easy for a tiny, tiny set of their customers. Ain't gonna happen.
Nobody is saying secure boot is an inherently bad idea that I see.
Secure boot is an inherently bad idea.
It flies in the face of the concept of the machine as a general-purpose reprogrammable computer.
General purpose means user control of all software right down to the firmware.
The line that secure boot is intended to protect against bad guys on the internet is a lie. The way to do that is to harden network connectivity & all applications that access the network.
The line that secure boot is there to protect against other attack vectors such as the insertion of a USB drive with a virus or a virus on a DVD is also a lie. Physical access is total access. The way to protect against these attack vectors is to physically secure the machine.
The intended target of secure boot is the user.
friends don't let friends teleport drunk
Something like a config option - 'Enable OS installation for one boot cycle.'
If the purpose of secureboot were just to secure the boot process, that's all it'd take.
That limitation isn't possible, because the UEFI/BIOS is not a hypervisor. Once something else is running in ring 0 there is no way to prevent it from doing whatever it wants. Implementing those kind of hardware locks would entail a much more serious change to many parts of the PC architecture.
The whole system of key signing is a rather obvious attempt to squeeze all the little players out of the game so the big boys can seize more power and profits.
Despite the above, this statement is probably quite accurate, though. It's certainly a convenient side-effect.
For systems based on one popular architecture, about 6 months ago.
For other architectures, as soon as they think they can get away with it.
Welcome to the Panopticon. Used to be a prison, now it's your home.
$50 windows 7 HP, $100 family pack and I'll upgrade ALL of my machines to Win7 from XP. So, I concur.
If you were me, you'd be good lookin'. - six string samurai
Jesus christ if they dropped a family pack version to $100 I'd buy it in a heartbeat! I've got three personal machines running Windows and I haven't bought a single license because Home Premium is $200. Never mind that I occasionally use something like XP Mode so having Ultimate was helpful. Actually right now a new Win7 HP license on Newegg is $100, presumably due a price drop in the wake of Win8. On the other hand, Win7 HP upgrade (from Vista or XP) is still $120.
It will take generations and countless wars to undo the damage that is currently being done.
Or it will take a signed bootloader that let you then load whatever you want.
That's what Canonical is paying for:
they get EFILinux signed.
EFILinux in turn can load pretty much any kernel you want.
- Either an official distro provided one.
- Or your own compiled linux kernel
- Or another system's kernel (*BSD, ReactOS, etc.)
- Or even a better/bigger bootloader like GRUB's stage2.
What we need now is the legislative framework so Microsoft can't revoke the bootloader without attracting a shitstorm of antimonopoly antitrust suits.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Also surprised with efilinux. It can load from block devices only, which omits network boot. I understand that grub2 GPL3 concerns make sense, but you would think they might go with elilo. It may be less 'active', but it is capable of doing more than efilinux, notably network deployment.
Canonical specifically stated that EFILinux could be used to a non-signed Grub2 (or maybe they could even sign it through their own infrastrucutre if they can make it GPLv3 compliant). On non-SecureUEFI machine, this is supposed to be the default behaviour they want to do (if EFILinux detects that Secure is disabled, it chains straight to Grub2).
The idea is to load the smallest possible bootloader in signed mode and then do everything else you want from that point onward.
Once EFILinux has chained to Grub2, you can do all the crazy cool stuff you want here.
Just think of EFILinux as a special type of stage1 that is compliant for SecureUEFI devices. (Well technically, the UEFI firmware is the stage1, but you got the idea).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
This is trusted computing all over again...
http://en.wikipedia.org/wiki/Trusted_computing
I can't wait for the day I'll have to pay to some company to sign the bash scripts I wrote so I can run them on my own machine...
So, assuming the UEFI loads a signed bootloader, the bootloader can run anything it wants.
Yup, and if you read the phoronix blurb, that's their plan.
Have efilinux run either official canonical kernels, or any custom kernel compiled by the user, or even Grub2 for a more complex boot behaviour (the default behaviour if SecureUEFI is not detected to be active).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
If that's the case, we'll eventually start to see Debian, Mint, etc. distributions that make use of the Ubuntu boot loader to get the system up and running.
...and according to the phoronix blurb even Grub2. (For more complex booting option beyond the small capabilities of efilinux itself).
Just get the EU legal whatdogs involved to hit microsoft with a big legal anti-monopoly hammer, if they ever try to put a "sony-linux" and suddenly decide to revoke the bootloader.
Also, other big players with money (Novell Suse ?) could join the trend and signs other similar boot loaders (elilo got mentionned) to give more such options.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Yeah, I thought about that. There are interesting wrinkles, though.
1) Most of those Ubuntu users would be uneffected. The revocation can only happen if you perform a Windows update. If you never go out of your way to run MS code, they can't damage your computer's operation by revoking your permission to run Ubuntu.
But some people do dual-boot, or may wish to install Ubuntu on a used computer which previously had run Windows plus an update. Here is where it gets really fun.
2) The revocation will have been done by Ubuntu's commercial competitor. Furthermore, Ubuntu paid to have their software certified, and regardless of whatever happened, Ubuntu's bootloader isn't the malware, so Ubuntu has likely not violated any terms. Ubuntu now has a claim against whoever (Microsoft) is maliciously transmitting revocations against harmeless bootloaders. I smell action. OTOH, if these signatures are only offered by signing something saying you won't ever sue if Microsoft for misconduct, then proceed to step 4, below.
3) Furthermore, a user whose computer was damaged by the update, has a claim against MS. For those who run Windows or otherwise get bound by the EULA, the new arbitration thing adds an interesting wrinkle, but not everyone who is harmed by Microsoft will be a Windows user or ever clicked an "I agree" so courts could still get involved.
4) Microsoft has to be offering this cheap ($99) signing service to deal with antitrust fears. If they start revoking competitor's certs for reasons as frivilous as the example you gave, they might as well have faced the antitrust risk head-on.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
First off, this isn't going to effect corporate users at all. This system is not going to be implemented for servers and corporate IT departments will control their own systems (and certainly sign them with they own keys).
As for consumers, the largest current Linux distro is Mint. Unfortunately, according to Fedora, keys will only work with the core distro and not with distros based on that core. This means that Ubuntu, Lubuntu, Kubuntu, Mint, etc. will each need their own keys. Which, in turn, means that the majority of consumer Linux users will not be covered unless each of the largest distros and the large distros based on them receive keys.
The real concern here is not that hardcore Linux users won't be able to circumvent the system, the concern is that it will become more difficult to convert new users to Linux, BSD, etc. in the consumer space.
Personally, I don't think a simple, standardized interface that allows a person to turn off, on and customize their UEFI secure boot would not be too onerous of a requirement for hardware manufacturers.
Secure boot is a fine concept. It just needs to be carried out in a way that no OS maker can possibly exclude another.
Here's a link for an Office license for $0: http://www.libreoffice.org/
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
I don't think malware protection is the main driver of trusted computing. The main driver is allowing others to trust you. For instance, before a site streams a movie to you it can request that your PC attest that it is running a trusted software stack, to ensure that you have not modified the system to enable you to capture the stream on disk. Or before you are allowed access to a sensitive database at your work they can insure that your access is only by approved software.
In order for that goal to be met, there must be remote attestation as to the state of your software. If there is any break in the chain, from boot to application, the remote attestation will fail. That is what secure boot gets you.
Go to TPB and you'll see they have "Windows 7 all versions pre-activated" DVD which will give you ANY version from Basic to Ultimate and they all get full Windows Updates using the bootloader hack.
Just a heads-up for anyone considering going to TPB or any other torrent site and downloading one of these things to install:
Welcome to the botnet.
Every single one of them is infected. The ones that scan clean have simply not had their rootkits entered into the malware databases yet, and it takes a good while for it to happen. Some people download these because they are pre-trimmed and degoobered. Microsoft has its own trimmed down Windows versions, like WinFLP which is spectacularly good for VMs. Use those instead.
Any and all Windowses you acquire should match the MD5 sums available at Microsoft. If it doesn't match, then it's garbage.
It's not difficult to install the loader yourself on a clean copy.
Or you can just forego all the above and install Linux and never have to worry about that bullshit again.
--
BMO
Since the certification requirements for Win8 (on x86) mandate that Secure Boot can be disabled, I predict that the instructions for the Win8 version of Windows Loader (or whatever it is the kids use these days) will be roughly:
1. Disable Secure Boot.
2. Run program, click OK
I also predict that for Win9 MS will change that requirement to its opposite, due to the "overwhelming success of the programme" or somesuch, citing the fact that even Linux vendors have signed on as a "see, we're not evil" argument.
I wonder what's next in the piracy race. A signed Linux kernel, with a small initrd that loads a VM? A signed Linux kernel which executes the loader via kexec? Somehow, I don't think technological solutions to piracy will ever work. As long as people want to pirate, they will find a way to do so. After all, there's no shortage of people who find cracking a new copy protection too good a challenge to pass up.
Proud member of the Ferengi Socialist Party.