Slashdot Mirror
UEFI Secure Boot and Linux: Where Things Stand
itwbennett writes "Assuming that Microsoft doesn't choose to implement Secure Boot in the ways that the Linux Foundation says would work with Linux, there 'will be no easy way to run Linux on Windows 8 PCs,' writes Steven Vaughan-Nichols. Instead, we're faced with three different, highly imperfect approaches: Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu. Approach #2: work with Microsoft's key signing service to create a Windows 8 system compatible UEFI secure boot key, like Red Hat is doing with Fedora."
itwbennet finishes with: "Approach #3: Use open hardware with open source software, an approach favored by ZaReason CEO Cathy Malmrose." When you can't even use a GPLv3 licensed bootloader to boot your system, you might have a problem. Why is everyone so quick to accept the corpse of TCPA in new clothes?
Just wait for a while. System admins will find it very difficult to install Enterprise Licensed Windows licenses. MS will be forced to cave in, and provide easy mechanisms to do that for early adapters. Just use whatever technique the local PC vendor guy recommends.
If you keep throwing chairs, one day you'll break windows....
Nonsense. People care so long as there is money to be made.
In this case, there isn't much to be made. MS & Canonical have written off the desktop market, and who knows what Apple will be doing next. As such, the lockdowns will continue while the tech sector undergoes decay, up until someone has a brilliant idea that forces the various players to reassess. Since many of them have consulted their crystal balls which say tablets and cell phones are the way of the future, this change is highly unlikely.
I am John Hurt.
There are a lot of people who care. Unfortunately there are not enough people making purchasing decisions based on that.
Modify ntldr to boot to grub automatically and and remove all unnecessary windows components
Lawsuit?
i prefer option 3 too, but...
microsoft wont go out of business but they could very easily marginalize themselves to the point that they are no longer the 800 pound gorilla of the desktop PC market, and more than likely Apple and Linux will grab more userbase, i prefer old school distros like debian & slackware so apple wont be getting any of my money
Politics is Treachery, Religion is Brainwashing
It seems like the obvious way to block this type of stuff is to pass legislation requiring government agencies to only purchase PCs that are free from such encumbrances. The state and taxpayers benefit from keeping their OS options open on new computer hardware and more importantly they represent a large enough percent of total sales to actually get a proper response from manufacturers.
Approach #4: ignore UEFI Secure Boot. It's a blunt solution to an obscure problem. More importantly, it's such a huge pain in the ass, not just for Linux but for ALL system integrators, that anyone actually preventing the user from disabling Secure Boot will end up limiting their own marketability. Two things will happen:
1. It will be relegated to tiny niches where security trumps usability
2. It will be cracked
This is not an either/or. Both things will happen. This whole fiasco is nothing but a huge waste of time for everyone involved.
-Billco, Fnarg.com
(Too many #4 here already, so I'll skip the numbering)
What about clustering all Linux enthusiasts' computers together and cracking Microsoft's signing key, SETI-style? I'm not sure about the mathematics there (taking longer than the galaxy will exist, etc.), but maybe it's possible. Or maybe somebody made a mistake and the key is much weaker than it is thought at the moment (see PS3).
Disable secure boot.
From http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256:
"Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems."
They made disabling secure boot required for the Windows logo on x86 (while probably worried about the threat of an antitrust investigation).
They don't try to make better products, they just try to kill the competition. I see ads for their crap with cool songs, a lizard, and neat apps everywhere but the actual thing doesn't work. Even they can't work it right, as shown by several demos they have done. They seem to recognize it but instead of dealing with it, they just try to eliminate everyone else. Linux has a MUCH better programming environment than anything Microsoft can offer. Even its overall usability (I use Ubuntu) is more intuitive. So Microsoft tries this shit. It's not secure and it's not user-friendly. It's just meant to make Linux harder to install. And I can't support a company that takes this approach. Fuck them. It's a good thing their company is dying. Hopefully more OEMs see this and start offering Linux PC's, but I kind of doubt it.
> Why is everyone so quick to accept the corpse of TCPA in new clothes?
Only softies and people who don't know any better do. Pointing at Apple and saying they lock their phones and tablets too ignores the fact that what they do is also wrong. It's like Timmy beating up Bobby on the playground, and when you beat up Bobby, you point at Timmy and say "well, he was doing it too!"
The rest of us want to punch people in the face for even suggesting TCPA 2.0
--
BMO
We already have hacked BIOSes for far more irrelevant reasons than this. I expect it to become a common thing to just wipe secure boot from the system entirely if this is a problem.
Great Intellect...
1. It will be relegated to tiny niches where security trumps usability
God forbid in this day of malware, server breaches, and root kits, someone should be triumphing that over usability.
People are going to use Windows 8?
um, grub is a bootloader not an operating system, and windows 8 is a operating system (the operating part is disputable) not a bootloader. the windows bootloader can't boot any operating systems other than other versions of windows. your comment does not make any since.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
And what if I want to run my own bootloader and kernel, on a machine I own?
Either (a) you don't treat an ARM tablet as a computer, or (b) you didn't read the ARM part.
Democracy is for the people; you only vote once per season and we'll do the rest of the work for you don't have to.
Mobile devices are where a majority of computing dollars are going (in the consumer world).
I think it may be where it's going soon in the corporate world too, especially with BYOD. If so, Ubuntu may be on to something with their Ububtu for Android kit.
It lets you run your phone/tablet as a portable device, then as a full desktop OS once it's docked with a monitor, mouse and other external peripherals. In the video, they're even showing it running Citrix for some legacy applications.
http://www.ubuntu.com/devices/android
http://en.wikipedia.org/wiki/Ubuntu_for_Android
http://www.youtube.com/watch?v=wzc0uMXGFBY
"I've got more toys than Teruhisa Kitahara."
If this is not an example of Microsoft's monopolistic practices i don't know what is.
Seems to me that this is a very serious violation of the spirit of the antitrust rulings when MS killed netscape. Why aren't our consumer protection agencies stepping in to forbid MS from doing this?
The MS specs require any MS-certified firmware to allow the user to load their own keys. So, if you want to install linux, just generate your own keypair, use it to sign any OSes you want to boot, and install it as a trusted key in your firmware.
Viola, you can still use secure boot, and you can boot whatever you want, and as a bonus not even MS can install something on your hard drive and have it be bootable.
Or you can just disable secure boot.
Distros should just make it easy for users to sign their bootloaders. This should be easy for distros that have the user manually install grub/etc. Or the distro could just supply a pre-signed bootloader and a key for the user to load into their firmware.
Both my wife and my sister have very nice laptops ca. 2009-2010. I used to do an ongoing and significant amount of Windows tech support for both of them.
Nothing in about 2 years. What they have in common: both have iPhones.
I don't live with my sister, so I don't know whether this is absolutely true in her case, but my wife hasn't even opened her laptop in months. I regularly see her using her iPhone for web browsing, Facebook, email, etc. (As in, for several hours a day.) And I have recently done iPhone-related tech support for both (sister: how to upgrade iOS 4 -> iOS 5 to install an app that she needed; wife: replace an iPhone battery that she basically wore out).
I do know that my sister is active on Facebook and she does communicate with me via email, so I'm making the assumption that she and my wife followed basically the same path: get an iPhone and never really use the computer again.
STOP . AMERICA . NOW
If you purchase something purely based on price you are one stupid user. Freedom matters and just because the majority don't understand the issue doesn't mean it doesn't mean the lack of freedom isn't harming them.
The lack of freedom causes so many problems. It prevents competition, it prevents compatibility, it prevents upgradability, it makes common applications obsensely and abusively exspensive.
Now I'm not saying you shouldn't pay the developers. You should contribute. For most people payment is how one contributes. While selling free software may not work terribly well for developers due to the lack of understanding of what free software is and is not contributory models work fairly well if done right. So do agrements between companies supporting free software like ThinkPenguin and Trisquel. Or Google and distributions/web applications. There are other agrements as well. Such as CDs and merchandise. All of these have value and can and do fund free software development.
Then install your own key or disable secure boot. What else could you possibly expect to do? Secureboot isn't an issue for anyone running their own bootloader and kernel.
Forgotten in all of this is that there is no actual value added for the user in all this.
When it's all said and done, from the user's point of view, it's a step backward in usability and utility without providing ANY extra security for the user's data.
Think about it: for an actual boot-sector virus to work, it have to break into your computer already. Well since it's already broken in, why does it need the boot sector? It can just break back in using the same mechanism it used in the first place. Secure boot gets you no extra security.
Notice that Windows had to mandate this, is there any clamor from the user base for computers that are more difficult to use?
Windows 8 is not going enterprise and OEM's need to not lock out XP / Windows 7 as they will lose the enterprise market if they do so.
the MB makers likely will not want to go windows 8 only.
I am very close to buying a laptop from a company that manufactures laptops designed to run linux. Either ZaReason or System76. I am currently using an early 2007 Macbook Pro, which has been a fairly nice machine. However I don't like the way consumer computing is going, and I feel the need to stand up for my right to run a Turing complete computing device. And $800 or so for a laptop isn't too much for me to plop down.
This and no other is the root from which a tyrant springs; when first he appears as a protector - Plato (423 to 327 BC)
I've installed Ubuntu and Mint for a variety of end users -- from football jocks to the elderly to the moderately PC-illiterate. The only time any of them ran into an issue was when they wanted to run Windows software, and even then, I was able to give them a Linux equivalent, and they were fine.
So anyone who says Linux is not "average user" ready, you're just plain wrong. My tech support record flies in the face of that.
There are a few things people forget when they compare sales numbers of desktops vs mobile devices.
A) Most houses have 1 or 2 desktops (shared by the family), but most people have their own smartphone or laptop (since they take it with them to work/school/etc).
B) Desktops tend not to be replaced as often, partially due to them being more powerful/dollar in the first place, and partly because they are SO MUCH easier to upgrade.
C) Desktops cost a LOT less (unless you get a screaming gaming rig) than any other computing device out there, so comparing the *amount* people spend on desktops vs mobiles is pointless.
D) A lot of people that build gaming machines (and even some that don't), build there computers 1 piece at a time, and thus don't get counted as "PC Sales", almost NOBODY does this with laptops, cellphones or tablets.
Mobile devices may be on the rise, but I doubt desktops will dissapear any time soon, at least not until they stop being half the price of a less powerfull laptop!
Unrelated Note: Why won't slashdot's comment boxes resize horizontally in Firefox?
Long ago, towards the end of the last century, desktop computers were BYOD and Visicalc was the killer app. That was the extinction event of the dinosaurs. Now, with new smaller BYODs, the desktop computer is precariously balanced on the edge of its extinction event.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Ever install Vista or Win7?
Yes. I bought this laptop I'm using a couple of months ago. It dual-boots Win7 and openSUSE 12.1, both of which I installed myself.
Boot the disk, answer a couple of questions, the installer does the rest...
First question: Does it have all your device drivers?
essentially imaging the system to a clean install for a computer that doesn't have Windows installed.
With none of those applications you go on about.
Linux in orders of magnitude more difficult to install...
With apologies to any equines who may be in the audience, that's complete and utter horseshit. To quote your own fine self, installing a modern Linux distro is a case of "Boot the disk, answer a couple of questions, the installer does the rest".
...not to mention all the 0.x unfinished apps for supposed Windows app substitutes.
What Windows apps? You mean the apps *for* Windows that don't actually *come* with Windows that you have to find (and possibly *buy*) and install separately? As opposed to the hundreds (thousands?) of perfectly usable apps available in any halfway respectable Linux distro that you can load as part of the OS installation?
BTW, the installation of Windows 7 Pro and about a dozen applications which had to be obtained and installed separately (following the OS installation) took almost exactly *twice* as long as as the openSUSE installation, which provided *everything* I need for both personal and work use with just 2 exceptions--Skype, and a proprietary app we use at work.
Oh, and let's not forget cost: the Windows 7 Pro OEM DVD (English) ran me about 1350 SEK (call it US$200); the blank CD on which I burned the Linux network installer was about a dollar and a half (~10 SEK).
TL;DR: Windows took twice as much time to install, cost me 200 times as much money, and provided about 10% of the software.
So... You are badly misinformed, deluded, or just plain lying. I'd say it's a bit of all 3.
What is it with you guys, anyway, that you find Linux so threatening that you have to resort to spewing garbage like this about it?
Il n'y a pas de Planet B.
You can either use the gnome/KDE settings or /etc/network/interfaces if you use both it tends to stuff up your system, also the network init.d script is obsolete and it says so when you run it.
null
Why does this piss you off? And is it the locking out of other OS's from Apple's hardware, or the fact that no one seemed to care, that's upset you?
When Apple licensed the Mac OS back in the 90's it hurt what little business Apple did have. Apple is, and has always been, a system provider, meaning hardware+software. While selling the Mac OS to run on non-Mac hardware has been tossed around for years, it will never happen since Apple wouldn't sell enough copies to stay in business by selling hardware that can be replaced with a cheap PC.
If you want to run a non-Apple OS on a Mac, that's been possible since 2006.
Nitewing '98
Everything works...in theory.
You make some good points. However consider your "retraining" statement, then look at Windows 8 vs Windows XP. I work at a Fortune 100, and they still deploy new machines downgraded to Windows XP. They're just starting to use Windows 7 and that's because it breaks a lot of things to make that change. Moving from XP to 7, and from Office 2003 to Office 2010 requires massive retraining - so Microsoft no longer has an advantage in saying "you won't have to retrain".
The funny thing about Apple having lost the business sector, it's edging its way back in. In half the meetings I go, people are asking how they can see this or that on their iPads. Our IT department has no choice but to support it.
One strategy to overcome the problem of investment in custom applications is virtualization. WINE may suck for a lot of apps, but full virtualziation works great and many "old school" apps can be delivered via citrix. Once you do that, then everyone with their shiny new ipads can still run all the old software they had before. In fact I manage an app that's delivered this way. As long as they have an OS that the citrix client runs on, then they can use the app I manage (Access 2007 on SQL 2008).
So while more and more of the business users are using iPads or whatevers, more and more apps are being run through systems like citrix or being refactored as web apps.
Now, as a "hacker" I generally like desktops because of all the things you can do with them. But even so, my last 3 "computers" have been laptops/netbooks. But then what do you call the NAS I installed? It runs Linux (or BSD) and is essentially a special-purpose computer. And the media device for getting Netflix and streaming media off my NAS is is just another special-purpose computer. As I'm starting a graduate science program, I am already thinking about how my next "large computer" will be something I will build myself and install in the garage - and I'll access it remotely with my laptop, netbook, or even phone.
The desktop will still be around for a while, but it's a market that will continue to decline. For their computing needs people (and businesses) will be turning more and more to mobile devices and purpose-built computers. Businesses will also have server class machines.
Think about what most people do on computers and there's no longer a need to be chained to a desk in the back room to do those things.
Microsoft will be around even longer than the desktop and you'll still have a job. Indeed while I don't agree with their past business practices I still use some of their products. In fact I have Windows XP running in a virtual computer as I type, so that I can run Office 2007 to do the things that require that. It doesn't even matter what my host OS (it happens to be Linux) because those kinds of details will be come less and less relevant.
However it seems clear to me the that the desktop as a common way of doing computing, is on the way out. It had a good run. I just hope kids in 10 years have a way to experiment with building and modifying their own computing power like I did.
Mod parent up. Of /course/ Desktop sales are on the decline - a P4 is "usable" still, and a C2D is a perfectly good main system.
With computers lasting for a number of years, and there being no reason to upgrade...
Of course, mobile devices may be on the rise, but it's sort of a "comlimentary" device, not a replacement. Sure, some can use it to fully replace their desktop, but those are the people who could be switched to a shiny Linux distro as well.
Except for the fact that it never works.
When I still had an XP machine here, I would use it to search my main machine over the network, because it was faster and actually found things.
Now I use an app called Everything.
haha. Apple has made that frivolous. What jury (be it a judge or real jury) would find Microsoft has a monopoly these days? Apple keeps reminding us how they are the number one now.
Oh and btw, doesn't Apple also restrict what boots and how? to make sure you ONLY buy Apple hardware? Yep, MS keeps 90% of the market, can and WILL dictate to the OEMs how to build their machines, and there is nothing anyone can do about it, thanks to Apple's efforts.
And top it off, MS is getting more into the hardware market, and controlling the software sales channels, they want to be just like Apple. I can't wait to see how it comes out. My guess is both MS and Apple will end up being losers, and guess what, linux will still be a loser also. Something new will come along, dictated by ATT and the Olympic comittee, and the 99% will still be whining about how the 1% controls everything. Nothing will change.
slashdot troll = you make a compelling argument I do not like the implications of.
Well first off most people capable of a server install will be capable of disabling UEFI or self signing so my inclination is no. Right now this is mainly being pushed as a desktop feature. On the other hand once implemented there is no reason that it couldn't be a server feature. Servers are always going to be more diverse hardware and server installs always more complex so people who make server class hardware are likely to offer better instructions for over riding.
I honestly think the Linux desktop people are too worried here.
Linux is completely unusable to the average computer user, so I dont think there is much loss here. Suffering from the same fragmentation as Android and lack of support for so many software companies. No one wants to find stupid workaround back-ass-wards ways to just get they're damn computer working.
Feeding the troll, I know, but still.
Last week I attempted to rescue my friend’s laptop. Some sort of low-end Lenovo. Not even a factory reset made it recognize its own battery, play sound without distortion, or work without staggering for 20 seconds every few minutes. She needs Windows for work, so she set off to buy a new laptop.
I loaded Bodhi Linux on the faulty laptop just to see if the problem was in Windows and related software, or if it was in fact in hardware (as the laptop had worked normally prior to the instant where all of the above problems occurred). Lo and behold, everything works in Linux. And even though Enlightenment is not the most user-friendly of desktop environments, she took to it immediately. She’s amazed with its looks, its speed, and its reliability. And it is now her secondary machine, and not a paperweight.
There are a few details that could and should be polished, but unless you need Windows-specific software, you’ll do just fine with Linux.
Ignore this signature. By order.
I've got nothing? You mean like the thing that you didn't address, but keep throwing fits about, "A PC in every home, running Windows?" You're like a little kid who thinks it cannot be seen because it has the eyes covered -- just because you are unable or unwilling to, you know, catch up, doesn't mean I don't know what I know.
It just means it's STILL waiting there to be addressed by you, if you could just stop crying for a second :D
First off Apple's share of the desktop market in the USA is 8-12% which is about where it was when Microsoft was considered a monopoly. Microsoft's defense at this point might be the existence of a tablet market where they have no presence. But even if one does include tablets Windows still far outsells iOS and OSX combined. Apple targets profitable customers not marketshare.
As for Apple restricting boot. No they don't. In fact they produce and support a multi-platform bootloader for their computers: http://www.apple.com/support/bootcamp/
They also work with parallels and VMware to help people load virtual images of windows.
Apple doesn't mind in the slightest if you buy their hardware and then run someone else's OS on it.
On their iOS devices, iTunes allows you to put any BIOS image in you want.
Apple doesn't lock other OSes from Apple hardware. They in fact write a multi OS bootloader (Bootcamp) and give it away free to make it easy for people to install other OSes. They work with VMWare and Parallels for people who want to run OSes in VMs.
None of what you are saying is true.
First off, learn manners.
Now for lurkers:
start iTunes on your Mac and hold home- and on/off-button on the iphone. connect mac and iphone and keep holding the buttons on the iphone.
the iphone boots in restore-mode, itunes opens up the restore dialog. release the two buttos on the iphone.
hold option-key on the mac and then press "restore" in iTunes. Dialog pops up asking for the firmware to use then point to the new file and you are set.
_________
And of course Apple lets you install apps on iOS without their approval. They don't let you distribute them widely without their approval. But you can install anything you want using iTunes.
What us? Who the fuck is us? There is no us. Microsoft has a voluntary & optional program for putting MS logo on your product.
There is nothing "voluntary" in commerce.
Oh, and monopoly maintenance is illegal even by US corporate-criminal-friendly standards.
And stop with the "poor oss developers" angle. It is a flat out lie. Billions of dollars has been poured into linux development to get it to its current state from the pathetic state it was a few decades ago.
That does not mean, everyone now has to pay for the privilege of not having a great public resource destroyed.
If all the big Linux based services companies can't spend some money so that a simple cryptographic key is included in the UEFI based motherboards so that THEIR CUSTOMERS can have an easy way to install THEIR PRODUCT,
The "big Linux based services companies" are not the only people affected by this. I am a Linux developer, and my ability to contribute to Linux development depends on my access to those keys. Obviously, no amount of money I (or any company that I work for) would pay to Microsoft will ever convince them to trust me with such a key, so I will never be able to do any development on locked-down ARM devices.
they they are just fucking parasites. But maggots like you are useful to them.. keep dancing you little bitch..
Now I want to BRING EVERYONE'S ATTENTION to the quote above. Microsoft shills claim that we, Linux developers and distributors, people who work for the benefit of everyone, are parasites because we don't pay for their masters' extortion scheme, and Microsoft's attempts to control all hardware manufacturers worldwide are somehow justified.
This is the kind of propaganda they are going to flood the media with, and with enough effort it will work. They must be stopped, and the only way to stop them is to destroy their company. We shouldn't care what they will produce, and if any of that will ever become usable, superior or inferior to any other option. This shows their real face, their real goals, their real methods. The whole mankind is their intended victim, and they are an enemy of everyone but themselves.
Contrary to the popular belief, there indeed is no God.