UEFI Secure Boot and Linux: Where Things Stand
itwbennett writes "Assuming that Microsoft doesn't choose to implement Secure Boot in the ways that the Linux Foundation says would work with Linux, there 'will be no easy way to run Linux on Windows 8 PCs,' writes Steven Vaughan-Nichols. Instead, we're faced with three different, highly imperfect approaches: Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu. Approach #2: work with Microsoft's key signing service to create a Windows 8 system compatible UEFI secure boot key, like Red Hat is doing with Fedora."
itwbennett finishes with: "Approach #3: Use open hardware with open source software, an approach favored by ZaReason CEO Cathy Malmrose." When you can't even use a GPLv3 licensed bootloader to boot your system, you might have a problem. Why is everyone so quick to accept the corpse of TCPA in new clothes?
Modify ntldr to boot to grub automatically and remove all unnecessary Windows components.
Lawsuit?
I prefer option 3 too, but...
Microsoft won't go out of business but they could very easily marginalize themselves to the point that they are no longer the 800 pound gorilla of the desktop PC market, and more than likely Apple and Linux will grab more userbase. I prefer old school distros like Debian & Slackware so Apple won't be getting any of my money.
Politics is Treachery, Religion is Brainwashing
It seems like the obvious way to block this type of stuff is to pass legislation requiring government agencies to only purchase PCs that are free from such encumbrances. The state and taxpayers benefit from keeping their OS options open on new computer hardware and more importantly they represent a large enough percent of total sales to actually get a proper response from manufacturers.
Approach #4: ignore UEFI Secure Boot. It's a blunt solution to an obscure problem. More importantly, it's such a huge pain in the ass, not just for Linux but for ALL system integrators, that anyone actually preventing the user from disabling Secure Boot will end up limiting their own marketability. Two things will happen:
1. It will be relegated to tiny niches where security trumps usability
2. It will be cracked
This is not an either/or. Both things will happen. This whole fiasco is nothing but a huge waste of time for everyone involved.
-Billco, Fnarg.com
(Too many #4 here already, so I'll skip the numbering)
What about clustering all Linux enthusiasts' computers together and cracking Microsoft's signing key, SETI-style? I'm not sure about the mathematics there (taking longer than the galaxy will exist, etc.), but maybe it's possible. Or maybe somebody made a mistake and the key is much weaker than it is thought at the moment (see PS3).
Disable secure boot.
From http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256:
"Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems."
They made disabling secure boot required for the Windows logo on x86 (while probably worried about the threat of an antitrust investigation).
They don't try to make better products, they just try to kill the competition. I see ads for their crap with cool songs, a lizard, and neat apps everywhere but the actual thing doesn't work. Even they can't work it right, as shown by several demos they have done. They seem to recognize it but instead of dealing with it, they just try to eliminate everyone else. Linux has a MUCH better programming environment than anything Microsoft can offer. Even its overall usability (I use Ubuntu) is more intuitive. So Microsoft tries this shit. It's not secure and it's not user-friendly. It's just meant to make Linux harder to install. And I can't support a company that takes this approach. Fuck them. It's a good thing their company is dying. Hopefully more OEMs see this and start offering Linux PC's, but I kind of doubt it.
More than XP, I am thinking different flavours of Windows 8. System admins need to wipe off the OEM stuff and install their Enterprise License stuff on new kit. That could be a different flavour of 8 or earlier versions of the OS as well. If they can't do it, they will simply ignore Windows 8 and wait for the next version that removes the restriction of Secure Boot.
If you keep throwing chairs, one day you'll break windows....
We already have hacked BIOSes for far more irrelevant reasons than this. I expect it to become a common thing to just wipe secure boot from the system entirely if this is a problem.
Great Intellect...
WHAT?!? Secure Boot will do nothing to impede enterprise Windows users. You'll either use Windows8/2012 and have a signed boot loader or use 2008R2/7 and disable secure boot. Btw it would also do nothing to impede enterprise Linux users either, they'd either use a commercial signed distribution or build their own and have the build process install their keys into the TPM chip (trust me, enterprises already deal with crypto from internal PKI to external SSL to drive encryption).
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
System admins need to wipe off the OEM stuff and install their Enterprise License stuff on new kit.
Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.
If they can't do it, they will simply ignore Windows 8 and wait for the next version
Half right... because this, basically, is wise. The other half is they will harden what they have. Microsoft early adopters and fanbois notwithstanding, Microsoft has done nothing to increase the productivity of the office worker since XP/Server 2003/Office 2003. The pitfalls of XP are well known and huge incident databases have been built: nothing can break that doesn't have an immediate fix. Seven and even Vista is still in the early stages of figuring out all the solutions of all that can and does go wrong. I think any large or medium sized corporations still on the 2003 paradigm are fine and well under the budget expenditure of those idiots that needlessly and irrationally raced to upgrade as long as they are in a rotation of reimaging every XP machine every 4-6 months... if their network infrastructure is resilient to the trouble users can get into, they may never need to upgrade these to new systems until the physical machines and their components cease to function.
Mobile devices are where a majority of computing dollars are going (in the consumer world).
I think it may be where it's going soon in the corporate world too, especially with BYOD. If so, Ubuntu may be on to something with their Ubuntu for Android kit.
It lets you run your phone/tablet as a portable device, then as a full desktop OS once it's docked with a monitor, mouse and other external peripherals. In the video, they're even showing it running Citrix for some legacy applications.
http://www.ubuntu.com/devices/android
http://en.wikipedia.org/wiki/Ubuntu_for_Android
http://www.youtube.com/watch?v=wzc0uMXGFBY
"I've got more toys than Teruhisa Kitahara."
If this is not an example of Microsoft's monopolistic practices I don't know what is.
Seems to me that this is a very serious violation of the spirit of the antitrust rulings when MS killed Netscape. Why aren't our consumer protection agencies stepping in to forbid MS from doing this?
If you purchase something purely based on price you are one stupid user. Freedom matters and just because the majority don't understand the issue doesn't mean the lack of freedom isn't harming them.
The lack of freedom causes so many problems. It prevents competition, it prevents compatibility, it prevents upgradability, it makes common applications obscenely and abusively expensive.
Now I'm not saying you shouldn't pay the developers. You should contribute. For most people payment is how one contributes. While selling free software may not work terribly well for developers due to the lack of understanding of what free software is and is not, contributory models work fairly well if done right. So do agreements between companies supporting free software like ThinkPenguin and Trisquel. Or Google and distributions/web applications. There are other agreements as well. Such as CDs and merchandise. All of these have value and can and do fund free software development.
Windows 8 is not going enterprise and OEMs need to not lock out XP / Windows 7 as they will lose the enterprise market if they do so.
The MB makers likely will not want to go Windows 8 only.
Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.
If you are deploying 1200 new machines Dell or HP or whoever will most likely gladly pre-install your corporate OS image for you. There will be an additional cost for doing so but it's usually much less than having your own desktop support staff doing it.
Any insufficiently advanced magic is indistinguishable from technology.
There are a few things people forget when they compare sales numbers of desktops vs mobile devices.
A) Most houses have 1 or 2 desktops (shared by the family), but most people have their own smartphone or laptop (since they take it with them to work/school/etc).
B) Desktops tend not to be replaced as often, partially due to them being more powerful/dollar in the first place, and partly because they are SO MUCH easier to upgrade.
C) Desktops cost a LOT less (unless you get a screaming gaming rig) than any other computing device out there, so comparing the *amount* people spend on desktops vs mobiles is pointless.
D) A lot of people that build gaming machines (and even some that don't), build their computers 1 piece at a time, and thus don't get counted as "PC Sales"; almost NOBODY does this with laptops, cellphones or tablets.
Mobile devices may be on the rise, but I doubt desktops will disappear any time soon, at least not until they stop being half the price of a less powerful laptop!
Unrelated Note: Why won't slashdot's comment boxes resize horizontally in Firefox?
Actually, if it is 6 or more machines, Dell doesn't even charge for doing that. You just give Dell a preloaded HDD and they use that to image all the machines on your order.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Your future prediction is unrealistic. Where there's a demand, there's a product. One of the major motherboard manufacturers will release a linux-capable board without all this locked down bullshit loaded onto it. You ever hear of these things called cell phones? The makers unlock them so damn fast when their carrier exclusivity contract runs out, it's insane. So with a limited number of boards, then Linux devs will only have a worry about a very narrow amount of drivers to support, which will be a huge improvement over the situation right now. Linux will vastly improve in performance because of it, MS will probably have multiple glitches that lock itself out of booting, viruses will infect the MBR anyway (or whatever this was allegedly supposed to prevent) and Linux will take over the world.
I can't imagine how one word of that would be inaccurate.
Why does this keep popping up? XP won't even boot under UEFI.
DATABASE WOW WOW
People are not as productive with XP/2003 and I dispute that claim. When you have computers that take 8 minutes to be responsive to start up, or inactive for 3 hours every Tuesday due to McCrappy doing a scan limiting 1 app open at a time, can't find files in a share with 10,000 files, help desk putting out fires with rootkits and viruses all day that eats up into productivity.
Sure your friendly beancounter accountant only looks at cost but it is always assumed workers are just as productive regardless of time and equipment.
A modern Windows 7 environment you have instant search and can find things like Acme corp sales distribution 2008 within seconds! The calls for malware go down in half. Your systems do not have Windows rot and get all sluggish. To boot your computers go into sleep mode and you can save millions or at least hundreds of thousands in energy costs.
Your workers can use more functions in Office they didn't know were there either. Sorry ribbon haters but studies show otherwise and after 1 month of using it you will not want to go back. I can just use my keyboard now with Win 7/Office 2010 and hardly use the mouse as much with instant search and the using the numbering shortcuts with the ribbons. It rocks on a laptop too.
Your workers will be spending more time working and getting things done. You really need to sell yourself better at work rather than kiss up with the cost accountants.
http://saveie6.com/
Ever install Vista or Win7?
Yes. I bought this laptop I'm using a couple of months ago. It dual-boots Win7 and openSUSE 12.1, both of which I installed myself.
Boot the disk, answer a couple of questions, the installer does the rest...
First question: Does it have all your device drivers?
essentially imaging the system to a clean install for a computer that doesn't have Windows installed.
With none of those applications you go on about.
Linux is orders of magnitude more difficult to install...
With apologies to any equines who may be in the audience, that's complete and utter horseshit. To quote your own fine self, installing a modern Linux distro is a case of "Boot the disk, answer a couple of questions, the installer does the rest".
...not to mention all the 0.x unfinished apps for supposed Windows app substitutes.
What Windows apps? You mean the apps *for* Windows that don't actually *come* with Windows that you have to find (and possibly *buy*) and install separately? As opposed to the hundreds (thousands?) of perfectly usable apps available in any halfway respectable Linux distro that you can load as part of the OS installation?
BTW, the installation of Windows 7 Pro and about a dozen applications which had to be obtained and installed separately (following the OS installation) took almost exactly *twice* as long as the openSUSE installation, which provided *everything* I need for both personal and work use with just 2 exceptions--Skype, and a proprietary app we use at work.
Oh, and let's not forget cost: the Windows 7 Pro OEM DVD (English) ran me about 1350 SEK (call it US$200); the blank CD on which I burned the Linux network installer was about a dollar and a half (~10 SEK).
TL;DR: Windows took twice as much time to install, cost me 200 times as much money, and provided about 10% of the software.
So... You are badly misinformed, deluded, or just plain lying. I'd say it's a bit of all 3.
What is it with you guys, anyway, that you find Linux so threatening that you have to resort to spewing garbage like this about it?
Il n'y a pas de Planet B.
Nice try, but the breaching of the kernel.org website had no bearing on the integrity of the kernel sources.
Il n'y a pas de Planet B.
Nokia N900 - Commercial, retailed phone, fully open bootloader.
But, your point still stands.
That being said, I fully expect the "unlocked" bios-emulation mode to be around for at least 8 years, if not more - corporate needs XP support. However, the lock would actually be a /good/ thing... if we can install our own keys.
I'm hoping for that sort of support, so corporate IT could sign particular versions of files and/or bootloaders and lock things down. Seems like a step up, there, so long as the accepted key list is editable.
haha. Apple has made that frivolous. What jury (be it a judge or real jury) would find Microsoft has a monopoly these days? Apple keeps reminding us how they are the number one now.
Oh and btw, doesn't Apple also restrict what boots and how? to make sure you ONLY buy Apple hardware? Yep, MS keeps 90% of the market, can and WILL dictate to the OEMs how to build their machines, and there is nothing anyone can do about it, thanks to Apple's efforts.
And top it off, MS is getting more into the hardware market, and controlling the software sales channels, they want to be just like Apple. I can't wait to see how it comes out. My guess is both MS and Apple will end up being losers, and guess what, linux will still be a loser also. Something new will come along, dictated by ATT and the Olympic committee, and the 99% will still be whining about how the 1% controls everything. Nothing will change.
slashdot troll = you make a compelling argument I do not like the implications of.
Damn you had it right and then you had to go and throw in the ribbon LOL!
You are right about Win 7 as I've had my business customers on it since 2010 and it took me on average 20 minutes to show them the new features and then they were off to the races. The improvements over XP are so many when I'm forced to work on an XP machine it feels like going back to Win95, it's just painful. You have 64bit with great driver support so you can have the machines loaded with memory, superfetch actually puts that memory to use by having their programs preloaded into RAM and ready to go, breadcrumbs and jumplists make getting back to where you were the day before a breeze, it's just a better OS.
Now you are wrong about the ribbon, only because you are not taking into account office jocks have been using Office for over a decade and know it like the back of their hand. The ribbon blows muscle memory all to shit and I've watched as people that could fly on 2K3 were brought to a screeching halt thanks to the ribbon. Sure it's great if you've never used Office before, but that isn't their biggest demographic is it? IMHO they should have had a switch at install that let the user choose which layout to have along with a GPO so it could be deployed across the network in whichever config the IT dept wanted.
As for TFA, everyone is worried about this...why exactly? It's Win 8, aka "LOL I iz a cell phone LOL" OS, this thing is gonna go over about as well as Michael Richards at an NAACP luncheon. If you don't want Secureboot in X86 it's a simple switch away, and nobody is gonna buy WOA unless they find it on Woot! at 80% off. Just look at the numbers or lack thereof for WinPhone 7. If they crack higher than 6% on ARM I'll frankly be shocked. Finally let us not forget the EU doesn't like MSFT anyway so if they try to lock X86 they are gonna get hit with so many fines they won't know what hit them.
ACs don't waste your time replying, your posts are never seen by me.
Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.
This isn't even slightly true. Already every corporate re-images every desktop they get because they all come with Windows 7 and their 12 year old Line of Business apps are all certified for Windows XP only. I know for each of our 15000 or so desktops, every one of them gets attached to the network and the first thing that happens is a tech hits F12 and whacks in the provisioning admin credentials to kick off the otherwise completely zero-touch imaging process. I don't know where you get the idea that it's extra time or that configuration is necessary. Deploying Windows over the network can be done with zero intervention.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
If you're turning off UEFI, why are you worried about secure boot?
DATABASE WOW WOW
That type of rootkit was common years ago and still is. Typically they target one of the low level OS components such as the SATA driver, which is loaded before any security stuff and has full access to the entire memory space.
At first anti-virus software couldn't even detect it because the rooted OS was prevented from seeing the file in directory listings or accessing it directly. Eventually they figured out how to get around that, but still couldn't remove the file. Then they figured out how to remove the file when booted into a different OS (i.e. take the HDD out and put it in another machine) but of course that deleted the SATA driver so an XP refresh install was required. That was where I left it when I stopped working in that business.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
First off Apple's share of the desktop market in the USA is 8-12% which is about where it was when Microsoft was considered a monopoly. Microsoft's defense at this point might be the existence of a tablet market where they have no presence. But even if one does include tablets Windows still far outsells iOS and OSX combined. Apple targets profitable customers not marketshare.
As for Apple restricting boot. No they don't. In fact they produce and support a multi-platform bootloader for their computers: http://www.apple.com/support/bootcamp/
They also work with parallels and VMware to help people load virtual images of windows.
Apple doesn't mind in the slightest if you buy their hardware and then run someone else's OS on it.
On their iOS devices, iTunes allows you to put any BIOS image in you want.
They didn't have to crawl or beg, they just asked and Microsoft said yes. Microsoft was anxious to support Ubuntu since they don't want a repeat of the paranoia that surrounded Palladium.
It'd be a lot easier to accept if the task were granted to a company with no stake in the OS market, like Intel.
Most likely there are going to be about 6 signing authorities on the BIOS that ship. Microsoft, someone like Verisign, a few Asian ones, maybe the hardware vendors themselves (i.e. Dell signs for UEFI in Dell's and collects the check). There is no reason to believe Intel, Western Digital (which has played for open standards for decades) or someone unexpected like NVidia won't step forward. I could see IBM who is much more trusted by the Linux community doing it.
First off, learn manners.
Now for lurkers:
Start iTunes on your Mac and hold the home and on/off buttons on the iPhone. Connect the Mac and iPhone and keep holding the buttons on the iPhone.
The iPhone boots in restore mode, and iTunes opens up the restore dialog. Release the two buttons on the iPhone.
Hold the option key on the Mac and then press "restore" in iTunes. A dialog pops up asking for the firmware to use; then point to the new file and you are set.
_________
And of course Apple lets you install apps on iOS without their approval. They don't let you distribute them widely without their approval. But you can install anything you want using iTunes.