Slashdot Mirror


UEFI Secure Boot and Linux: Where Things Stand

itwbennett writes "Assuming that Microsoft doesn't choose to implement Secure Boot in the ways that the Linux Foundation says would work with Linux, there 'will be no easy way to run Linux on Windows 8 PCs,' writes Steven Vaughan-Nichols. Instead, we're faced with three different, highly imperfect approaches: Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu. Approach #2: Work with Microsoft's key signing service to create a Windows 8 system compatible UEFI secure boot key, like Red Hat is doing with Fedora." itwbennett finishes with: "Approach #3: Use open hardware with open source software, an approach favored by ZaReason CEO Cathy Malmrose." When you can't even use a GPLv3 licensed bootloader to boot your system, you might have a problem. Why is everyone so quick to accept the corpse of TCPA in new clothes?

10 of 521 comments

  1. Secure Boot won't catch on by billcopc · · Score: 5, Insightful

    Approach #4: ignore UEFI Secure Boot. It's a blunt solution to an obscure problem. More importantly, it's such a huge pain in the ass, not just for Linux but for ALL system integrators, that anyone actually preventing the user from disabling Secure Boot will end up limiting their own marketability. Two things will happen:

    1. It will be relegated to tiny niches where security trumps usability
    2. It will be cracked

    This is not an either/or. Both things will happen. This whole fiasco is nothing but a huge waste of time for everyone involved.

    --
    -Billco, Fnarg.com
    1. Re:Secure Boot won't catch on by Anonymous Coward · · Score: 5, Informative

      In the past, I would have agreed with you, but hardware DRM is getting pretty good:

      PS3s took almost five years to get cracked, and new PS3s are immune to any holes in them that were used by GeoHot to bust the thing open in the first place.

      Satellite TV has not seen any cracks since the patch several years back which completely fried any "master key" cards.

      The iPhone 4s is barely jailbroken with only userland available. This is with the best minds in the world working on cracking the thing.

      Most Android phones still have locked bootloaders, which nobody has yet been able to get. Newer Android phones actually have a daemon that looks for root process signatures then "bricks" the phone if found until the firmware is reflashed... and with some devices, the reflash is not available to the public.

      So, even though hardware might be in the user's physical control, it nowhere near belongs to the user.

    2. Re:Secure Boot won't catch on by FranTaylor · · Score: 5, Insightful

      We used to call them "general purpose computers"

      We dropped the "general purpose" part at some point, because it seemed redundant at the time.

      Now maybe we need to bring back this term.

      These machines you are talking about are not "general purpose" computers at all.

      It once again goes to show that the Microsoft slogan is "Where do you want to be taken today"

  2. Re:Approach no. 4 - Do nothing by jkrise · · Score: 5, Insightful

    More than XP, I am thinking different flavours of Windows 8. System admins need to wipe off the OEM stuff and install their Enterprise License stuff on new kit. That could be a different flavour of 8 or earlier versions of the OS as well. If they can't do it, they will simply ignore Windows 8 and wait for the next version that removes the restriction of Secure Boot.

    --
    If you keep throwing chairs, one day you'll break windows....
  3. Re:Approach no. 4 - Do nothing by afidel · · Score: 5, Interesting

    WHAT?!? Secure Boot will do nothing to impede enterprise Windows users. You'll either use Windows8/2012 and have a signed boot loader or use 2008R2/7 and disable secure boot. Btw it would also do nothing to impede enterprise Linux users either, they'd either use a commercial signed distribution or build their own and have the build process install their keys into the TPM chip (trust me, enterprises already deal with crypto from internal PKI to external SSL to drive encryption).

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. Re:approach #4 by epyT-R · · Score: 5, Informative

    If ntldr is modified, it won't pass the hash check and the UEFI loader won't execute it.

  5. Re:Approach no. 4 - Do nothing by Anonymous Coward · · Score: 5, Interesting

    System admins need to wipe off the OEM stuff and install their Enterprise License stuff on new kit.

    Most corporate desktop admins are far happier if the machine can be deployed with less mucking around. Just unboxing 1200 new machines is a pain in the ass... if they also have to reimage and reconfigure each new machine (actually easier and more streamlined than unboxing these days, but nonetheless, extra time, extra money they'd rather not spend), they'll not be so joyous, and everything slows down.

    If they can't do it, they will simply ignore Windows 8 and wait for the next version

    Half right... because this, basically, is wise. The other half is they will harden what they have. Microsoft early adopters and fanbois notwithstanding, Microsoft has done nothing to increase the productivity of the office worker since XP/Server 2003/Office 2003. The pitfalls of XP are well known and huge incident databases have been built: nothing can break that doesn't have an immediate fix. Seven and even Vista are still in the early stages of figuring out all the solutions of all that can and does go wrong. I think any large or medium sized corporations still on the 2003 paradigm are fine and well under the budget expenditure of those idiots that needlessly and irrationally raced to upgrade as long as they are in a rotation of reimaging every XP machine every 4-6 months... if their network infrastructure is resilient to the trouble users can get into, they may never need to upgrade these to new systems until the physical machines and their components cease to function.

  6. Re:Approach no. 4 File complaint to D.O.J. by Anonymous Coward · · Score: 5, Insightful

    If this is not an example of Microsoft's monopolistic practices I don't know what is.

  7. EU vs monopolistic behaviour? by Richard_J_N · · Score: 5, Interesting

    Seems to me that this is a very serious violation of the spirit of the antitrust rulings when MS killed Netscape. Why aren't our consumer protection agencies stepping in to forbid MS from doing this?

  8. Re:He's right you know... by Zontar The Mindless · · Score: 5, Informative

    Ever install Vista or Win7?

    Yes. I bought this laptop I'm using a couple of months ago. It dual-boots Win7 and openSUSE 12.1, both of which I installed myself.

    Boot the disk, answer a couple of questions, the installer does the rest...

    First question: Does it have all your device drivers?

    essentially imaging the system to a clean install for a computer that doesn't have Windows installed.

    With none of those applications you go on about.

    Linux is orders of magnitude more difficult to install...

    With apologies to any equines who may be in the audience, that's complete and utter horseshit. To quote your own fine self, installing a modern Linux distro is a case of "Boot the disk, answer a couple of questions, the installer does the rest".

    ...not to mention all the 0.x unfinished apps for supposed Windows app substitutes.

    What Windows apps? You mean the apps *for* Windows that don't actually *come* with Windows that you have to find (and possibly *buy*) and install separately? As opposed to the hundreds (thousands?) of perfectly usable apps available in any halfway respectable Linux distro that you can load as part of the OS installation?

    BTW, the installation of Windows 7 Pro and about a dozen applications which had to be obtained and installed separately (following the OS installation) took almost exactly *twice* as long as the openSUSE installation, which provided *everything* I need for both personal and work use with just 2 exceptions--Skype, and a proprietary app we use at work.

    Oh, and let's not forget cost: the Windows 7 Pro OEM DVD (English) ran me about 1350 SEK (call it US$200); the blank CD on which I burned the Linux network installer was about a dollar and a half (~10 SEK).

    TL;DR: Windows took twice as much time to install, cost me 200 times as much money, and provided about 10% of the software.

    So... You are badly misinformed, deluded, or just plain lying. I'd say it's a bit of all 3.

    What is it with you guys, anyway, that you find Linux so threatening that you have to resort to spewing garbage like this about it?

    --
    Il n'y a pas de Planet B.