Slashdot Mirror
SUSE Slowly Shows UEFI Secure Boot Plan
itwbennett writes "One blog post at a time, SUSE is revealing its plan for getting SUSE Linux Enterprise Server (SLES) to boot on machines with UEFI Secure Boot. The short version: 'For now, it seems, SLES will implement an approach similar to that used by Fedora,' writes Brian Proffitt. '[Director of the SUSE Linux Enterprise Olaf] Kirch's first blog entry on Tuesday merely introduced the problem of UEFI Secure Boot. Today's blog only specified the use of the shim bootloader.' Just dying to know what's next? Tune in to the SUSE blog."
How long until firmware yays or nays the OS your trying to install? Windows 8 Tablet is just a baby step into that future...
running on Chromebooks. All source is there. You can download it and study it and build something good on it.
So what are the "open source OS companies" putting all their effort into? Satisfying a closed, proprietary system designed to lock users in. Very disappointing.
I don't get it.
So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?
You know what? Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.
Playing along here is NOT THE ANSWER. Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufactures who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first). They're going to realize this mighty fast and either produce cheaper "Linux" versions of their motherboards without UEFI restrictions (or even better, without UEFI at all)- or just drop the whole Secure Boot thing all together.
Again, playing along with this mockery is the WORST POSSIBLE THING anyone could do. It's like letting the Germans into your country during 1945 because they promised they'd only ask for your papers when you're entering or leaving your own city. How long do you think it'll be until they have the same guards stationed everywhere? Train stations, food stores, clothe stores... How long before you're walking down the street in your own community and you're getting stopped for papers, only blocks away from your house?
I'm sick and tired of people saying "it's only the bootloader man, chill". Yeah, it might be today. What about tomorrow, when they drop the ability to manually disable Secure Boot permanently? What then, huh? Well, then Microsoft has the power to revoke your keys and doom your operating system to death. After everything Linux has been for, after everything Linux has stood for- why the fuck would you EVER want to give Microsoft this power?
Fedora, Ubuntu, and SUSE can kiss my fucking ass. All these distributions are a disgrace. A total fucking disgrace. The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch". So what if your users have to manually disable Secure Boot for now. At least then they'll realize what is going on here and you might actually educate a few of them as to why CLOSED PLATFORMS ARE BAD.
-AC
I'm used to a little bit of healthy paranoia here, but the amount of FUD and flat-out misinformation in Slashdot's UEFI reporting is frankly astonishing. Let's get a few things straight.
UEFI is not a Microsoft technology. It is an industry standard intended intended to replace the archaic x86 BIOS. Microsoft participated in the standard, as did Slashdot favorites Red Hat, Canonical, IBM, and AMD. You can freely download the full specification from the uefi.org website.
Secure Boot is part of the larger UEFI specification. See section 27 for the technical details. Of particular interest to Slashdot readers will be section 27.7 which describes the key update mechanism.
Secure Boot is intended to solve the real-world security problem of boot-time malware. No operating system can defend against malware at boot-time; this would be equivalent to defending against the hardware itself. If it helps, imagine how you would defeat a keylogger embedded in your keyboard.
Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure. (I am defining "full-proof" here to mean the keys and hashes involved are adequately difficuly to brute-force with modern hardware. I am also explicitly discounting scenarios outside of UEFI's area-of-responsibility, such as vulnerabilities in the operating system's signed image.)
For some real irony, see the Slashdot article Windows 8 Secure Boot Defeated. Both the headline and much of the discussion in this article were flat-out wrong. The exploit in question targetted the legacy BIOS and MBR. This is exactly the problem that Secure Boot addresses, and it reinforces the need for this technology.
Secure Boot is not a DRM scheme, nor it is explicitly a tool for Microsoft lock-in. Remember that on x86 platforms, the end-user can edit the key database, and can disable Secure Boot entirely. I concur that Microsoft's treatment of ARM is a dick move, but is also typical for other vendors in that market segment. In either case, remember that Secure Boot is a logical solution to a real-world problem affecting all operating systems, and evaluate it on this merit first.
Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.
Links:
UEFI membership list: http://www.uefi.org/join/list/
UEFI specification: http://www.uefi.org/specs/agreement
Think you can disable it? Think again: who is going to care about your being able to disable it when, eventually, Microsoft requires it to be always on on Intel versions of Windows just like they have done on ARM?
Yeah, I know that. Do you know what random typos are?
I'm getting tired of passive-aggressive gestures of submission by AC's.. I mean, I get it, but still.
The EU would probably stop them.
“Common sense is not so common.” — Voltaire
Think you can disable it? Think again:
Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.
Disabling secure boot, or manually installing a new vendor key, may be easy enough for us. But it adds another large hurdle for joe average user to try another operating system. That alone is reason enough to complain about it and object to it.
As it stands now the UEFI standard doesn't specify how the user can install a custom trusted key.
IMHO, hardware vendors should be required to leave the trusted key set empty from the factory. UEFI should then have a standard prompt to enable secure boot and install a key found on bootable media. If Microsoft were forced to guide the user through the same process that a linux installation would require, this process would get the attention it deserves to make it as user friendly and standardised as possible.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
It is sad that the Linux distributions are bending over so easily, together they might have been a force to be reckoned with... they better f-well not say "we could not have known..." in a few years time, seriously.
What the linux distro distributors have failed to do, the Linux Kernel folks should pick up the slack
Do not forget, there exists a spokeperson for Linux - Linus Torvalds
It's up to Mr. Torvalds to decide which direction Linux should proceed on this UEFI issue
Muchas Gracias, Señor Edward Snowden !
If being able to disable it is part of the UEFI spec, what are those Windows 8 ARM devices using?
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
Think you can disable it? Think again:
Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.
It is part of the spec AT THE MOMENT, but that doesn't mean it will remain part of the spec.
When our name is on the back of your car, we're behind you all the way!
As someone who's gotten Linux to boot on an EFI machine, I can tell you that motherboards do not always implement the full specification.
Generally they do what is necessary to boot Windows, and once that's working, call it good. They have no motivation to test and make sure disabling UEFI works.
"First they came for the slanderers and i said nothing."
It is a different spec for ARM than Intel chips. The ARM version of Windows 8 does not have to maintain backwards compatibility with an existing user base. Intel Windows does have a long pedigree, and the OS will work on systems made in 2002. Given that they are trying to support computers that predate UEFI by a decade, then they can't start insisting on secure boot only.
No, it doesn't, and no, it doesn't.
It does not create any extra protection for IT people to use against their users. If they break into their computers enough to install a boot loader, Secure Boot doesn't stop them from doing anything else, besides installing some unigned Linux distro.
It also won't protect your computer against any trojan or virus that doesn't install a boot loader, and that set is basicaly all of them. There are a few exceptions, of course, boot loader malware exists, it is just very very very rare.
The most visible practical consequence of Secure Boot (the way it is now, ignoring the obvious extension that will make Windows mandatory) is that it will protect your computer against anti-virus and data recovery tools.
Rethinking email