Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Foundation Offers Solution for UEFI Secure Boot

Posted by Soulskill on from the sidestep-and-ignore dept.

Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome: "The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system." The announcement adds, "The pre-bootloader will employ a 'present user'; test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."

11 of 308 comments (clear)

  1. So why even bother with secure boot by Anonymous Coward · · Score: 5, Insightful

    As per subject

    1. Re:So why even bother with secure boot by Joce640k · · Score: 4, Insightful

      Exactly. Malware authors can use this.

      Not if everything in the startup chain has to be correctly signed ... something which a malware author can't do.

      --
      No sig today...
    2. Re:So why even bother with secure boot by bmo · · Score: 5, Insightful

      Because secure boot has never been about securely booting.

      --
      BMO

    3. Re:So why even bother with secure boot by Hatta · · Score: 4, Insightful

      And I'd be really fucking pissed off if my Linux PC required a user present at the console to reboot. Seriously, how is this a fix?

      --
      Give me Classic Slashdot or give me death!
    4. Re:So why even bother with secure boot by Miamicanes · · Score: 4, Insightful

      >and still find a way to keep the code signed?

      With a certificate bearing the same CN as the original? Low, as long as the bootloader realizes that it's never seen anything signed by s0m3hack3r@foo.to, and presents the user with a dialog that says something like, "You have never booted an OS signed by s0m3hack3r@foo.to, and foo.to is not recognized as a known OSS Organization. Click here to boot into your computer's mini-distro and perform an automated legitimacy lookup (internet access required), or (... options that include 'continue if you trust them' and 'cancel'...)

      For a side trip, boot into a mini Linux burned into flash that can grab an ip via dhcp or connect to wifi with ssid/key stored in flash or entered now & wget a lookup of the CN from the UEFI bootloader's organization. Known malware CNs would be blacklisted & identified as such, others could be further researched using Lynx before either continuing the boot (optionally remembering the CN for future boots) or aborting.

    5. Re:So why even bother with secure boot by spike+hay · · Score: 4, Insightful

      The average computer user is not going to be monkeying around in the BIOS. This is about making life more difficult for non-MS OSes, and reverting the mistake that was the open x86 platform.

      --
      If you don't understand any of my sayings, come to me in private and I shall take you in my German mouth.
    6. Re:So why even bother with secure boot by Cajun+Hell · · Score: 5, Insightful

      Take it easy dude. Let's try to remember what this whole thing is for.

      For all the bitching about secureboot, all currently known (yes, this can change) x86 machines which come with it, allow the user to turn it off. Remember the last 4 times you bought a new computer and, in fact, did diddle with stuff in the firmware, maybe to at least check the timings on your expensive Mushkin memory or whatever? Well, then, this whole article and the software it describes, isn't about you because you're going to turn off secure boot, making every aspect fo this boot loader irrelevant. You won't care about pressing enter, because you won't have to press enter.

      This is for users who won't do that. This is for people who are dumber or lazier than your grandma's ditzy bridge partner, for which we do not expect them to follow any directions or do anything "extra" prior to using their computer. They're not installing headless servers. They're not "picky" except in the sense that they don't want to have to read or understand anything longer than one sentence. They can, and will, press enter.

      The people who are opinionated enough to be "pretty fucking pissed" about pressing enter, will also tend to care enough to do what is needed in order to make pressing enter become unnecessary.

      If there are any people left who become furious about pressing enter, but also feel entitled enough to refuse to turn off secureboot, but also feel entitled enough to refuse to install some other secureboot loader, those people can and should go fuck themselves. Or they can go buy a Mac. Or they can boot Windows, and (think about it) they will never notice that they're not running Linux. Just lie to them and tell them Windows 8 is Linux, and they will believe you, and the lie will never have any consequences because behind the blank smile they gave you when you lied, they already forgot what you said.

      --
      "Believe me!" -- Donald Trump
  2. The solution is simple by Anonymous Coward · · Score: 5, Insightful

    The solution is simple. Simply do not purchase ANY computer that requires secure boot, or does not allow you do disable it!

    Personally, I think this is a "feature" that is going to come back and bite MS in the derriere.. At least I hope so! :-)

  3. For newbies by Chemisor · · Score: 4, Insightful

    Your solution of any value mostly to newbies who are incapable of going to the BIOS and typing in a new signing key (yes, all BIOS manufacturers worth buying, like ASUS, offer this option). I, for one, will not purchase any computer without secure boot. I like having a trusted hardware root. I like the fact that no malware can get in the boot process without my consent.

    1. Re:For newbies by Hatta · · Score: 4, Insightful

      Yeah, that works great until Microsoft deprecates the option for Windows 9 or 10. They've already done so on Windows 8 ARM tablets, why wouldn't they do it on x86 PCs?

      --
      Give me Classic Slashdot or give me death!
  4. Re:Srsly, what is wrong with you people? by Hatta · · Score: 4, Insightful

    Secure boot is a good thing when the owner of the PC has ultimate control over which signatures are valid. But Microsoft has tipped its hand with Windows 8 ARM tablets, and I see no reason not to expect them to lock down secure boot on x86 PCs in the future.

    If this was a vendor neutral initiative, I can see how it would be useful. But this is being done by Microsoft, for Microsoft. This will not end well for open source.

    --
    Give me Classic Slashdot or give me death!