Linux Foundation Offers Solution for UEFI Secure Boot
Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome:
"The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system."
The announcement adds, "The pre-bootloader will employ a 'present user' test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
Exactly. Malware authors can use this. So we've come full-circle and only gained a big heap of complexity. Which is the best we could hope for once this idiotic idea got going.
"When information is power, privacy is freedom" - Jah-Wren Ryel
To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge.
Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?
Because it is a fix for those who cannot or will not use the alternative of entering their own list of acceptable signing keys into the UEFI, which would not require a user present but draws a great hue and cry that it is "too complex" for the average Linux user to accomplish.
1. Enter your keys into the UEFI key list, walk away; or
2. Have a user present to acknowledge that they want to boot unsigned/signed-but-not-entered code; or
3. Don't use a UEFI PC; but not
4. Prevent the rest of the world from having access to a secure boot chain because you refuse to lift a finger yourself