Linux Foundation Offers Solution for UEFI Secure Boot
Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome:
"The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system."
The announcement adds, "The pre-bootloader will employ a 'present user' test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."
Yeah, baby !!
As per subject
We've come this far in our fight against everything Microsoft; why cave in now? Just don't buy products from companies that enforce UEFI.
Apple...You're next.
Forst!
This just got me thinking - can Windows 8 run as a virtual machine, in say, VirtualBox or VMWare player? Will current 'virtual' bootloaders be able to boot it?
I worry more about my inability to install Linux on an iPad...
My book: Friendly F#, fun with game development and XNA; my game: Galaxy Wars by VSTeam; my gamedev language: Casanova.
To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge
Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?
LF became a slave of MS and is now working under its decisions: "the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader". Bad decision.
Never underestimate the dark side of the Source
The solution is simple. Simply do not purchase ANY computer that requires secure boot, or does not allow you to disable it!
Personally, I think this is a "feature" that is going to come back and bite MS in the derriere.. At least I hope so! :-)
When I turn on my PC, it will boot the pre-boot loader, which will then boot grub, which will then boot my initrd which will finally boot Linux. Can we put any more steps in there?
Give me Classic Slashdot or give me death!
Fuck It, I never post on slashdot anymore but I just have to comment on the stupidity of this.
Essentially, this means that this whole damn "Secure Boot" (as if anyone actually believed it was secure) can be circumvented. So, big deal, the Linux Foundation's version has some safeguards etc, etc.
This damn thing is hardware based, so updates will be few and far between. I predict you'll be able to take any executable and "patch" it to run at boot, the same way people have been patching Console video games to run (or at least, used to in the good 'ol Dreamcast days, I've not been active in that scene for quite some time).
Goddamn it. All this shit is is extra complexity, less control over your own system, and a really, really, retarded approach to security. At some point, users will have to take responsibility for what they do on a computer. The less companies try to hide that fact, the faster the security mindedness of the average joe will increase. ... I ain't even mad tho.
I'm ok with the concept of signed code at the hardware level, as long as keys can be totally maintained by the user.
I don't know enough about UEFI though to know what's required to sign binaries. Can Linux be signed? Can software from repositories be signed in a GPG kind of fashion?
If I have to enter a key in the BIOS and sign a kernel with a related key in order to install Linux, I could potentially live with that, and it actually might have a few security uses.
This classic took Microsoft years to develop this technology and it takes the open source community less than a year. I love the power of the open source community.
http://www.thetechnologygeek.org
Because you can compile with slightly different options and now the signature is different and won't boot. You can't sign the changes because the private keys allowed to sign are not given to you and the BIOS needs updating to accept any new ones, so expect to have to prove your existence and pay a LOT of money to get your keys added in to all the UEFI machines.
Boot sector viruses are the rarest form of virus, require root permissions to infect, and aren't especially hard to remove. And we've handed over a big chunk of freedom and made things worse for everyone to fight this minor annoyance (yeah right). This is worse than the computer equivalent of the PATRIOT act.
"When information is power, privacy is freedom" - Jah-Wren Ryel
No true Scotsman jokes about sheep.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Your solution is of any value mostly to newbies who are incapable of going to the BIOS and typing in a new signing key (yes, all BIOS manufacturers worth buying, like ASUS, offer this option). I, for one, will not purchase any computer without secure boot. I like having a trusted hardware root. I like the fact that no malware can get in the boot process without my consent.
Does this fix the Windows 8 ARM tablet problem?
so we put bootloaders in your bootloaders.
Yo dawg!
I heard you like boot loaders. So we put a boot loader in your boot loader so you can boot up while you boot up!
If we make it, we can break it. Making secure boot just more locks to keep honest people out and more headaches for honest people to deal with.
Perhaps the real question here is why do people continue with Windows, when there are other options that have better general security?
Why are you fighting secure boot? Secure boot is a GOOD thing. Making sure your BIOS/UEFI and boot loader haven't been tampered with is a GOOD thing. Let's figure a good way to make Linux work with it. I'm glad that Microsoft is taking this attack vector seriously.
And what exactly compels Microsoft to add this key?
Or add it and fsck it up so that it 'just happens to fail sir'?
And then when this is "addressed" by making it not possible to turn off AT ALL, you now have a sanctioned monopoly of Windows Only PCs. Again.
Now, if this happens, you're STILL in a problem. Why are viruses so "bad"? Because they take your data and delete it. Well if I am the virus writer and I already HAVE your computer, you've already lost. If you are worried about your personal information being taken, if I have your computer then Secure Boot doesn't secure the disk drive from being read and you've already lost.
So what, precisely, does the scare of "what's to stop me installing a compromised version of Windows?" have to do with this if you need to be sitting at the keyboard to install a compromised version of Windows?
Yeah, great. How are non-MS operating systems going to use this mechanism for remotely initiated booting, as in WOL? Does that mean non-MS shops will have night shift "specialists" on-site to press the Any Key whenever required?
Seems to me that MS has finally given Linux the boot :-(
I like my spaghetti with source.
The purpose of Secure Boot is to prevent people from booting non-Microsoft operating systems.
Why on earth would Microsoft sign such a bootloader?
Anyone want to open an over/under line on when this happens?
I'll put $100 on the first patch Tuesday following the heat death of the universe.
To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots.
That seems like a LOT more of a pain in the butt than simply turning off the secure boot option. In fact, it would be a deal breaker for any of my Linux machines that must be able to reboot unattended every time. It's a "solution" to a trumped up problem. There are plenty of legit reasons to hate Microsoft, but this isn't one of them.
The bottom line: UEFI secure boot is not going to be enabled on any machine shipping with Linux unless that distro has the keys themselves. That is most likely the only group of Linux users not savvy enough to change a single setting in the firmware. If someone builds their own p.c. it won't have secure boot enabled. If someone decides to replace the MS os they paid for with Linux, it's not even slightly unreasonable to think they would be capable of changing the necessary firmware setting.
Every Linux distribution I've EVER tried including the "easy" Ubuntu is more complicated to install than changing this setting would be. Silliness...plain and simple.
Sounds like a possible good-bye to automatic and unattended Linux booting (like wake-on-LAN, timer based booting, etc...)
Wouldn't a simpler solution just be to allow the end-user to sign his bootloader?
Once the boot loader is signed, it's trusted until the next time the system is reinstalled.
The idea is, if something replaces the bootloader, it needs to be re-signed by the user. The process of signing could be convoluted and long enough to keep a user from just blindly clicking "sign" (require special boot media, or a jumper to be set on the motherboard).
This will provide all the security benefits of UEFI secure boot, while retaining the user's control of the system.
I won't use anyone's binary blob, even if it is signed by Microsoft and distributed by the FSF. You Asshats are supposed to stand up for Free Software, bending over to MS and enabling the hardware manufacturers to shrug off pressure from end user complaints by giving them this release valve is BAD. Fuck you all, Each and every one.
...now we have to deal with a dummy/shell of a bootloader, which boots the real bootloader, before the OS will even be told to start booting? Come the fuck on--something needs to be done about this, because this is just bullshit. We shouldn't be forced into such unnecessary extra complexity to use our computers that we bought, just because some shitty crooked company decided they want to make everything that runs *their* (read: almost everything) insecure OS a locked-down fortress with the "claim" (hint: yeah, right) that it is being used specifically to stop the spread of malware. There has to be a better solution. Until then, it looks like I will have to stick with x86 machines unfortunately, as much as I would like an ARM-based laptop, until something good is released without Windows... er, I mean, without these restrictions. The Windows tax was bad enough; now we're paying in the form of our freedom to use our computers in the way we want. Thanks, Microsoft. Cocksuckers.
Where is the Windows 7 UEFI boot loader?
Why is it so hard to put every device key in escrow and provide an automated and simple process that allows a user to individually unlock their own device? This escrow could also provide a signing service for any dists on neutral and fair terms that allowed them to replace the bootloader. A locked bootloader is desirable in some regards but it should not be under the control of a single OS vendor.
Apple is attacking the consumer's expectation of software freedom.
The mass market consumer product can have tens of millions, hundreds of millions of users --- and in the case of the Windows PC, a billion or more users --- who quite clearly don't give a s***t about "software freedom" as the geek understands it.
My company is trying to help Microsoft capture that 0% market share. We're spending tons of resources writing and debugging UEFI to do it. While the rest of the company is making boat loads of cash making Android devices.
I repeat it again: if you want to secure the BIOS, put a jumper before the write pin of the EPROM/flash memory/whatever. Those who can't open the case and locate it are surely not qualified for a BIOS upgrade.
It simply does not work that way. Especially on ARM phones and tablets. Most vendors support secure ROM which is hard wired in the chip and requires a signed bootloader to proceed. Usually the vendor just offers a fake bootloader (or a fuse bit) that can then run uboot or whatever so you can get ChromeOS or Android up on the device.
For UEFI, the UEFI firmware itself is signed, and the AP (application processor, another word for CPU) will refuse to boot. There ain't shit you can do about it without replacing the AP.
It's not FUD. If a phone or tablet maker wants to have ARM Windows, they will be required by a licensing agreement to enable all of these security features from the processor vendor. And it will be nearly impossible for a non-technical person to run a free OS on them in a general way. Each device will have to be hacked and exploited in a unique way.
And I really doubt enough models will be compromised early enough to make running Linux on a cheap Windows ARM netbook a practical thing. Unless this ChromeOS thing catches on, you simply won't have a way to do a Linux ARM netbook in the next few years. (Android keeps resisting Netbooks, they don't sell very well).
It sucks to be a Linux user that has to piggy-back on hardware industry for a more popular OS. It sucks worse when Linux gets locked out of the hardware access we have been taking for granted.
Just turn secure boot off FFS. You are able to disable it. If you're going to go through all the trouble to use this work around, what is the actual benefit to the system anymore? Just turn it off.
I have a cure, if for some reason I get a PC with Windows 8 on it I am gonna reformat the HDD and install Windows 7, because Windows 8 sux.
It's so obvious that Microsoft is practicing its monopoly here, why, oh WHY are there no lawsuits? I would gladly pitch in to stop the company I hate more than any other.
Sorry, that test fails my usability test. Any hardware manufacturer that wants to sell me a motherboard that requires I use this can stick their motherboard. I for one have no interest in a device which can never be rebooted remotely and can never bring itself back automatically after a power failure.
In the Intel case this is no more difficult than setting the BIOS date/time, or boot order, this is NOT the ISSUE ... It is the intended lock-in in the ARM market, and these days it is much easier to beat M$ at their own game, just complain to Joaquín Almunia who has succeeded the redoubtable Dr Neelie Kroes.
After another few billion EURO fines Ballmer will fling another chair, and give in.
MFG, omb
I don't give a damn about all this secure boot bullshit, do you have any idea how many decades I've wanted a bootloader bootloader that can boot from cd or usb? For years now, I've had to swear at fucked up BIOSes that couldn't boot from CD to install or couldn't boot from USB. Most recently (~5 years ago) I had a 1U server that I had to open up and hook up an IDE cdrom in because in an effort to save $30 I ordered it without a CD drive and ASSumed the BIOS could boot from a USB cdrom drive I had sitting around. With something like this, I could have dropped the drive in another machine to add the bootloader or installed the bootloader on a floppy or something and spared a LOT of headaches over the years dealing with shitty BIOSes.
Now most of the BIOSes do pretty well, even with USB cdroms, so I don't know that I'll ever need this, but man, if this had been around back then...
How about an HTTP link. GIT can do that.
now we need to go OSS in diesel cars
Frickin' useless for home servers and the like.
> Why on earth would Microsoft sign such a bootloader?
Probably as there are monopoly/anti-trust implications if they don't.
Also FatPhil on SoylentNews, id 863
...Or just refuse to purchase any computer, motherboard, or other product that supports UEFI.
If enough people vote with their money, manufacturers will provide the option.
No it is not. Wherever did you get this idea from!
(gosgog)
Seems to me that some new neck bearded geek just passed coding exams and dreamed up this one...ultimately that means a future lifetime career as a member of that undistinguished well known group...CONGRESS! Where they are always trying to pass ridiculous laws.... or like Obama...the ultimate Yoyo, they use EXECUTIVE ORDER.