Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Foundation Offers Solution for UEFI Secure Boot

Posted by Soulskill on from the sidestep-and-ignore dept.

Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome: "The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system." The announcement adds, "The pre-bootloader will employ a 'present user'; test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."

9 of 308 comments (clear)

  1. So why even bother with secure boot by Anonymous Coward · · Score: 5, Insightful

    As per subject

    1. Re:So why even bother with secure boot by GameboyRMH · · Score: 5, Interesting

      Exactly. Malware authors can use this. So we've come full-circle and only gained a big heap of complexity. Which is the best we could hope for once this idiotic idea got going.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:So why even bother with secure boot by bmo · · Score: 5, Insightful

      Because secure boot has never been about securely booting.

      --
      BMO

    3. Re:So why even bother with secure boot by DRJlaw · · Score: 5, Interesting

      And I'd be really fucking pissed off if my Linux PC required a user present at the console to reboot. Seriously, how is this a fix?

      Because it is a fix for those who cannot or will not use the alternative of entering their own list of acceptable signing keys into the UEFI, which would not require a user present but draws a great hue and cry that it is "too complex" for the average Linux user to accomplish.

      1. Enter your keys into the UEFI key list, walk away; or
      2. Have a user present to acknowledge that they want to boot unsigned/signed-but-not-entered code; or
      3. Don't use a UEFI PC; but not
      4. Prevent the rest of the world from having access to a secure boot chain because you refuse to lift a finger yourself

    4. Re:So why even bother with secure boot by Cajun+Hell · · Score: 5, Insightful

      Take it easy dude. Let's try to remember what this whole thing is for.

      For all the bitching about secureboot, all currently known (yes, this can change) x86 machines which come with it, allow the user to turn it off. Remember the last 4 times you bought a new computer and, in fact, did diddle with stuff in the firmware, maybe to at least check the timings on your expensive Mushkin memory or whatever? Well, then, this whole article and the software it describes, isn't about you because you're going to turn off secure boot, making every aspect fo this boot loader irrelevant. You won't care about pressing enter, because you won't have to press enter.

      This is for users who won't do that. This is for people who are dumber or lazier than your grandma's ditzy bridge partner, for which we do not expect them to follow any directions or do anything "extra" prior to using their computer. They're not installing headless servers. They're not "picky" except in the sense that they don't want to have to read or understand anything longer than one sentence. They can, and will, press enter.

      The people who are opinionated enough to be "pretty fucking pissed" about pressing enter, will also tend to care enough to do what is needed in order to make pressing enter become unnecessary.

      If there are any people left who become furious about pressing enter, but also feel entitled enough to refuse to turn off secureboot, but also feel entitled enough to refuse to install some other secureboot loader, those people can and should go fuck themselves. Or they can go buy a Mac. Or they can boot Windows, and (think about it) they will never notice that they're not running Linux. Just lie to them and tell them Windows 8 is Linux, and they will believe you, and the lie will never have any consequences because behind the blank smile they gave you when you lied, they already forgot what you said.

      --
      "Believe me!" -- Donald Trump
  2. Re:just let microsoft die by GameboyRMH · · Score: 5, Funny

    You target MS before Apple? That's like shooting at a vicious pomeranian nipping at your heels while a wolf is leaping for your throat.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  3. Unsuitable for server use? by Chrisq · · Score: 5, Interesting
    From TFA:

    To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge

    Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?

  4. The solution is simple by Anonymous Coward · · Score: 5, Insightful

    The solution is simple. Simply do not purchase ANY computer that requires secure boot, or does not allow you do disable it!

    Personally, I think this is a "feature" that is going to come back and bite MS in the derriere.. At least I hope so! :-)

  5. No true Scottsman by Dareth · · Score: 5, Funny

    No true Scottsman jokes about sheep.

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling