Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Linux Foundation's UEFI Secure Boot Pre-Bootloader Delayed

Posted by Soulskill on from the threatening-to-become-post-bootloader dept.

hypnosec writes "The Linux Foundation's plans for releasing a signed pre-bootloader that will enable users to install Linux alongside Windows 8 systems with UEFI have been reportedly delayed. The Foundation proposed a signed pre-bootloader that will chain-load a bootloader which, in turn, will boot the desired operating system, thus keeping Linux installations for novice users as simple as it was before. Further, this particular component is meant for small-time Linux distros which otherwise wouldn't have the required expertise or resources to develop their own system to tackle the secure boot issue. This was going as per plans up until Linux kernel maintainer James Bottomley disclosed that he has been having rather bizarre experiences with Microsoft sysdev centre. Bottomley said, 'The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was "improperly" signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key. I'm not sure how long it will take MS to get their act together but I'm hoping its only a few days." Update: 11/21 14:22 GMT by U L : See the Original weblog post, and one interesting tidbit: Microsoft banned bootloaders licensed under the GPLv3 and "similar open source licenses."

18 of 179 comments (clear)

  1. Somebody should sue Microsoft anyway by Anonymous Coward · · Score: 5, Insightful

    At least in Europe they'd succeed.

    1. Re:Somebody should sue Microsoft anyway by SampleFish · · Score: 3, Insightful

      Why is MS the one signing the bootloader in the first place? Shouldn't there be a neutral root authority like there is for any other certificate in the world? To make Linux developers ask Microsoft to sign their bootloaders sounds like a very clear conflict of interest.

  2. Not surprised by gagol · · Score: 3, Insightful

    Somehow, thay can sign town of apps and drivers on a regular basis, but signing teeny tiny code for FSF got screwed... It only validate, in my opinion, this whole secure boot shit was meant to give alternative OS a hard time.

    --
    Tomorrow is another day...
    1. Re:Not surprised by mwvdlee · · Score: 3, Insightful

      Something about contributing to stupidity instead of malice.
      I'm guessing since MS has to sign these bootloaders for relatively few cases, they're doing it atleast part manually.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. Let me get this straight by DMiax · · Score: 5, Insightful

    So, instead of signing with a scrap key that vendors will ignore they signed essentially with the original one, so that this bootloader will work on any PC that follows the standard? This is so awesome I don't even know at what to laugh first.

    I wish LF just released this bootloader and defuse all this "secure boot" crap. Of course they will play nice and allow Microsoft to save their face... Microsoft incompetence is just appalling. They will probably end up signing malware by accident at some point, but at least you won't be able to run Linux on your PC, so mission accomplished.

  4. Wtf? by ickleberry · · Score: 5, Insightful

    We have to ask Microsoft for permission now before they give us a key that lets us install Linux on our own machines?

    This is seriously not good, lads. They still have the monopoly so we should sue them till the last toothpick in their Redmond HQ are belong to us.

    1. Re:Wtf? by turkeyfeathers · · Score: 5, Insightful

      Or just disable secure boot, which is amazingly easy to do in the first place.

      For now.

    2. Re:Wtf? by kiwimate · · Score: 1, Insightful

      We have to ask Microsoft for permission now before they give us a key that lets us install Linux on our own machines?

      I count three incorrect assumptions in this one statement.

      Short answer: no, and see the other answers as to why it's no.

      Long answer: no, and I'm not really that bothered that someone doesn't know this. What does bother me is that this got modded up to +5 Insightful.

      Remember the days when Slashdot used to have technical people hovering around these pages?

  5. What am I missing? by wonkey_monkey · · Score: 2, Insightful

    So the Linux Foundation, quite rightly, are trying to make available a signed bootloader which will then anyone boot whatever we want without having to disable secure boot - have I got that right? What stops someone monkeying around with the next level of abstraction?

    --
    systemd is Roko's Basilisk.
    1. Re:What am I missing? by Anonymous Coward · · Score: 2, Insightful

      As you have noticed, the system is retarded and unworkable.

  6. Godspeed by Anonymous Coward · · Score: 1, Insightful

    Freedom is getting fucked harder and harder every day.

  7. Of course it was defective. by Anonymous Coward · · Score: 1, Insightful

    Which part of "Microsoft Product" did they not understand?

  8. Microsoft as gatekeeper by lasermike026 · · Score: 4, Insightful

    Microsoft as gatekeeper to PC hardware is a non-starter. You can not have one company determine who will and will not use a PC. When I mean use I mean loading the operating system of the user's choice. That is using a computer, running the programs and operating system that the owner of the computer wants. One company determining how a user will use their computer best example of a monopoly.

  9. Re:Not surprised at all by Paul+Jakma · · Score: 4, Insightful

    What people really want is that their running code is verified to be running the way it is supposed to be. This requires formal proofs of code operation - which is notoriously difficult (and impossible to do generally with arbitrary software). SecureBoot does not give that, it only attests the code image *started* as the one it was supposed to be, according to the trust anchor. SecureBoot can however make the lives of ordinary users difficult. For now, we have the ability to use our own trust anchor, or none at all. Microsoft can't yet afford to block users from running all the non-SecureBoot OSes - as these include older Windows releases.

    It's sad that so many Linux distributions and foundations are going along with this.

    --
    I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  10. Re:I wouldn't worry too much about all this by Anonymous Coward · · Score: 2, Insightful

    It's *already* mandatory for ARM systems.
    So you're the 'borderline retard'.

  11. Re:Not surprised at all by Anonymous Coward · · Score: 5, Insightful

    Secure Boot closes off one nowadays almost completely irrelevant vector for malware, not all of them.

    FTFY.

  12. Re:Microsoft banned GPL in UEFI binaries .. by l3v1 · · Score: 4, Insightful

    What? GPLv3 doesn't allow a binary of the software to be signed with a key? Do you have a citation for that? Cause it sounds... interesting.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  13. Re:Not surprised at all by marcosdumay · · Score: 4, Insightful

    Is there something about UEFI and secureboot that causes many folks' brains to be absolutely switched off?

    No. But it seems there are a few points that you are making an effort to ignore. Because you just quoted them, but still don't acknowledge them.

    --
    Rethinking email