Slashdot Mirror

← Back to Stories (view on slashdot.org)

Matthew Garrett Makes Available Secure Bootloader For Linux Distros

Posted by timothy on from the working-with-the-work-around dept.

TrueSatan writes "Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation/booting of secure boot enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft. Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product."

12 of 274 comments (clear)

  1. Fuck secure boot. by bmo · · Score: 4, Insightful

    I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is aquiescing to the concept and "working with it."

    Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarassed into doing the right thing.

    Secure boot was never about protecting the end user.

    --
    BMO

    1. Re:Fuck secure boot. by budr · · Score: 3, Insightful

      What BMO said. Where's a +10 when you need it.

    2. Re:Fuck secure boot. by zakeria · · Score: 4, Insightful

      exactly; this is just another attempt to stifle and forthcoming competition in the OS development arena and at the same time helping to cement the belief in people that the PC only has one true OS that should be running on the machine namely Microsoft Windows!

    3. Re:Fuck secure boot. by jonwil · · Score: 1, Insightful

      secure boot is in no way "Trusted Computing 2.0" and Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice.

      Also, Secure Boot is very much about protecting the end user. It stops unknown/untrusted/unwanted low-level code running including many of the new breed of viruses that infect the master boot record to make it harder for anti-virus programs to defeat them.

      Now if a manufacturer of x86 PCs started selling PCs where secure boot was on and there was no way to turn it off or to enroll new keys, THEN I would start complaining.

    4. Re:Fuck secure boot. by bmo · · Score: 1, Insightful

      >The free option allows you to generate your own key.

      With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?

      >you're safe from hypervisor malware attacks.

      This is an unrealistic attack and to present it as plausible and likely is laughable, since more mundane and common attacks are far more likely to be an actual problem. It's like recommending that I go outside every day with a hardhat to avoid falling meteors when the actual threat to my safety is people speeding through the neighborhood and not stopping at stop signs as I attempt to cross the street.

      >I'm sure that if the linux community stops shouting

      We should never stop shouting.

      >official distro keys

      The point of Linux for a lot of people is the ability to do your own kernels, your own bootloaders and your own software. This is the key to the rapid evoloution of Linux. Requiring everyone who does this to supplicate at the Altar of Redmond and give burnt offerings of $99 USD, is nuts, insulting, and is clearly an attack designed to take the steam out of the innovation in the Linux world. Fuck that noise.

      >you'll find that a lot of the manufacturers will start pre-installing those keys

      That's a really big IF there, especially since it's known that Microsoft is willing to strong-arm everyone it can.

      >business range machines

      I don't feel like paying for enterprise support for my own personal laptop, and I should not have to just to be able to install my own OS.

      Go away.

      --
      BMO

    5. Re:Fuck secure boot. by recoiledsnake · · Score: 1, Insightful

      I love it how Windows RT tablets(which are supposed to be DoA anyway according to Slashdotters) are somehow "ARM devices" but the iPads and Android tablets, Kindle Fires, Nooks with locked bootloaders with 99% marketshare in mobile are just iPads and Android tablets, Kindle Fires, Nooks. Win32 software which is a big reason for the monopoly won't even run on Windows RT. And then they call for government intervention. Meanwhile Apple is locking everything down but the fanboys keep the discussion down. Why do people get their panties in a twist when it's MS while Apple is decimating freedom by implementing Palladium(see app store) and unable to keep their locked iDevices in stock? Yelling in bold only makes you sound more retarded.

      --
      This space for rent.
  2. Re:How does this work? by schitso · · Score: 4, Insightful

    thus preventing people from using their hardware as they see fit.

    FTFY

  3. Doesn't work by Anonymous Coward · · Score: 4, Insightful

    I happen to have a computer with Secure Boot enabled by default. Matthew Garrett's boot loader doesn't work while Secure Boot is enabled. The reason being that the machine will not (repeat not) boot from any device except the hard drive unless Secure Boot is first disabled. The steps to load any OS, with or without Secure Boot support, goes like this:

    Enter into UEFI control panel.
    Disable Secure Boot
    Enable Legacy boot options
    Enable specific Legacy device, such as DVD drive
    Save settings and reboot.
    Change boot device to DVD

    If Secure Boot is turned on, "Legacy" devices can not be used to boot the computer. Therefore having this boot loader doesn't do any good on machines with Secure Boot enabled. It has to be turned off just to access the installation media.

  4. Re:Clarification by Nerdfest · · Score: 4, Insightful

    Of course you can add to that list:
      - Microsoft still doing things to suppress competition.
      - Apple has joined them.

    They earned that dollar sign. The OS is a bit better behaved than 15 years ago, although NT was pretty quick.

  5. Re:Yay! by Anonymous Coward · · Score: 5, Insightful

    You should never care if it is an AC.

    It is the message that is important, not the messenger. Why, after 11 years of using this site, should I register an account? My words stay the same. All it would be good for is group validation through karma whoring. I'd rather be ignored out of irrational bias than lauded for conforming to groupthink.

  6. Re:How does this work? by LordLimecat · · Score: 4, Insightful

    Why couldnt the romanian hackers use the signed chainloader to load their code?

  7. Re:Yay! by TheRealGrogan · · Score: 2, Insightful

    The signing process is relatively mechanical... Joe Blow could do it (with the proper notarization) and there is no way they can consider the full functionality of the binary that you upload to be signed. You put your credentials on the line, you pay the money, you get your binary certified. If it's bad, then there is someone to go after. The way they have set this up, it can only be reactive.

    The implications of this will not make them happy. I'm betting that you would realize that this is being done for more than just our "safety". They want to make it a pain in the ass to use anything else, especially with Windows RT on ARM (where you can't allow secure boot to be disabled if you want your shiny Windows 8 compliance sticker), where they think they can seize control now at this crossroads. Windows 8 is designed to steer everyone towards the Microsoft Software Store.

    This signed Grub shim is a wildcard, and it only needs to be done once. A barrier has been removed, that will rightly enable others to skip the BS.

    You're right though, given that they followed due process and are not malicious, Microsoft will not be able to do anything about it. It is, however, my opinion that they will complain, as this was not the intent of the signing process.