Matthew Garrett Makes Available Secure Bootloader For Linux Distros

TrueSatan writes "Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation/booting of secure boot enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft. Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product."

Yay!

[wgoodman]

I'm really proud of him and I really hope that there is no ensuing lawsuit for violating some sort of propitiatory BS.

Re:Yay!

violating some sort of propitiatory BS

Yeah I really hate all that appeasing the gods BS, too.

Re:Yay!

[Russianspi]

I'm dying for a mod point here. I don't care if you're an AC. That's FUNNY!

Re:Yay!

[philip.paradis]

Given that conciliatory is a synonym for propitiatory, I suspect any scenarios involving Red Hat becoming litigious are unlikely to involve Red Hat acting in a conciliatory fashion on the matter at any point in the next decade or so thereafter.

Re:Yay!

He violated nothing. The better question to ask is "who the hell does MS think it is?" They don't and cannot control the HW manufacturers. Nothing stops independent HW dealers in Asia or wherever from selling directly to consumers. Look at Google, Amazon, and other large companies. They design and buy their HW direct from the manufacturer, cutting out the middle man. Cutting out the middle man is ALWAYS the right thing to do. No one is entitled to a profit. No one has the right to demand I buy from them and their overly-capitalist markup system. Screw all that.

I am going to start looking into buying from the source, even as a consumer. I have the right to buy from the source just like a company. I'm tired of dealing with the MS tax on computers. MS was and is a monopoly. I have used Linux as my home desktop/laptop system since 1998 and now this is happening. Screw any and all who would attempt to even try and dictate my actions with HW I've paid money for.

Re:Yay!

You should never care if it is an AC.

It is the message that is important, not the messenger. Why, after 11 years of using this site, should I register an account? My words stay the same. All it would be good for is group validation through karma whoring. I'd rather be ignored out of irrational bias than lauded for conforming to groupthink.

Re:Yay!

Cutting out the middle man is ALWAYS the right thing to do.

Next time you're sick, I'll call the undertaker.

Re:Yay!

[sethstorm]

Cutting out the middle man is ALWAYS the right thing to do

Unless it comes to the HR department, where the lack of a middleman between a worker and the employer (incorrectly) is considered a problem.

Re:Yay!

[TheRealGrogan]

Here's what's funny. The chainloaded "Grub" boot loader is actually circumventing the secure boot, because it has its own "OS kernel-like" functionality until it passes control over to the kernel components that it's booting. Grub was used to circumvent Microsoft's DRM, and now it will be used to circumvent their secure boot nonsense. I love it.

Grub is way more complex, knowledgeable (figuratively speaking... it's got high level filesystem drivers etc.) and functional than any bootloader Microsoft would envision. They'll be crying foul. Not only will this be used to boot Linux, but it will also allow booting any other OS without signing.

Re:Yay!

[EdZ]

The better question to ask is "who the hell does MS think it is?" They don't and cannot control the HW manufacturers.

The irony is, MS specifically require manufacturers to allow you (the end user) to modify the Secure Boot keys, or they don't get Win8 certification. They're enforcing the exact opposite of what you think they are.

Re:Yay!

[shutdown+-p+now]

Given that it's done with explicit consent from MS (how do you think it got signed?), it would be strange if someone was "crying foul" over it.

Re:Yay!

[Immerman]

Only out of fear of an anti-monopoly response I'm sure. They're requiring the exact opposite (no bypass possible) to certify ARM-based devices.

Re:Yay!

[wallsg]

You should never care if it is an AC.

It is the message that is important, not the messenger. Why, after 11 years of using this site, should I register an account? My words stay the same. All it would be good for is group validation through karma whoring. I'd rather be ignored out of irrational bias than lauded for conforming to groupthink.

Yeah. It's too late to get a low number anyway...

Re:Yay!

[wgoodman]

Hmm. I was really drunk, but I'm still not sure how spell check ended up at that.

Re:Yay!

[EdZ]

True, but ARM devices that aren't locked down are vanishingly rare. On the one hand you have every idevice, almost every Android device, set-top boxes, etc. On the other? A handful of Android devices with officially unlocked bootloaders, the RaspberryPi, and some ARM-based microcontroller-a-likes.

It's a Dick Move, but a Dick Move in line with the Dick Moves of every other portable-ARM-device manufacturer.

Re:Yay!

[thegarbz]

The problem is karma actually provides a good system for weeding out the abusive troll, but not the clever troll. People who register an account and act like many of the ACs here will end up with a very poor default karma and thus their comments will be hidden per default slashdot settings. Yet if you post something completely indifferent you will still end up with karma that gives you a default score of 1 when you post.

That's the only reason I signed up for an account. I had things to say, and they never got read. An AC's default post score means they show up as hidden comments, which is sad because sometimes they can be quite insightful.

Re:Yay!

[kiddygrinder]

most ACs are just trolls, so how is it irrational bias?

Re:Yay!

[Immerman]

Except that every other ARM device/OS manufacturer only wishes they had the monopolistic clout of MS. It's one of those cases where what's "business as usual" for a bit player may be completely unacceptable coming from a major player.

Re:Yay!

[epyT-R]

oh how terrible. Words you were told were 'bad' by your parents/society still cause you such harm that... seriously? Grow a pair.

what part of having/not having an account would prevent overly sensitive sorts like yourself from modding it down? ..and the term 'trolling' now has no meaning because, nowadays, it is mostly used to mislabel statements one doesn't agree with as an ad hom attack.

Re:Yay!

[TheRealGrogan]

The signing process is relatively mechanical... Joe Blow could do it (with the proper notarization) and there is no way they can consider the full functionality of the binary that you upload to be signed. You put your credentials on the line, you pay the money, you get your binary certified. If it's bad, then there is someone to go after. The way they have set this up, it can only be reactive.

The implications of this will not make them happy. I'm betting that you would realize that this is being done for more than just our "safety". They want to make it a pain in the ass to use anything else, especially with Windows RT on ARM (where you can't allow secure boot to be disabled if you want your shiny Windows 8 compliance sticker), where they think they can seize control now at this crossroads. Windows 8 is designed to steer everyone towards the Microsoft Software Store.

This signed Grub shim is a wildcard, and it only needs to be done once. A barrier has been removed, that will rightly enable others to skip the BS.

You're right though, given that they followed due process and are not malicious, Microsoft will not be able to do anything about it. It is, however, my opinion that they will complain, as this was not the intent of the signing process.

Re:Yay!

[kdemetter]

Because what fits for many may not fit for all, and certainly doesn't fit for some.
Anyone who hasn't checked 'Post Anonymously' , throw the first stone.

Re:Yay!

[EdZ]

Apple are the exact definition of a 'bit player' then, I take it?

Re:Yay!

[shutdown+-p+now]

Given the amount of press coverage that this whole story has been getting, I very much doubt that the people in charge of the process are not aware of it. And it's not like there are many of those signing requests coming in. I mean, really, how many other companies would need to sign their bootloader with MS key? all Windows OEMs just use the standard Windows bootloader; I wouldn't be surprised if, so far, this has actually been the first and only such request.

Also, did you actually read about how the signed shim works? It doesn't just quietly chain-load whatever you want. It always prompts the user about what it's doing and why, and it gives them the opportunity to add the key for whatever it is that it's going to load to the UEFI key store - so that for future boots it just works. So it can't be used to silently load any random OS (or malware) The whole scheme is rather elaborate, and it looks like it's a compromise that was worked out between the guy who wrote the shim, and the folks in charge of signing it.

Also, my understanding is that this signature will only work on Intel, not on ARM.

Re:Yay!

[TheRealGrogan]

I didn't say it could randomly load arbitrary code. The grubx64.efi (whether it's actually grub to be chainloaded or something else renamed) gets signed when the user imports the key from disk, so if it's maliciously replaced after that, it would fail to load. I actually did read the whole article (I did try to explain why I think MS won't like this), and all of the comments including new ones that appeared later and I do understand how this works and what it implies. I assumed that I didn't need to parrot the article or comments, because you would have read them too.

The author doesn't believe that they will do so (nor do I) as proper procedure was followed and it's non malicious, but it is acknowledged that it could be pretty short lived if Microsoft blacklists the key.

It was not a compromise between agreeing humans, the signing process is (mostly) automated but yes, I am sure they are aware of it now. We'll see what is said about this.

Yes, you're correct about this particular signed shim being x86 only. But it will be tried for ARM as well, you can bet on that. It is on ARM where something like this will be most needed. We'll see if an ARM bootloader shim survives this signing process.

MS isn't going to like this. Whether they would try to stop it, or could get away with it is another matter. I'll be more curious to see what happens with ARM.

Re:Yay!

[Immerman]

Pretty much. They have, what, a few percent of the "random pocket media gadgets" market? And yes, I'm lumping them in with every gaming handheld, media player, smartphone, etc. because all of those are basically glorified toys. The cell phone market is still massively dominated by flip & feature phones, and the entire smartphone market isn't at all comparable in size or sociological significance to the "real computers" market.

Re:Yay!

[tolkienfan]

I'd bet they'll find some excuse to blacklist the key in the not too distant future, and make it a bit more painful to use a non-windows OS.

Re:Yay!

[mcgrew]

Why, after 11 years of using this site, should I register an account?

Because if you want your comment seen, registering gives you advanteges over AC. ACs start at 0, registered users start at 1. Secondly, you will never see this comment, but if you were a registered user you would be informed that someone replied to your comment. I've had a lot of enlightening conversations with other slashdotters because of this.

Re:Yay!

[RockDoctor]

You should always care if it is an AC.

If someone has insuffucient metaphorical testicles to put their own /.ID to their comments, then the really don't deserve more attention than a fart in the wind.

It is what "AC"-dom expects. And the gutless cowards deserve the contempt that accompanies their pathetic limp-dick-edness.

Re:Yay!

[DirtyLiar]

The chainloaded "Grub" boot loader is actually circumventing the secure boot,

Then it's a violation of their licence, because they specify circumvention of security features as a violation.

Meaning that, according to Microsoft, you will have no right to use their products.

They'll be crying foul.

You bet they will.

How does this work?

[knuthin]

Can anyone explain me like I am 5, how this must be working? Or speculate?

Re:How does this work?

[Kergan]

In simplistic terms, it's a bit like on iOS devices: they'll only boot software that is signed by Apple, thus preventing low-level viruses and such from tampering with the OS.

In more complicated terms, I'll defer to the wiki page.

Re:How does this work?

[schitso]

thus preventing people from using their hardware as they see fit.

FTFY

Re:How does this work?

[Nerdfest]

Right, because you have no right to do that with a device you supposedly own.

Re:How does this work?

Had to look FTFY up, so I'll fix that for you:
definition FTFY: Fixed that for you

Re:How does this work?

[scheme]

Right, because you have no right to do that with a device you supposedly own.

The specs already require that the x86 EFI allows you to load your own key. This is just something to let you install and use linux or other OSes without having to go through the process of loading your own keys into the bios and instead using the ms key that's already been loaded.

Re:How does this work?

[mystikkman]

"thus preventing Romanian hackers from installing undetectable bootkits on your dad's computer"

Fixed that for you

Re:How does this work?

[knuthin]

No. I don't mean UEFI. I mean the bootloader. How can it work without the key that all distributions are supposed to have (the one that first Fedora and later Ubuntu, OpenSUSE and Linux Foundation were paying Microsoft/Verisign for)?

Re:How does this work?

[mystikkman]

This is a losing battle, there are too many uninformed posters who can't understand such technical matters. You reply to one and 5 other posts come up saying the same wrong things and still modded up. This is happening since a year, there's no use. The smart neckbeards have been replaced by 14 year old kids who don't know what they're talking about and only read headlines and other raving modded retarded rants by the likes of BMO.

Re:How does this work?

[Tuoqui]

And we all seen how well it stops people from rooting or jailbreaning iOS devices because an Apple product has never been rooted or jailbroken before.

Re:How does this work?

[Nerdfest]

I understand the issues quite well. The GP seemed to be stating that people have no right to run as root on their own hardware. It was actually unrelated to UEFI. Personally, I don't have that much of a problem with UEFI other than it's Microsoft administering it and it makes it much more difficult for an average user to install Linux (I think that's the actual motive behind it). Hopefully this boot shim will help solve the ease of use issue.

Re:How does this work?

[Narnie]

How long until this becomes a malware feature too? I like what this guy is doing to ensure the x86 platform stays open, but who doesn't see malware loading its own keys?

Re:How does this work?

[Hatta]

If I can load my own OS without entering a key, so can malware. Doesn't this defeat the entire justification for secure boot? Doesn't this prove that secure boot is not about security at all?

Re:How does this work?

[schitso]

If someone's PC gets a bootkit, they're already damn well past the point of having to worry about the MBR.

Re:How does this work?

[Billly+Gates]

What is needed is a pairkey system. THe first seed could be the serial number of the CPU. This way a piece of malware can't sign itself and each set of keys would be different for each PC.

You simply through a EFI utility connect to the internet to a keysigning service and another key is generated to sign the boot image. Easy. Perhaps put a special locked master key that only Intel knows for this process.

Linux, FreeBSD or any other OS can interact with the EFI to upload the key and sign itself in a standard way. Who the hell at Intel thought it was a good idea for WIndows 8 to get the key? Guess what?

If the key is just a string of binary code. It wont take long for someone to find it and then use that string of code to sign their own malware as legit and prevent AV software from deleting it. Just stupid to have one master MS key that anyone can see.

In actuality I like the idea of a signed Windows 7 kernel on my PC if it can reduce malware. Just not having MS do it.

Re:How does this work?

[LordLimecat]

All politics issues aside, it seems like a signed grub loader completely removes all benefits and problems with secure boot-- now a virus could use the signed chainloader to load its own code, and then load windows, which basically makes it as if secure boot didnt exist.

Or am I missing something?

Re:How does this work?

[LordLimecat]

Why couldnt the romanian hackers use the signed chainloader to load their code?

Re:How does this work?

[mjg59]

It'll only boot grub if grub is signed with a key that a physically present user has manually enrolled. If you choose to enrol a key that's been used to sign a grub that'll then boot anything (including viruses) then you're vulnerable, but such a virus would only be able to infect systems with that key installed - anyone who hasn't installed that key still gets the protection.

Re:How does this work?

[AdamWill]

Try reading the OP.

This is a build of shim that's signed by Microsoft. It has particular properties. It is intended to be distributed by small Linux distros, with their own key as config data. When you boot it, it offers you the option to trust a single specific key - the key it was provided to you with. You have to specifically perform a certain operation to trust the key.

What all this wiggling achieves is allow to say 'I trust the entity that provided me with this key to provide an operating system for my machine'. The safeguards prevent it from being used for malware, unless you're _really_ dumb and, when this screen pops up on your system after you install something you didn't think was an operating system, you carefully jump through all the hoops to allow it to nerf your system.

So Microsoft is happy because the malware path is very unlikely to occur, and the Linux distributor is happy because if the person really is installing an alternative OS, all they have to do is navigate a menu once in order to say that OS's key is trusted, and from then on, that OS can function with SB enabled indefinitely.

Clear?

Re:How does this work?

[AdamWill]

It is signed with Microsoft's key.

Re:How does this work?

[AdamWill]

You are missing that it does not automatically trust anything: it requires user interaction to trust a key.

Re:How does this work?

[mystikkman]

Because the one that the article is talking about will show a prompt at boot everytime that the user has to click "Yes" to. It's like sudo or UAC.

Re:How does this work?

[DarwinSurvivor]

That's briliant. I've yet to see a virus that can convince a user to hit an "OK" button!

Re:How does this work?

Oh yeah, it's plenty clear. To run Linux on my ARM device I'm going to have to commit a federal crime by circumventing a digital protection device.

Fuck You and your greedy shithead ways you horrid slimy bastards.

Re:How does this work?

[mjg59]

No, only the first time you install a given key.

Re:How does this work?

They can. The nice thing about the chain of trust in Secure Boot is that if you stop just before untrusted code is run (e.g. stop once you execute the Shim that Matthew Garrett has just released), you can examine exactly what you're booting and know that your system isn't lying to you.

Of course, this is based on the idea that your UEFI isn't compromised. Your UEFI certainly could be compromised, given that it's so enormous and thus almost guaranteed to have bugs. You just have to hope that the Romanian hackers don't feel like writing exploits for each UEFI implementation out there.

Re:How does this work?

[camperdave]

Would you be able to remotely load a disk image?

Re:How does this work?

[kdemetter]

So Trusted Computing all over again ?

Re:How does this work?

[LordLimecat]

, you can examine exactly what you're booting and know that your system isn't lying to you.

You could already do that by stopping the boot prior to loading the MBR code, for example with a bootable disk (Ubuntu, Windows Defender Offline).

Re:How does this work?

[AdamWill]

You mean, 'on your Windows RT device'. Which, if you don't want to deal with the restrictions on, you don't buy. Just like if you don't want to deal with the restrictions on an iPad, you don't buy an iPad.

Re:How does this work?

[mjg59]

Sure. The user shouldn't enrol keys unless they trust whoever provided it and the chain of trust that they assert exists.

Re:How does this work?

[Multiplicity]

No you don't understand. Microsoft isn't administering UEFI, they happen to be the only root signer *for now* because for some reason Red Hat and other who were offered to be root signers too *declined the offer*. So do everyone a favor and please inform yourself before posting, particularly before posting that you are informed.

Re:How does this work?

[Multiplicity]

You better stay duck until you learn a bit more. Lots of admins use sudo, and "sudo su" isn't an ubuntuism, it is a retardism.

RedHat Ftw!

Kudos for Matthew Garrett!

Clarification

[ClaraBow]

Will someone one please clarify for me if we will always be able to buy computers without a securebootloader, or will I have to deal with this shit sometime down the road. Thanks!

Re:Clarification

Well, since Micro$oft requires that any Windoze 8 certified computers must use secure boot, it's very likely you'll get to enjoy this bullshit as well.

Read all about it: http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement/campaigns/secure-boot-vs-restricted-boot

Re:Clarification

[MysteriousPreacher]

Micro$oft and Windoze? Have you recently emerged from 15 years in stasis? To bring you up to date...

Madonna is still shit and now looks like Iggy Pop.
9/11
Year of Linux on the desktop is imminent
The president's black
The Rolling Stones aren't dead
We sent cool shit to Mars
World didn't end but will end again later this month

Re:Clarification

[neokushan]

....I need more mod points.

Re:Clarification

[Nerdfest]

Of course you can add to that list:
  - Microsoft still doing things to suppress competition.
  - Apple has joined them.

They earned that dollar sign. The OS is a bit better behaved than 15 years ago, although NT was pretty quick.

Re:Clarification

I have never been one to steal software, but if I am not going to be allowed to have control over what I run on my machine, I will be downloading W7 and installing it. It is bad enough that we are having to fight fro our freedoms with governments, but to also have to do this with corporations is too much.

Re:Clarification

[serviscope_minor]

And Duke Nukem Forever was released.

Re:Clarification

[BenJury]

Mandated by whom? MS might be requiring it for Windows 8 certification, but thats a far cry from 'all computers'.

Re:Clarification

[MysteriousPreacher]

And Duke Nukem Forever was released.

Steady on there. We don't want to overwhelm him.

Re:Clarification

[DeVilla]

It will be there but it won't cause you any trouble. Windows 8 will boot just fine.

Re:Clarification

[Billly+Gates]

If you refuse to do business with Microsoft you wont be in business very long

Re:Clarification

I built a new PC running Win 8. The second HDD is Linux. When UEFI is on, only Win 8 loads. When UEFI is off, only Linux loads. I have set the BIOS to boot straight into Linux without a key press. It only uses UEFI when I press a function key. Then it boots straight into Windows.

Re:Clarification

[fido_dogstoyevsky]

If you refuse to do business with Microsoft you wont be in business very long

Just the nine years so far...

Re:Clarification

[jader3rd]

Will someone one please clarify for me if we will always be able to buy computers without a securebootloader, or will I have to deal with this shit sometime down the road. Thanks!

Only if you buy computers that have been Windows 8 certified.

Kudos

[cheesybagel]

The man delivered! I really hate not being able to use GRUB or some other bootloader anymore. Why the heck can't I choose what to install on the computer I bought with my own money? Imagine you were Linux Torvalds trying to write your own operating system but in a computer with UEFI enabled.

The way to get the key is also particularly weird. It's like Microsoft has gone out of their way to make it so you need to use Windows to get a key. .CAB files, Silverlight applications, .exe to generate a key, etc.

You can't even choose not to enable UEFI anymore. I bought a 3 TB hard disk recently and the BIOS isn't able to see anything above 2 TB on a non-UEFI system without GPT partitions.

Re:Kudos

[cheesybagel]

s/Linux/Linus/ Sorry dude.

Re:Kudos

[recoiledsnake]

First UEFI != UEFI Secure Boot.

Second, you can turn off Secure Boot in the settings. So, I am guessing the young Mr. Torvalds would be smart enough to do that.

Third, the keys are editable, i.e you can remove Microsoft's key and add your own or Linux's key if you don't trust Microsoft and that'll stop your machine from ever booting Windows. Thus, you're really in control of your computer. The defaults are setup that way to stop undetectable bootkits infecting your mom's computers because just wants to run Excel and doesn't know or care about signing keys and hashes.

There is so much FUD and misinformation being spread by stupid people.

Re:Kudos

[bmo]

But to get your own key, you have to shell out 99 bucks.

That's fucking galling. It's a tax.

--
BMO

Re:Kudos

[jonwil]

No.
The $99 fee is if you want to get stuff signed with the default Microsoft keys (or rather, with a chain-of-trust that ties back to the default Microsoft keys)

Anyone can load new keys into the UEFI boot key-store no problems via the BIOS options.

Re:Kudos

[cheesybagel]

The Microsoft key comes pre-loaded with every BIOS. Try installing your own key in the UEFI boot key store and see how easy that is. Microsoft users just pop in a DVD and install. Linux users can't do that.

Re:Kudos

[neokushan]

I don't suppose you (or anyone else) knows if these options (loading keys, disabling secure boot, etc.) will be available from all OEMs or is it something they can choose to not implement if they want?

I know with Windows RT, it's all locked down with no way to change it but that's not a "real" PC in any term.

Re:Kudos

[PPH]

I know with Windows RT, it's all locked down with no way to change it but that's not a "real" PC in any term.

Right. Its not a "real" PC. Its an ARM based mobile device.

Because Microsoft smells the death of "real" PCs and the market's migration to mobile and to ARM, away from Intel. So, sure, you can still have your beige tower and run whatever OS you want on it.

Re:Kudos

[neokushan]

Apparently I need to qualify my statement further: Windows RT is generally built on some sort of a SoC rather than assembling together components in the traditional sense (CPU, Motherboard, RAM, etc.). Different ARM SoC's tend to use customised code left, right and centre which includes the boot code so it's expected that it'll be as locked down as the likes of smartphones, routers, set top boxes, etc.
At least with traditional x86 PC's, they'll (hopefully) still be made up of off-the-shelf components from people like Gigabyte, Asus, et all.

Re:Kudos

[recoiledsnake]

First, that's to get your own binary get signed with the default installed Microsoft key, so it's meant for distributors, not users who can add/remove keys without any cost.

Also, if you think Microsoft is trying to make any money from the $99 you're sorely mistaken.

Read this and I hope you have enough reading comprehension skills to under the reasoning behind Microsoft's fee.

http://indiegames.com/2012/09/valves_solution_for_steam_gree.html

If there was no fee, every Russian malware author will apply thousand times to get boot keys defeating the whole thing, not to mention the money can be tracked down in the future if the key is maliciously used.

In other words, another bog standard stupid uninformed kneejerk karmawhoring typical retarded Slashdot anti-MS post from you. lurn2read. Don't you feel stupid making such idiotic posts?

Re:Kudos

[recoiledsnake]

First of all, adding keys should NOT be with a simple click or else malware will just instruct users to do that to watch DancingBunnies.exe

Second of all, it isn't that bad, There are GUI screens navigatable with a mouse(unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".

If there are users incapable of doing that, do you really expect to be able to install Linux without blowing through the Windows partition or even search for and install drivers?

Re:Kudos

[PPH]

Well, laptops are usually not built up of components like 'traditional' PCs are. And yet the mandatory lockdown doesn't seem to apply to them. It seems to be a function of ARM/not ARM (Windows RT/not RT) rather than the hardware architecture of the device.

I'd expect the Windows RT architecture for ARM devices to allow for upgrades to drivers and other components for patching purposes as well as to the entire OS for new releases. So, in this sense, the s/w architecture of an ARM device needs to be closer to that of a classic PC rather than a monolithic SoC app.

If Microsoft isn't supporting these capabilities in RT, I suspect that your ARM device will be bricked, or you'll be left behind with old s/w whenever a new Windows version comes out. Never mind trying to load Linux on it.

Re:Kudos

[neokushan]

I don't think laptops are a fair comparison to an SoC. While the components may be generally soldered to the motherboard, they're still based off of discrete components supplied by other parties. The same motherboard can accompany several different CPUs and even different GPUs. They still use the same boot code as their desktop counterparts and things like that.

Still what you're saying is true, RT has to be flexible enough to allow for other components and drivers. I believe Microsoft mandates that this all has to be done via Windows update, though, for whatever that's worth.

Re:Kudos

[mdmkolbe]

Third, the keys are editable ... Thus, you're really in control of your computer.

Not if you are on an ARM instead of Intel. Microsoft's behavior makes it pretty clear they would like to do the same on Intel even if they can't right now.

[Your mom] doesn't know or care about signing keys and hashes.

Which means that it prevents your mom from running alternative operating systems unless that system (1) pays $99 to Microsoft or (2) requires her to fiddle with keys and hashes.

Re:Kudos

[greenbird]

Second of all, it isn't that bad, There are GUI screens navigatable with a mouse(unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".

It's a much bigger deal than apologists are making it out to be. It's a big step in making the switch to Linux MUCH more difficult.

For the last ten years or so Linux has been easier to install on a raw machine then Windows. Microsoft finally came up with a way to reverse that. And of course it has nothing to do with making their OS easier to install.

Also no more booting a live CD/DVD so you can try things out or show them to someone. No more Knoppix STD when you're trying to figure out what crap your mom got on her computer this time or recover data from a flaked hard drive. Etc, etc...

Re:Kudos

[AdamWill]

Except that major distros will have their bootchain signed by Microsoft directly, and small distros can use this version of shim, which is precisely designed - with the co-operation of Microsoft, it is *signed by Microsoft* - to allow small distros which don't want to go to the trouble of directly working with Microsoft to have their bootchain signed to boot on SB systems with the Microsoft key.

You might try reading the OP to understand what this is for, how it works, and who was involved in designing it.

Re:Kudos

[Immerman]

Well, Linux (Ubuntu anyway) has gotten easier than all but the most trivial software installations* on systems with well-supported hardware (which can mostly be verified from the Live CD). Windows... yeah, I wouldn't want trust most folks to pull that off.

*Not including the minor partitioning headaches for a multiboot system. I was actually rather disappointed to discover that 12.10 wanted to default to a "nuke everything and take over the whole hard drive" install despite the existence of a couple 30+GB unallocated regions on the drive. I could have sworn 10.x had defaulted to "shrink the Windows partition if necessary and multiboot", which seems like a much friendlier default. Perhaps the existence of a non-trivial partitioning threw it off, but still, defaulting to wiping the drive?

Re:Kudos

[Immerman]

not to mention the money can be tracked down in the future if the key is maliciously used.

Not that it matters much - if they've managed to get their malicious bootloader signed with MS's key then ALL MS-signed software is now untrustable, as there's only the one key (or perhaps a very small handful, though I think the standard only demands support for one default).

But yeah, guarding against that totally justifies the expense, I'm actually rather surprised it's so low. Not sure that it justifies letting MS play sole gatekeeper, but I'm not sure there's any clear alternative. With luck at least a few other companies (Red Hat? Canonical?) will get vendors to support their keys by default as well so that at least there's a few gatekeepers to guard against future abuse.

Anyone know if the "must be locked down" wording for ARM-based devices precludes recognizing additional keys, or does it just prohibit user-addable keys?

Re:Kudos

[camperdave]

There are GUI screens navigatable with a mouse(unlike BIOS) where you can input/remove keys.

The BIOS on my new machine uses a mouse controlled GUI

Re:Kudos

[greenbird]

Except that major distros will have their bootchain signed by Microsoft directly, and small distros can use this version of shim, which is precisely designed - with the co-operation of Microsoft, it is *signed by Microsoft*

You say this like it's a good thing. That terrifies me even more. That's basically giving Microsoft control of the Linux distros.

Re:Kudos

[strikethree]

Anyone can load new keys into the UEFI boot key-store no problems via the BIOS options.

For now, yes; however, have you actually tested whether or not any other key works?

Fuck secure boot.

[bmo]

I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is aquiescing to the concept and "working with it."

Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarassed into doing the right thing.

Secure boot was never about protecting the end user.

--
BMO

Re:Fuck secure boot.

[budr]

What BMO said. Where's a +10 when you need it.

Re:Fuck secure boot.

If you follow the money, it's actually about protecting IT from corporate users. No more, no less. You don't need a conspiracy to explain it when a billion dollar problem is staring you in the face.

Re:Fuck secure boot.

[zakeria]

exactly; this is just another attempt to stifle and forthcoming competition in the OS development arena and at the same time helping to cement the belief in people that the PC only has one true OS that should be running on the machine namely Microsoft Windows!

Re:Fuck secure boot.

[eexaa]

Don't frown upon this please. It is usually better to first show that any resistance is futile, before politely asking not to put such weird and unusuable features into production machines.

Re:Fuck secure boot.

[bytesex]

Because secure boot actually has real, nice consequences, open source or not?

Re:Fuck secure boot.

[bmo]

There was a time when the community embarassed Intel into not putting serial numbers into their processors.

I miss that time.

We have become soft.

--
BMO

Re:Fuck secure boot.

[jonwil]

secure boot is in no way "Trusted Computing 2.0" and Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice.

Also, Secure Boot is very much about protecting the end user. It stops unknown/untrusted/unwanted low-level code running including many of the new breed of viruses that infect the master boot record to make it harder for anti-virus programs to defeat them.

Now if a manufacturer of x86 PCs started selling PCs where secure boot was on and there was no way to turn it off or to enroll new keys, THEN I would start complaining.

Re:Fuck secure boot.

[bmo]

If you could generate a self-signed key for free, then I would have less of a problem with this.

But to get a key, you have to pay a notary and prostrate yourself before Microsoft and get their blessing, for 99 bucks. It's a tax on kernel builders and hobbyists who compile their own kernels with experimental patches - a tax on progress for BSD, Linux, Haiku, everyone who isn't Microsoft. It's also a hoop to jump through deliberately engineered to scare the less informed and to make it inconveniient to use a different OS for end users.

It doesn't protect end users one bit, because boot loading malware is scarce these days since it's just easier to attack the user with his own permissions, never bothering to escalate from userspace to kernel space. Because it's "good enough." There are enough dumb users out there that will click on anything to get a purple cow for Farmville that engineering a boot hijacker is too much like work for the botnet herder. Basically because there is no antivirus out there that can protect a computer from Layer 8 dumbassery.

It's a tax, an inconvenience, and it does absolutely nothing in reality to protect the end user.

Yet you see no problem with this.

--
BMO

Re:Fuck secure boot.

[digitalaudiorock]

Oh to have mod points!...If people keep working around this crap rather than voting with their wallets they're saying it's OK. Everyone who gives a shit about this MUST refuse to buy any computer with secure boot...period.

Re:Fuck secure boot.

[bmo]

" Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice."

A half truth is a whole lie.

Stop lying.

The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED AND MUST NEVER BE TURNED OFF

Shill.

--
BMO

Re:Fuck secure boot.

[bingoUV]

Yes, Germany has just annexed Austria. Nothing to worry. It is a long way to UK. Germany is sure to attack Poland too, but nothing to worry they are east European bastards that need a good spanking anyway.

Next year : OMG, we lost half RAF to fight Germany, we should have supported Poland /Austria and nipped it in the bud. Too late.

Secure boot is about protecting the end user? Because malware writers are too dumb to follow Matthew's public instructions, right?

Re:Fuck secure boot.

[jonwil]

The whole point is that the bootloader shim will only load further code if the key used to sign that code is in the shim's internal (and unchangeable once the system has actually booted from what I can tell) list of valid keys. Since the malware authors probably dont have any of the keys likely to be in that list, if there is an attempt to boot (via the shim) a piece of malware, the shim bootloader would see that its signed with something not in its database and prompt the user "hey, this isn't signed, do you want to enroll its signing key?"

Re:Fuck secure boot.

Then you should have no problem with this.

The $99 dollar option gets your bootloader signed by Microsoft, with their key.

The free option allows you to generate your own key. This can be manually installed into the UEFI bios, at which point any bootloader you sign with it just works. This offers protection to linux too, as once you install the Debian key or whoever, you're safe from hypervisor malware attacks. I'm sure that if the linux community stops shouting and actually generates and publishes UEFI public keys, you'll find that a lot of the manufacturers will start pre-installing those keys (Dell certainly will on their business ranges)

Re:Fuck secure boot.

[Multiplicity]

No, no, no. You got it wrong.

I hate this whole kerfuffle as much as everybody, but the part about not being able to load self signed keys isn't correct. You can load self-signed keys into the UEFI boot key-store right from the UEFI UI. Of course that will prevent Windows 8+ from booting, but that's another story. You can disable it altogether, with the same result.

So you can either disable secure boot or have your own chain of trust separated from Microsoft and boot other OSes. BUT if you want to boot Windows 8+ you have to enable it and use Microsoft's chain of trust, and is in THAT case, when you want to also boot other OSes you must have the other OSes bootloaders signed by Microsoft.

This shim bootloader represents a convenience to the users of that specific case (which indeed is the most common one). They have a "generic" Microsoft-signed bootloader along with some tools to extend a chain of trust from that bootloader to another one, and this second one won't have to get through the dreaded certification process (which indeed forces you to use Windows).

The problem here is NOT UEFI / SECURE BOOT. The problem is MICROSOFT CERTIFICATION PROGRAM. That's where they boicott the whole industry, and where they should be given a fight. That stupid certification process they combined with a twisted use of the new capabilities of UEFI. Make no mistakes, shouldn't UEFI exist today, they would still be looking for ways to exploit their certification program to make manufacturers do anything they want, just so they can bless them with being "Win compatible". THAT is the great lie right there, by which they have the industry inexplicably grabbed by the balls.

The solution of course would be everyone giving the finger to Microsoft on their fucking certification program, and a more open competition would arise. I very much want to see how long they last on that environment.

Re:Fuck secure boot.

[bingoUV]

Yes, and Microsoft has immunized users against questions from their computer using UAC so the user will say yes, do what you want and let me do my work. So yes, genius.

Re:Fuck secure boot.

[TheLink]

And most of the malware currently out in the wild would be thwarted by secureboot? I doubt it since they exploit stuff (browser, flash, pdf, dumb users) that's nothing to do with secureboot at all.

And by the time the malware has enough power to change the boot up stuff, your OS is so pwned that secureboot will make no difference if the malware author knows what he's doing.

So as far as I can see, it's not about protecting the user.

Re:Fuck secure boot.

[bmo]

>The free option allows you to generate your own key.

With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?

>you're safe from hypervisor malware attacks.

This is an unrealistic attack and to present it as plausible and likely is laughable, since more mundane and common attacks are far more likely to be an actual problem. It's like recommending that I go outside every day with a hardhat to avoid falling meteors when the actual threat to my safety is people speeding through the neighborhood and not stopping at stop signs as I attempt to cross the street.

>I'm sure that if the linux community stops shouting

We should never stop shouting.

>official distro keys

The point of Linux for a lot of people is the ability to do your own kernels, your own bootloaders and your own software. This is the key to the rapid evoloution of Linux. Requiring everyone who does this to supplicate at the Altar of Redmond and give burnt offerings of $99 USD, is nuts, insulting, and is clearly an attack designed to take the steam out of the innovation in the Linux world. Fuck that noise.

>you'll find that a lot of the manufacturers will start pre-installing those keys

That's a really big IF there, especially since it's known that Microsoft is willing to strong-arm everyone it can.

>business range machines

I don't feel like paying for enterprise support for my own personal laptop, and I should not have to just to be able to install my own OS.

Go away.

--
BMO

Re:Fuck secure boot.

[Nerdfest]

I'd like to know why there's all this outrage about this, but iOS devices which are even worse get a pass. Someone above said you can actually install your own key and remove the Microsoft ones as well.

Re:Fuck secure boot.

[Nerdfest]

I'd also like to clarify that by "someone above" I meant a previous commenter, not FSM. Sorry for the confusion.

Re:Fuck secure boot.

[bmo]

>but iOS devices which are even worse get a pass

No they don't, not from the technorati. The lumpenproletariat don't care, but that's because they don't know and don't want to know.

Just because Apple does it doesn't make it right for Microsoft to do it.

"Timmy, stop hitting Audrey on the playground! It's not nice!"
"But moooom, Bobby was hitting Audrey too!"

Fucking schoolyard mentality.

--
BMO

Re:Fuck secure boot.

[Nerdfest]

I'm not saying it's right, I'm saying people should call Apple on it as well. Apple is defended regularly here, which is a somewhat technically literate site.

Re:Fuck secure boot.

[bmo]

You didn't read past his first sentence.

You don't need to infect the boot to hose the user. It's so much easier to hose the user through normal channels - piracy, troans, spyware, annoyware (toolbars, etc) and "legitimate" software that has "we'll hose you when we like" in the privacy statement that never gets read.

Step 1. Take a popular software package. Bundle malware with it that passes the top 10 scanners.
Step 2. Upload to usenet, direct download sites, and torrents.
Step 3. Wait.
Step 4. Botnet. There isn't even a ????????? here.

Infected boots are a minuscule problem.

--
BMO

Re:Fuck secure boot.

[DRJlaw]

I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is aquiescing to the concept and "working with it."

Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarassed into doing the right thing.

We will tolerate no dissent! Not only will we refuse to use this, but we will ensure that nobody who disagrees with us (or simply doesn't give a rat's ass about our fundamentalist take on software freedom) will be able to even have the opportunity to use this!

FREEDOM! (for us, not for you... you're too stupid to be allowed the choice).

Re:Fuck secure boot.

[tepples]

No they don't, not from the technorati. The lumpenproletariat don't care, but that's because they don't know and don't want to know.

The problem here is that marketing a product to the technorati and only the technorati is often unprofitable. The proles dictate what enjoys economies of scale. Otherwise, for example, there would be more video games targeted at members of the technorati who want to replace a video game console with a home theater PC. Instead, because of tradition, video games in console-style genres tend to be released only for PlayStation 3 and Xbox 360 and not ported to the PC, despite that PCs use an operating system that's compatible with the Xbox 360's controllers and APIs, and even Intel's integrated graphics can play a PS3-class game.

Re:Fuck secure boot.

[westlake]

I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is aquiescing to the concept and "working with it."

The community is not united against secure boot. There are real benefits for the user.

One security threat that has been getting a lot of interest lately is the ability to ensure the integrity of the early boot sequence - the handoff of control from the lowest level system firmware (traditionally provided by the hardware vendor) through to the operating system kernel. This is important because there have increasingly been real-world exploits where fraudulently modified early boot code has introduced vulnerabilities into the operating system.

To confront this challenge, the upcoming generation of system firmware, referred to as Unified Extensible Firmware Interface (UEFI) secure boot, has capabilities in the system startup sequence designed to only pass control to operating system software that can be confirmed to be not tampered with. The mechanism used to confirm the integrity of operating system software is not novel, rather it uses traditional key signing and variations of checksumming. While these mechanisms have traditionally been used higher up in the software stack and later in the startup sequence - what is new is the fact that these validation checks are expected to now be available at the earliest points in the system startup sequence. Performing the checks early is crucial as it provides a safe, verified starting point.

UEFI Secure Boot [Tim Burke, vice president, Linux Engineering, Red Hat]

Re:Fuck secure boot.

[Truekaiser]

No. The last time that happened was only because Microsoft was not playing the regulatory capture game. Before the whole bundling internet explorer with windows antitrust case. Microsoft did not lobby that much if at all in Washington.

They have since learned that to not get targeted with any antitrust junk they must lobby the feds. They have done so to the point that many ex Microsoft, and possibly future Microsoft employee's* are running the needed groups that instead of targeting Microsoft for this 'clear' antitrust breach. They are running around trying to bring a case against microsfot's chief rival google over their text ad's.

If you want 'any' sort of antitrust regulation to apply to you. Move to Europe, their system is less corrupt.

*This is how regulatory capture works, People who leave company's lets say in this case a giant software company. Leave on good terms, they only left to work in the government because the government position while temporary offered a better deal. BUT to not burn any bridges, since they know and the companies know they will be going right back to working for them once their position ends. They will do NOTHING to anger them even to the point of doing what the companies say.

Re:Fuck secure boot.

[recoiledsnake]

I love it how Windows RT tablets(which are supposed to be DoA anyway according to Slashdotters) are somehow "ARM devices" but the iPads and Android tablets, Kindle Fires, Nooks with locked bootloaders with 99% marketshare in mobile are just iPads and Android tablets, Kindle Fires, Nooks. Win32 software which is a big reason for the monopoly won't even run on Windows RT. And then they call for government intervention. Meanwhile Apple is locking everything down but the fanboys keep the discussion down. Why do people get their panties in a twist when it's MS while Apple is decimating freedom by implementing Palladium(see app store) and unable to keep their locked iDevices in stock? Yelling in bold only makes you sound more retarded.

Re:Fuck secure boot.

[recoiledsnake]

Why? Where are your rants against Apple locking down the iPad and selling tens of millions a year while PC and laptop sales are declining every quarter and the OEMs are going down? iOS is even worse, you can't run programs on your device without paying 30% to Apple even for content purchased inside the apps. Maybe you have some rants against the Kindle Fire?

crickets

No? That means you're not for Freedom, but just are an anti-MS troll, Apple fanboy or both.

Re:Fuck secure boot.

[recoiledsnake]

which is a somewhat technically literate site

No longer, my friend. It's now all kids who think it's cool to hate on MS and then many run to buy the latest iDevices and then promote it to everyone around them.

It's more about hating on MS and bringing them down than fighting for true user and developer freedom. Since Apple is a rival to MS, it gets a free pass and even promotion on Slashdot even though it goes much farther than Secure Boot and implements the Palladium spec to the letter to all programs running on it with the App Store.

All this uninformed +5 INSIGHTFUL FUD in the thread is a reflection of that. People like BMO are completely out of their technical depth in understanding how keys, hashing, signing, asymmetric cryptography work. They just karmawhore the circlejerking groupthink and get +5 INFORMATIVE. It would be sad if it weren't so pathetically funny.

Re:Fuck secure boot.

[recoiledsnake]

This is an unrealistic attack and to present it as plausible and likely is laughable, since more mundane and common attacks are far more likely to be an actual problem. It's like recommending that I go outside every day with a hardhat to avoid falling meteors when the actual threat to my safety is people speeding through the neighborhood and not stopping at stop signs as I attempt to cross the street

You don't seem know much about malware and how it works. Here are some references about boot malware which UEFI secure boot can prevent.

http://www.chmag.in/article/sep2011/rootkits-are-back-boot-infection

http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/

http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft

I recommend reading atleast the first link.

Here's one juicy bit:

TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.

When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.

The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.

The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.

The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.

TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.

All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.

Another bit:

The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo routine where it monitors for write operations. In case of write operation targeted at the MBR sector, it is changed to read operation. This way it is trying to bypass repair operation by Security Products.

Re:Fuck secure boot.

[bytesex]

It isn't about the kernel - it's about the boot loader. And yes, I agree that there should be a dip switch on the motherboard that disables secure boot (letting this know to the boot loaders, so that they won't boot potentially).

"It's a tax, an inconvenience, and it does absolutely nothing in reality to protect the end user."

Yes it does, it's just that you don't see it. Probably because the end user scenarios that you can think of, don't involve it. But when a box is properly tamper-evident, secure boot does a whole lot to a particular class of machines. For most purposes, it throws a big spanner in the works of the whole 'if you have access to the hardware, you have access to everything' mantra.

Re:Fuck secure boot.

[mystikkman]

If you could generate a self-signed key for free, then I would have less of a problem with this.

Oh please, you can do exactly that.

It's clear by your posts that you're out of your technical depth here inspite of your misinformed rants getting modded up by clueless moderators. Your every new post on this topic shows that you're probably a 14 year old kid who just got his new Macbook and iPad.

May I ask what you do for a living? Or are you afraid to tell us?

Re:Fuck secure boot.

[mystikkman]

The problem here is NOT UEFI / SECURE BOOT. The problem is MICROSOFT CERTIFICATION PROGRAM. That's where they boicott the whole industry, and where they should be given a fight. That stupid certification process they combined with a twisted use of the new capabilities of UEFI. Make no mistakes, shouldn't UEFI exist today, they would still be looking for ways to exploit their certification program to make manufacturers do anything they want, just so they can bless them with being "Win compatible". THAT is the great lie right there, by which they have the industry inexplicably grabbed by the balls.

The solution of course would be everyone giving the finger to Microsoft on their fucking certification program, and a more open competition would arise. I very much want to see how long they last on that environment.

You're close, and much better informed unlike the other modded up posts which are simply put, retarded. But you got a few things wrong.

The motherboard manufacturers and OEMs offered RedHat and others to include their keys. But they or the Linux foundation are too afraid to maintain a key signing infrastructure and to filter malware and are shirking from the responsibility. Perhaps your energy is better directed at making an organization which does key signing instead of just blaming MS for their certification program. The OEMs are certainly willing to help and they have no incentive not to. Solely blaming Microsoft because of Linux organizations etc. not stepping up to the plate is wrong.

Re:Fuck secure boot.

[mystikkman]

Wrong, there is no case for an antitrust trial in the US or Europe in spite of uninformed Slashdot posts. If there was one, FSF Europe would've jumped on it. The technical matters are much different from the stupid modded posts like BMO's which are simply wrong. The FSF lawyers know their legal and technical stuff, Slashdot posters and moderators don't seem to.

Re:Fuck secure boot.

[mjg59]

"With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?"

openssl req -new -nodes x509 -outform DER -out sig.crt -keyout signing_key.priv

And then enrol it with mokutil or MokManager from shim.

Re:Fuck secure boot.

[Multiplicity]

If what you say is true, it would certainly complete the picture.

It still wouldn't mean the certification is not retarded, but it would certainly show the real direction for the FLOSS communities to push for. I began instinctively taking UEFI / SB as something "bad / anti freedom" mainly because of how it was tainted by Microsoft being the only root signer available at the launch of the technology, their certification program, and the inexcusable fact that they forbid disabling SB / managing keys in the ARM platform. But also, and not the least because I completely ignored how the technology works and the background (like BMO and such show clearly here).

There's huge amounts of misinformation, as we can see in this very same thread, where sensationalistic posts like "FUCK UEFI" get all the eyes and everyone goes idiotic "ZOMG DIE MS SHILL" at the slightest attempt of analysis and information gathering that is the basis for any real solution.

All this current whinning crap won't help us to get anywhere, apart from one or two assholes thinking for a day they are raising the glorious flag of freedom. It is imperative that we start educating ourselves and reach consensus towards more robust solutions; IMO this shim is good, for now, as a temporary one. I long for a more robust and permanent solution which I now begin to think could be, like you say, in the form of a signing infrastructure maintained by some big FLOSS player, like EFF/FSF/LF, and with acceptance by the OEMs and manufacturers.

Re:Fuck secure boot.

[EdZ]

If you could generate a self-signed key for free

Not only is this EXACTLY what you can do, the Win8 certification requires OEMs to allow you to do this.

Re:Fuck secure boot.

[DarwinSurvivor]

I thought they only required the OEM to let you disable secure boot, not necessarily add your own key.

Re:Fuck secure boot.

[grantek]

If you follow the money, it's actually about protecting IT from corporate users. No more, no less. You don't need a conspiracy to explain it when a billion dollar problem is staring you in the face.

Then why is Microsoft signing a "click OK to continue" shim that allows corporate users to install their own "untrusted" OS onto a system that only trusts the Microsoft key? Does MS have a more restrictive key that can be installed manually by IT departments? If so, could that be part of an evil plan to then get it onto generic vendor machines?

Re:Fuck secure boot.

[knorthern+knight]

> The OEMs are certainly willing to help and they have no incentive not to.

Howsabout an option to have "null keys"? I.e. no key required? That would help immensly. Such machines wouldn't run Windows, but there'll be enough Chromebooks, linux, etc to form a market. Hopefully I won't have to buy a Raspberry Pi as my next linux machine.

UEFI is a solution looking for a problem. And before anyone mentions disks > 2 terabytes. GPT (GUID Partition Table) can be implemented on BIOS-based machines, allowing (2^64) - 1 sectors (i.e. 9 zetabytes). Mac OS X and Windows 8 implement an arbitrary restriction of allowing it only with UEFI, but that's a corporate monopolist decision, not a technical limitation.

Re:Fuck secure boot.

[bmo]

I have said time and again on here that Apple took the concept of a repository from Linux distros and perverted it into something it shouldn't be. There is no way to add other trusted "stores," i.e, repos to IOS devices. You can't even add Amazon, for example - forget about adding non-commercial repos. This is not what the repo concept is in the Linux world is.

If you had actually ever used Linux from one of the major distros, you would understand this and why it's liked so much and why people like me also despise the concept of the single Apple Store.

The only way to really get more freedom is to root an IOS device, and I always recommend against this for the technologically inept, because of the danger of bricking.

It's also why I don't own an IOS device.

But who a I kidding, you're a self-admitted paid wintroll, and you'll just brush this off as "not typical"

So whatever.

--
BMO

Re:Fuck secure boot.

[mjg59]

It must be possible to install your own keys, but that may be implemented by allowing you to clear the platform key and switch back to setup mode.

Re:Fuck secure boot.

[dch24]

Please join us on coreboot.org. We especially need more laptops.

Re:Fuck secure boot.

[epyT-R]

except that won't solve anything.. Even the people who know nothing about secureboot benefit from the actions of those that do, so it DOES matter. This shouldn't be treated as a popularity contest.

Re:Fuck secure boot.

[DarwinSurvivor]

Ah, thanks.

Re:Fuck secure boot.

[sjames]

I agree it was never about the end user and it is the camel's nose coming through the tent flap. I do think this move is useful though. It pretty much demonstrates that secure boot cannot possibly serve the claimed purpose.

The sad thing is that secure boot COULD be a good thing if implemented by people with the right motives under strict guidelines.

Rule #1, it must be OFF by default. Rule #2, each BIOS should have a unique key. Rule #3, if the user should choose to enable it, he/she must command the BIOS to either sign the bootloader OR sign an OEM key that has signed the bootloader (at the user's choice). Any UEFI key management software should conform to open standards and the reference implementation must be free software.

As far as the law goes, if the USER cannot manage the keys for the secure boot, it should be fraud to claim to sell the device to the user. The owner of the device is the entity that controls the keys.

Re:Fuck secure boot.

[sjames]

Actually, no. I object to those devices having locked bootloaders as well. I applaud those who figure out how to break the lock.

Re:Fuck secure boot.

[bmo]

>The owner of the device is the entity that controls the keys.

THIS.

--
BMO

Re:Fuck secure boot.

[TheLink]

I said: "by the time the malware has enough power to change the boot up stuff, your OS is so pwned that secureboot will make no difference if the malware author knows what he's doing."

Yes if the malware changes the boot up stuff it will get detected and the firmware won't run it. But the point is by the time the malware has the power to change the boot stuff it doesn't have to! The malware can change whatever it wants in the rest of the system already. And there will be plenty in the rest of the system that's not protected by secureboot- browser, browser plugins, etc. It's already in the bank vault and holding all the money.

Re:Fuck secure boot.

[Aleksej]

Because this page is not about Apple, and everyone is supposed to know of Apple's evils already, and those against Microsoft are not necessarily with Apple as Microsoft wanted people to believe in the past.

Re:Fuck secure boot.

[Multiplicity]

What?? Do you expect truth and information to be visible in this threads? So naive of you :)

Re:Fuck secure boot.

[couchslug]

Making a stink is clearly optional, but meanwhile people want to run their choice of OS on hardware whose makers give not a single fuck about that happening.

Re:Making No Sense

Read his blog, he explains it all.

Basically, the Shim is signed with the Microsoft key, it will load on any system which trusts that key (i.e. every system out there).
The Shim will then load anything that's signed with any of the keys in the secure boot trust database, but it will also allow you to add keys to that trust database yourself.

For example: if you try to boot from a SuSe install DVD is will first start the Shim (which is trusted, because it's signed by Microsoft). The Shim will then ask you if you want to load whatever the DVD is trying to start, optionally installing the key used to sign what you're trying to start.

The end result is that John Q. User just needs to be told to push the 'Enroll key' button when he's installing SuSe/RedHat/Debian/... He doesn't need to be told how to disable Secure Boot, or how to install the SuSe/RedHat/Debian/... key into his system (which would be different for every system).

Doesn't work

I happen to have a computer with Secure Boot enabled by default. Matthew Garrett's boot loader doesn't work while Secure Boot is enabled. The reason being that the machine will not (repeat not) boot from any device except the hard drive unless Secure Boot is first disabled. The steps to load any OS, with or without Secure Boot support, goes like this:

Enter into UEFI control panel.
Disable Secure Boot
Enable Legacy boot options
Enable specific Legacy device, such as DVD drive
Save settings and reboot.
Change boot device to DVD

If Secure Boot is turned on, "Legacy" devices can not be used to boot the computer. Therefore having this boot loader doesn't do any good on machines with Secure Boot enabled. It has to be turned off just to access the installation media.

Re:Doesn't work

[cynyr]

Please provide the exact text that will show up on each menu/button. ohh right, UEFI did not spec the menu/configuration structure and nameing conventions. So directions for a VENDOR1 may not work for VENDOR2, and worse than that VENDOR1-2012 may not work for VENDOR1-2013.

So yea, that is really the issue here. It's like explaining to someone (who has issues with why Gmail and their computer can have different passwords) how to boot their computer from a USB stick. There is no common layout to BIOS and the same goes for UEFI.

Re:Doesn't work

[mjg59]

If your system currently has Windows 8 installed, then do this:

1) Insert the install media
2) Mouse to the bottom right
3) Select "Settings"
4) Click "Power"
5) While holding down shift, click "Restart"
6) Click "Use a device"
7) Click your install media

This is a little more involved than ideal, but it's got the huge benefit that it's consistent between systems rather than requiring you to use different hotkeys for different platforms.

Re:Doesn't work

[mjg59]

Well, that's the point. Nothing you run before reboot will be able to run in the firmware, because it doesn't have the right signature.

Re:Do not disagree with Garrett

[bmo]

"Or else he'll post ad-hominem personal attacks about you on his blog"

And this matters why?

--
BMO

What's the point of secure boot?

[loufoque]

What's the point of secure boot, if you can just use this bootloader to boot anything you want?

Re:What's the point of secure boot?

Keeping it so you can boot anything YOU want, not anything some random virus or trojan wants.

A difficult needle to thread, but hardly inconceivable.

Re:What's the point of secure boot?

[AdamWill]

You have to explicitly state that you trust the key it is bundled with. This doesn't happen automatically.

Re:Do not disagree with Garrett

Why does it matter? Because it could ruin your reputation, even wreck your career?
http://www.itwire.com/business-it-news/open-source/57290-garrett-slams-tso-as-rape-apologist

Garrett is scum.

Must ship with a way to turn off Secure Boot

[tepples]

Computers that ship with Windows 8 for x86 or x86-64 must ship with Secure Boot turned on but (importantly) must ship with a way to turn it off.

Re:Must ship with a way to turn off Secure Boot

For now... my friend.. for now...

Do not forget - we are talking about Microsoft here, so be prepared to get stabbed in the back (and have to pay for that privilege) in the near future...

Re:Must ship with a way to turn off Secure Boot

[complete+loony]

But there is no standard specification for *how* secure boot can be turned off. Or *how* the user can install a new key. It's the question of "how" to guide the user through the firmware screens that prompted the development of shim in the first place. This way there's one component with a known UI to guide the user through.

Re:Must ship with a way to turn off Secure Boot

[Darinbob]

And basically anyone with the smarts to use this boot shim, even if it just means smart enough to consider using something other than the default software, will be smart enough to figure out how to disable to secure boot.

Re:Must ship with a way to turn off Secure Boot

[DarwinSurvivor]

Computers that ship with Windows 8 for x86 or x86-64 must ship with Secure Boot turned on but (importantly) must ship with a way to turn it off.

Did they mandate what steps must be used in order to do that? I won't be surprised if disabling it is about as easy reprogramming the bios itself!

Re:Must ship with a way to turn off Secure Boot

[camperdave]

Computers that ship with Windows 8 for x86 or x86-64 must ship with Secure Boot turned on but (importantly) must ship with a way to turn it off.

Computers that ship with Windows 8 for x86 or x86-64 must ship with Secure Boot turned on but (importantly) must ship with a way to turn it off... for now.
FTFY

Secure Boot in custom mode

[tepples]

With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?

By setting Secure Boot to custom mode and installing the self-signed key. Microsoft requires makers of x86 and x86-64 PCs to allow neutering Secure Boot as a condition for Windows 8 certification, just like Google requires a device to have Android Debug Bridge open as a condition for access to the Google Play Store. The strict game-console-style lockdown is only for Windows RT.

Re:Secure Boot in custom mode

[bmo]

>The strict game-console-style lockdown is only for Windows RT.

As if this makes it ok.

An ARM computer is just as much a real computer as one with an IA64 processor in it, especially when the new ARM processors coming out support 64 bit computing

Why shouldn't I be able to put Linux or any other OS compiled for ARM on an ARM machine? An ARM laptop running Linux would be a nice thing with longer battery life than what can be found with Intel processors. Why do I have to supplicate and offer $$ to Redmond, from where I did not acquire the OS?

Brushing this off as if it doesn't matter "because you Linux guys only care about i386 and IA64" is disingenuous.

And like I said earlier, just because one company (apple) does it, doesn't mean it's OK for other companies to follow suit. Apple perverted the concept of a repository. This is not supposed to be a blueprint for other companies.

--
BMO

Re:Secure Boot in custom mode

[recoiledsnake]

Give it up,BMO is probably a PHB, he does not understand technical stuff, so he just trolls the karmawhoring Slashdot line by writing retarded anti-MS stuff and calling people paid shills. It's useless as trying to explain quantum mechanics to an amoeba.

Re:Secure Boot in custom mode

[AdamWill]

"Why shouldn't I be able to put Linux or any other OS compiled for ARM on an ARM machine? An ARM laptop running Linux would be a nice thing with longer battery life than what can be found with Intel processors. Why do I have to supplicate and offer $$ to Redmond, from where I did not acquire the OS?"

You don't. Microsoft's requirements for Windows RT only apply, pretty obviously, to Windows RT machines. Don't agree with them? Don't buy a Windows RT machine. Same way that, if you don't agree with Apple's restrictions, you don't buy an iPhone, or Motorola/Droid, or etc etc.

Microsoft has no kind of monopoly in the ARM market, in fact they're a minor player. You can buy more ARM hardware with a non-Microsoft OS than ARM hardware with a Microsoft OS.

Re:Secure Boot in custom mode

[Immerman]

Seems like pretty clear strategic positioning to me - most laptops are currently shipped as Windows-based devices. Current hardware trends suggest that, going forward, many/most laptops and replacements will be ARM-based. It's not a ferocious stretch to assume that, at least initially, Dell, ASUS, etc. will want to also ship those "laptops" with Windows as well (perhaps encouraged by MS incentive packages), at which point MS will have achieved significant lock-in on those devices, which will likely include a major percentage of the highest-end ones (i.e. the ones that will have the greatest staying power in the developing market). Doubly so since, given the current lack of system-level standardization in ARM devices, a shim such as this one would potentially have to be created and signed for every "flavor" of ARM system. (though WinRT may admittedly help impose standardization for supported hardware). And is there even any word on MS commitments to sign ARM shims?

Moreover, since new keys can't be added to ARM devices this sort of shim would mean having to confirm you wanted to boot an untrusted OS *EVERY* time you reboot or wake from hibernation. Not an insurmountable problem, but definitely an ongoing nuisance if you want to use "the competition", and largely rendering the benefits of secure-boot non-existant on such devices (yeah yeah, power on, click OK. What, yeah, sure, of course I verified the signing key. Right.)

And (thinking long term) what happens if MS finds itself in a position of eventually having dominated the ARM "serious computing" market as well (which is now the vast majority of "computers"), and simply refuses to sign any further shims? The competition could run for a while on old shims, until hardware migrates too far, but they'd be hurting. *Maybe* civilian governments could put the screws to MS to coerce them into backing down - but that's already a challenge, and MS would be in a much better bargaining position as the sole key-holder in this hypothetical future, even better if they've managed to insert a kill-switch into all those signed shims out there. Do I think such a future is likely? Not really, but I would bet good money that there are long-term strategists at MS considering the options, so we'd better be doing so as well. For starters I'm sure Red Hat, Canonical, etc. make a point of verifying that their signed shims all come back completely unmodified, right? Right?

Re:Secure Boot in custom mode

[epyT-R]

While what the parent said might be true, how long do you think it will last? How long before they're all like the RT platform? That's what BMO is really talking about..

Re:Secure Boot in custom mode

[dch24]

Give it up, recoiledsnake, probably a troll and you do not understand this stuff, writing retarded anti-BMO stuff and calling people karmawhores. It's useless as trying to explain why what you say in reply is wrong.

Windows RT is not called Windows 8

[tepples]

Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice.

The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED

And the gripping half is that the operating system for devices with an ARM CPU is not called Windows 8. It is called Windows RT (for 10" screens) or Windows Phone 8 (for 4" screens).

Re:Windows RT is not called Windows 8

[epyT-R]

...aaaaannd people should be able to boot whatever os they want on hardware shipped with RT as well.

Re:Windows RT is not called Windows 8

[sjames]

It certainly doesn't matter what it's called, what matters is that the things will not load any OS not blessed by MS.

Re:Windows RT is not called Windows 8

[tepples]

what matters is that the [Surface RT tablets] will not load any OS not blessed by MS.

Nor will a PlayStation 3 console running firmware 3.21 or later run an operating system not blessed by the manufacturer. Nor will an Xbox 360. Nor will a device that runs Apple's iOS, or for that matter Nintendo's iOS, without questionably legal circumvention. There exist other devices that someone who wants to run free software can buy in the first place instead of a Microsoft product.

Re:Windows RT is not called Windows 8

[sjames]

So MS isn't the only offender, I never claimed otherwise. Surely you're not using the 'but other kids...' argument here?!?

Re:Making No Sense

[lister+king+of+smeg]

easy answer ms tried screwing with the linux guys. they however just saw some programmers name on this application and signed it. MS is run by chair throwing anticompetitive dicks. if you start from that base assumption it all make perfect since.

If you don't want money going to Microsoft

[tepples]

An ARM laptop running Linux

Is manufactured by ASUS, under its Transformer brand.

Why shouldn't I be able to put Linux or any other OS compiled for ARM on an ARM machine?

Do you feel entitled to put Linux on, say, a Nintendo DS family product?

Why do I have to supplicate and offer $$ to Redmond, from where I did not acquire the OS?

If you don't want money going to Microsoft, don't buy a Surface RT, Xbox 360, Lumia, or any of its other locked down hardware.

Re:If you don't want money going to Microsoft

[Immerman]

Do you feel entitled to put Linux on, say, a Nintendo DS family product?

I do. As a rule I won't buy *any* product unless I will actually *own* it, aka can use it as I see fit. I flexed that rule once to buy a second-hand iPhone once I was certain I could in fact unlock it to do my bidding (no, I don't want to pay $900/year for a smart-phone data plan, I just want an iPod touch with integrated cell phone to use with my perfectly suitable $10/month plan). After a couple OS upgrade cycles that threatened to brick it for me I decided I wouldn't purchase any more products with such user-hostile management practices.

Re:If you don't want money going to Microsoft

[epyT-R]

An ARM laptop running Linux

is the exception to the rule. Most arm devices are locked.

Do you feel entitled to put Linux on, say, a Nintendo DS family product?

It's not about feelings of entitlement. It's about ownership rights. Once the hardware is purchased, then, by definition, he should have the right to run what he wants on it.

If you don't want money going to Microsoft, don't buy a Surface RT, Xbox 360, Lumia, or any of its other locked down hardware.

It's not that simple, and you know it.

Re:If you don't want money going to Microsoft

[tepples]

I just want an iPod touch

Do you mean "iPod" in the genericide sense of portable media player? If not, what specifically do you desire about Apple brand portable media players? Otherwise, you could buy an Android phone. All Android phones that have Google Play Store have Android Debug Bridge; Google requires this in the CDD for Android.

with integrated cell phone to use with my perfectly suitable $10/month plan

Until the carrier detects that you're on what it deems to be a smartphone and "slams" you to a more expensive plan.

I decided I wouldn't purchase any more products with such user-hostile management practices.

So do you plan on not buying a car because you can't unlock its in-car entertainment system?

Re:If you don't want money going to Microsoft

[Immerman]

Do you mean "iPod" in the genericide sense of portable media player?...you could buy an Android phone

Pretty much, though the large ecosystem of software and hardware sweetened the pot, and at the time that the iPhone 3G was released there weren't any android phones that were worth jack, and certainly none available for the $100 it cost me for a used iPhone 2G in great condition. And, owning a phone that satisfies my needs, it would be terribly wasteful to buy another now.

Until the carrier detects that you're on what it deems to be a smartphone and "slams" you to a more expensive plan.

Well, it hasn't happened in the last 4 years, and I still have the original flip phone to downgrade to if they want to try to jack with me.

So do you plan on not buying a car because you can't unlock its in-car entertainment system?

I don't see any reason to have a car entertainment system more sophisticated than a radio with a line-in jack, so probably not. More to the point the entertainment system is a minor feature of a car, whereas a pocket computer is the entire point of a smartphone.

Re:Making No Sense

[mjg59]

Given that I've been working with the Microsoft people who manage the signing for the best part of a year now, I'm pretty sure they know who I am and what I was getting signed.

Re:Making No Sense

[AdamWill]

This is mostly correct but not quite.

This incarnation of shim isn't intended for the big folks like Fedora, SUSE and Debian, it's for small distros. It's basically a process hack.

The big folks will build a shim package which inherently trusts their own signing key, and then work with Microsoft to have that signed. All the major distros are currently going through that process. In this version of the process, Microsoft essentially says 'we trust the Fedora project / the SUSE project / the Debian project / whatever to competently manage a bootchain'. They sign each distro's build of shim to declare that. From then on, the distro can manage everything above the shim level - grub2, the kernel, and userland - independently, as all of that stuff is signed with *their own* key, not with Microsoft's key. Microsoft signs the 'shim' layer. shim itself is a neat process hack that allows trust to be reposed in distro vendors without them actually having to get their own SB firmware keys distributed with systems.

This incarnation of shim is similar, but slightly different. It doesn't trust any particular key inherently. It is designed such that a small distro can package it with their own signing key, and then on boot, it requires the user to explicitly state that they trust that signing key. So it provides a mechanism by which you can securely state that you trust the authors of Bob's Little Linux Distro to securely manage a bootchain. So long as there is a mechanism by which you explicitly state that, Microsoft is happy. So it's similar to the 'big folks' process, but with the added wrinkle that this build of shim doesn't just trust one 'big folk' key inherently, it requires that the user explicitly state that they trust whichever key it is bundled with.

If you're an OS provider and you're willing to go through the trouble of working with Microsoft directly to have a shim build that trusts your own key signed - which involves proving to Microsoft's satisfaction that you're a competent OS vendor - you can go with that process, and your users won't have to explicitly trust your key, because Microsoft 'trusts it for them'. If you don't want to go to that trouble, you can use this version of shim, which saves you having to work directly with Microsoft, but requires your users to take a couple of manual steps which have the effect of declaring that they explicitly trust your key (i.e. you).

Matthew Garrett FTW!

[zigfreed]

And here's to hoping coreboot renders UEFI obsolete someday!

Re:Matthew Garrett FTW!

[Immerman]

Actually I think it has the potential to actually make UEFI live up to it's stated intentions (protecting against boot-vector malware),*without* giving MS a market edge. In fact it's pretty much the ideal scenario and should have been integrated into the standard from day one. Boot sequence:

-----

Starting up...
!!! WARNING !!!
The selected operating system drive (yada-yada on drive Y, partition X) has failed security checks and may be infected with malware
    [ it has been signed with the unrecognized security key xxxxx-xxxx-xxx-xxx-xxx ]
IF THIS IS YOUR NORMAL BOOT DRIVE THEN IT HAS BEEN COMPROMISED and you should perform a system recovery

If you are booting from other media (for example to install a new operating system) be aware that you are granting it access that could be used to install malware.

What would you like to do:

( 1 ) Shut down, I'll deal with this later
( 2 ) Choose a different drive to boot from (such as a System Recovery partition, if present)
( 3 ) I trust this operating system, go ahead and boot it

-----

[3] ->

!!! WARNING !!!
You are about to grant unrestricted system access to software who's integrity cannot be verified.
Are you ABSOLUTELY CERTAIN you want to do this?

( N ) Hell no! My finger slipped and I chose the wrong option, good thing this verification screen was here to save my ass.
( Y ) Yes, I'm quite certain, go ahead and boot
( @ ) Yes, and don't ask me again for software signed by this key.

-----

(Y/@) on a locked-down system ->

Authorization required to boot unverified operating system...
please enter the BIOS secure boot password to proceed
[____________]

And there, with maybe a dozen extra lines of code, we have a secure-boot interface that's simultaneously secure and easy to extend to new signing keys. That something like this isn't the recommended default is due to, one can only assume, either Microsoft's hubris or monopolistic aspirations. And considering their ever-increasing acknowledgement of the threat posed by alternative operating systems I rather doubt that it's hubris.

Re:Matthew Garrett FTW!

[Multiplicity]

I kinda agree, but from some answers here I'm starting to think that what should've been there from the beginning isn't a shim, but an alternate root signer / signing infrastructure not controlled by Microsoft. Some key Linux players were offered the chance to maintain this, but they declined. The technology launched with just one signer, and thus this confusion began, where everyone and their dog think that because every x86 mobo comes with MS keys, and the only signer is MS, then UEFI == MS. Which is not.

If the EFF/FSF/LF or for the matter (least preferably) Red Hat or Canonical would support a keysigning infrastructure, things would be more balanced, but they would have to divert their resources to do that, and be accountable for the binaries they sign. Instead they willingly choose to let Microsoft to be the one signer around.

Regarding ARM, it sucks, but it's exactly the same any other ARM player has done, and subject to the same circumstances.

Re:Do not disagree with Garrett

[AdamWill]

Oh, goody, once again with the 'ad hominem' canard.

An 'ad hominem' argument is only intrinsically a bad thing if you are attempting to debate a topic using strict formal logic.

If what you are attempting to do is point out that someone holds repugnant personal views, then 'ad hominem' is the only way to do it. Saying that a racist is a racist is an 'ad hominem' attack. Does that make it wrong?

Re:Do not disagree with Garrett

[AdamWill]

BTW, so far thousands of people have 'disagreed' with Matt and have not, so far as I can tell, been subject to 'personal attacks on his blog'. In fact, the few people Matt 'attacked' on his blog did not directly 'disagree with Matt' at all. They aired views that Matt found unacceptable, using their freedom of speech, so Matt used his freedom of speech to say that he found their views unacceptable. Do try and keep up.

LOL

[ArchieBunker]

Easier to install? Hardly. Its nearly identical. Don't tell me complicated windows gave you problems. This is just like the V chip inside every tv manufactured for the last 20 years. Must it be enabled for your tv to operate? No.

Will rootkits really prevent booting?

[Duncan+J+Murray]

Not sure I understand this fully, but I guess a rootkit changes the windows kernel in such a way that the signature becomes invalid, and so the UEFI refuses to load the windows kernel - is that right? So I presume the only way a rootkit can circumvent this is to either not change the kernel, or to re-sign it with the correct key. Have I got this right?

D

System76

[fatalGlory]

I hope that this whole Secure Boot issue pushes more people to buy computers with Linux (or whatever other open system) pre-installed. Even if you need to dual boot, buying a copy of windows that's not pre-installed is reasonably cheap nowadays. Buy a free-as-in-speech laptop and install Windows as the secondary OS. This would be in contrast to the old days where you'd generally get windows pre-installed (because it was cheaper that way) then install Linux later.

Bootloader

[Skapare]

How about the shim running a real bootloader ... instead of some software stack that's trying to be an OS ... ?

Like the boot order

[tepples]

Did they mandate what steps must be used in order to [disable Secure Boot]?

Nor does Microsoft mandate what steps must be used to switch the PC's boot order from HDD first to the more malware-prone USB first, yet people switching to GNU/Linux work around that somehow. And will it be that hard to go to Bing* and type in the computer maker followed by disable secure boot ?

* Let me give Microsoft the benefit of the doubt here.

Re:Like the boot order

[DarwinSurvivor]

Installing used to be easy. Insert disk -> install. Now you have to figure out which of 8 keys your particular motherboard uses to enter bios, enable USB boot, change the boot order and now disable UEFI. It's starting to get much less fun :(

"For now" could be a very long time

[tepples]

As long as Microsoft makes available downgrade rights to Windows 7, Microsoft has to support PCs that don't have Secure Boot. So "for now" could be a very long time, long enough for Chrome OS to mature, for Android to gain support for multiple windows on the screen, and for things like the recently funded PengPod to gain traction.

Re:"For now" could be a very long time

[camperdave]

As long as Microsoft makes available downgrade rights to Windows 7, Microsoft has to support PCs that don't have Secure Boot.

Just because Microsoft has to support PCs that don't have secure boot doesn't mean they can't force machines that do to be Microsoft only. The Windows 7 downgrade option can end tomorrow, and where does that leave folks?

Is Microsoft willing to exit the EU market?

[tepples]

Current hardware trends suggest that, going forward, many/most laptops and replacements will be ARM-based. It's not a ferocious stretch to assume that, at least initially, Dell, ASUS, etc. will want to also ship those "laptops" with Windows as well

Right now people expect to run desktop applications on laptops. Windows RT runs exactly two desktop applications: IE and Office. So unless Microsoft allows selling desktop applications through the Windows Store, I don't see in which direction Microsoft plans to take Windows RT for the traditional laptop form factor.

Moreover, since new keys can't be added to ARM devices this sort of shim would mean having to confirm you wanted to boot an untrusted OS *EVERY* time you reboot

Would it be any more trouble than existing dual boot scenarios, where the user has to pick Windows or GNU/Linux from the GRUB or Boot Camp menu?

or wake from hibernation.

I thought tablet operating systems only went to suspend, not hibernation. Hibernation is intended to restore the state of multiple applications, and tablet operating systems generally don't support multiple applications' windows on the screen.

And (thinking long term) what happens if MS finds itself in a position of eventually having dominated the ARM "serious computing" market as well (which is now the vast majority of "computers"), and simply refuses to sign any further shims? [...] *Maybe* civilian governments could put the screws to MS to coerce them into backing down

What could happen is serious legal trouble, even if only in the European Union, which has shown itself willing to put the screws to Microsoft. Is Microsoft willing to exit the EU market over this, especially as the EU market grows larger than the NAFTA market?

For starters I'm sure Red Hat, Canonical, etc. make a point of verifying that their signed shims all come back completely unmodified, right?

A signed work is just the concatenation of the unsigned work, the hash of the work encrypted with the signer's public key, and optionally a certificate chain from the root down to the signer. If portion of the signed work representing the unsigned work is identical to the original unsigned work, then Microsoft hasn't added a time bomb.

Re:Is Microsoft willing to exit the EU market?

[Immerman]

unless Microsoft allows selling desktop applications through the Windows Store, I don't see in which direction Microsoft plans to take Windows RT for the traditional laptop form factor.

Considering that the only real feature I've seen advertised for the new Windows tablet is the click-on keyboard, and that MS mangled Win 8 so that native apps have to use the tablet API for full OS access, it seems like that is an extremely likely outcome. After all you code to the API, not the device - do you really think any serious software producer is going to deny themselves access to another market because it's too much trouble to compile their product twice?

Would it be any more trouble than existing dual boot scenarios, where the user has to pick Windows or GNU/Linux from the GRUB or Boot Camp menu?

Yes. When I turn on my laptop it defaults to booting into Linux, I only have to respond to the multiboot menu if I want to use Windows instead. Moreover, as I said having to confirm booting from an untrusted source EVERY time completely defeats the purpose of having secure boot in the first place.

I thought tablet operating systems only went to suspend, not hibernation. Hibernation is intended to restore the state of multiple applications, and tablet operating systems generally don't support multiple applications' windows on the screen.

"On screen" is irrelevant, you get much the same effect if you run all your programs in fullscreen on a desktop. Multiple programs are still running, all that's changed is the way you switch between them. As for hibernation - when your battery inevitably dies (quite often while you're not using it) your options are only that or lose any unsaved work - I would be very surprised if it's not available. Admittedly though it will likely be used less than on a power-hungry laptop.

What could happen is serious legal trouble, even if only in the European Union, which has shown itself willing to put the screws to Microsoft. Is Microsoft willing to exit the EU market over this, especially as the EU market grows larger than the NAFTA market?

Oh certainly - the question is will MS care? The EU has had some balls dealing with MS thus far, but they're still showing trends of loosening the bonds holding corporations in check, if not quite slashing them away as has been happening in the US. If MS somehow managed to install a kill switch, how brave do you think the EU would be in the face of an ultimatum like "You let us off with a slap on the wrist, or we shut down 80% of the computers in your Union"? Not delivered publicly of course, that would just be bad manners.

A signed work is just the concatenation of the unsigned work, the hash of the work encrypted with the signer's public key, and optionally a certificate chain from the root down to the signer. If portion of the signed work representing the unsigned work is identical to the original unsigned work, then Microsoft hasn't added a time bomb.

Certainly it's not difficult to check, the question is do they? (oh, and that should be encrypted by their *private* key, the public key is used for decryption, lest there's anyone reading who's not familiar with the process)

Twitter, APK, and BMO

[tepples]

Twitter means both a microblog service and a Slashdot personality known for pro-GNU/Linux, anti-M$ sockpuppetry. APK means both an Android application packaging format and a Slashdot personality known for promotion of hosts files as a component of Internet security. And now BMO means both the public bug tracker of Firefox and a Slashdot personality known for accusing people of astroturfing for Microsoft. Why do names have to be so overloaded?

Battery dies in what way?

[tepples]

After all you code to the API, not the device

For one thing, you code to the device when trying to get your system requirements down to those of the device that your target market owns. For another, Windows RT lacks a publicly accessible API for overlapping windows; applications are instead expected to use the "modern UI" widgets.

Yes. When I turn on my laptop it defaults to booting into Linux, I only have to respond to the multiboot menu if I want to use Windows instead.

Some people have their bootloaders configured the opposite way.

you get much the same effect if you run all your programs in fullscreen on a desktop.

On a desktop window manager, I can and do choose to unmaximize an application's window and show multiple windows in a tiled or overlapping configuration. The current tablet operating system's window managers deny me that choice.

Multiple programs are still running, all that's changed is the way you switch between them.

True, I can be providing keyboard and mouse input to only one application at a time, the one with focus. But with a tiling window manager, I can switch between the output of one application and the output of another application by moving only my eyeballs. It'd be handy to put Chrome on one half and ColorNote on the other, so that I can refer to a web page while taking notes.

As for hibernation - when your battery inevitably dies (quite often while you're not using it)

By "dies" in this sentence, do you mean "needs to be recharged", or do you mean "no longer holds a charge and needs to be replaced"?

your options are only that or lose any unsaved work

Or have the application auto-save when it loses focus, which is the norm on tablet operating systems.

If MS somehow managed to install a kill switch, how brave do you think the EU would be in the face of an ultimatum like "You let us off with a slap on the wrist, or we shut down 80% of the computers in your Union"?

A lot of organizations in the EU have switched to GNU/Linux, and should Microsoft do something that causes the EU not to want to do business with Microsoft anymore, these organizations will have the market.

oh, and that should be encrypted by their *private* key, the public key is used for decryption

Oops, my bad.

Re:Battery dies in what way?

[Immerman]

Sure, you code to the resources of the target system - but for the most major resource-hungry applications that means desktop=easy, tablet=needs more optimization, which in most cases will benefit it on the desktop as well. And frankly this years tablets are typically stacking up pretty well against 5 year old desktops (which still comprise a huge percentage of the market) so I'm not seeing that it's much of an issue except for the most demanding software. Doubly so with the advent of laptops and more recently netbooks which can't hope to match the power of a powerful desktop and span the performance spectrum pretty well.

Sure, people multiboot differently, you didn't ask if it was a significant inconveniece for *everybody*.

As for the multitasking - my point is simply that tablets do it too, the UI is irrelevant to the behind-the-scenes behavior. And as far as save-on-focus-loss you're quite right, it does largely eliminate the need for hibernation, though it does get a bit more complicated for non-trivial programs. Saving that 400MB photoshop or CAD document every time you switch between it and the tutorial website could become an issue. Still, it can be done more elegantly and is essentially a move to independent app-level "hibernation", which I'm all in favor of, it's long overdue. You still need at least UI-level "hibernation" to keep track of what's currently running/suspended for seamless resume from reboot, but that's a minor detail.
Oh, and by the battery dieing I mean the device loses power and everything in RAM is lost, so that the OS will have to start over from a freshly powered on state and (hopefully) restore itself to whatever state it was in immediately before power was lost.

A lot of shops have switched to GNU/Linux

That's not the question if a kill switch gets smuggled in. The question is whether the gov't would back down in the face of a threat to have a substantial portion of the computing infrastructure effectively destroyed. How many trillions of dollars worth of computers would have to be rapidly replaced - not just by institutions but by private citizens? And also, how many of those Linux-running shops are using hardware that originally came with Windows? Because they'll all be SOL as well if a kill switch is activated, in fact they'll probably be the first to fall since MS would presumably take out the competition first.

In a more realistic scenario, MS is building ever more offices in the EU, which contribute not insubstantially to the local economies. You can bet they're not doing that because operating costs are lower than in other nations, rather it gives them leverage in their dealings with governments both immediately (give us these perks and we move in) and in the long term (do you *really* want us to leave?) above and beyond the usual bribery of politicians.

But other kids do it

[tepples]

I agree with you that "But other kids do it; therefore that justifies it" is wrong. What I was trying to say was more along the lines of "But other kids do it; therefore avoid Windows RT devices like you avoid those other kids."

Re:But other kids do it

[sjames]

And my point is that as a whole, the locked bootloader has done plenty of harm (so many kids vandalizing things) but no demonstrable good. I'd like to see this crap cracked and proven useless before it gets to the point where I have to resort to an abacus to get an open platform.

The solution to bad behavior is rarely to ignore it and hope it goes away.

Shut out the 90% crap in 1985

[tepples]

And my point is that as a whole, the locked bootloader has done plenty of harm (so many kids vandalizing things) but no demonstrable good.

The origin of this in home entertainment products can be traced to a recession in the North American video game market starting around 1983, as store shelves were flooded with hastily produced cash-ins like E.T. Toy retailers realized Sturgeon's Revelation, and in the fourth quarter of 1985, Nintendo wanted to reassure retailers carrying the NES that its third-generation console would not suffer from the same problem as the products on the market at the time. This led to the CIC, a matched pair of microcontrollers in the NES Control Deck and Game Paks that would continuously verify a pseudorandom stream, and to the digital signature in Atari 7800 cartridges.

Re:Shut out the 90% crap in 1985

[sjames]

I'm guessing that at least a mini-crash would have happened even without the 3rd party developers. It's root cause was that even the 'top-tier' developers were rushing games out the door. Another was their failure at branding. Had they been more careful with that, instead of a glut killing the market, they would have been differentiated better from the me-toos. Given the quality of the me-too games, they shouldn't have had much difficulty establishing a tiered market. Instead, Atari released E.T. and proved there was no real difference anymore.

Of course some of that apparent boom and bust was just the natural result of introducing a new class of consumer product. Naturally sales went in waves and then settled.

The after the fact fix was proper management of 3rd party developers through development kit programs and training. The lock-down was pure failure of enlightenment.

Two previous versions

[tepples]

Just because Microsoft has to support PCs that don't have secure boot doesn't mean they can't force machines that do to be Microsoft only.

UEFI can't tell that Windows 7 is a Microsoft operating system because Windows 7 doesn't carry a UEFI Secure Boot signature. Therefore, end users exercising downgrade rights will have to turn off Secure Boot to use Windows 7. And the page about downgrade rights implies that downgrade rights appear to cover the last two major versions: Windows 8 licensees can downgrade to 7 or Vista, and Windows 7 licensees can downgrade to Vista or XP. So Microsoft will more than likely allow end users to turn off Secure Boot until Windows 9 is no longer available, and that page states: "Note that end user downgrade rights will be available through the sales life cycle of Windows and Windows Server operating systems, which is up to two years after the launch date of a new version." So companies concerned about the Secure Boot problem have until two years after the launch of Windows 10 to plan their migration to hardware with a drawing of a penguin on the box. This could be seven or eight years from now.

The Windows 7 downgrade option can end tomorrow

From the page about downgrade rights: "Downgrade rights are an end-user right, documented in the Software License Terms that customers accept upon first running Windows software." If the Software License Terms are in fact a contract, then they bind Microsoft just as much as they bind the end user.

Re:Two previous versions

[camperdave]

Again, Microsoft can revoke that at any time without any notice, and with no appeal process. Just because they say it is so now, does not mean it will be so forever.

Re:Two previous versions

[tepples]

If the Software License Terms are in fact a contract, then they bind Microsoft just as much as they bind the end user.

Again, Microsoft can revoke that at any time without any notice

How can Microsoft revoke it to existing end users of Windows without violating the Software License Terms?

Re:Two previous versions

[camperdave]

Because Microsoft owns the license. They can change the terms at will.

It's a contract

[tepples]

Because Microsoft owns the license. They can change the terms at will.

Consideration was exchanged: the customer gave Microsoft money in exchange for a copy of a program and a license to decrypt its installer. I was under the impression that this formed a contract that binds both parties.