Slashdot Mirror
Linux: Booting Via UEFI Can Brick Samsung Notebooks
wehe writes "Heise News reports today some Samsung notebooks can be turned into a brick if booted just one time via UEFI into Linux. Even the firmware does not boot anymore. Some reports in the Ubuntu bug tracker system report that such notebooks can not be recovered without replacing the main board. Other Linux distributions may be affected as well. Kernel developers are discussing a change in the Samsung-laptop driver."
It appears even Samsung is having trouble tracking down the problem (from the article): "According to Canonical's Steve Langasek, Samsung developers have been attempting to develop a firmware update to prevent the problem for several weeks. Langasek is advising users to start Ubuntu installation on Samsung notebooks from an up-to-date daily image, in which the Ubuntu development team has taken precautions to prevent the problem from arising. It is, however, not completely clear that these measures are sufficient."
UEFI is working as intended.
Be seeing you...
Kernel developers are discussing a change in the samsung-laptop driver.
To be fair, they didn't realize anybody would actually implement the HCF instruction.
How can I believe you when you tell me what I don't want to hear?
Now THAT ladies and gentlemen, is a true brick. Not these smartphone soft-bricks that can be solved by a quick flash. you don't go home happy after a brick. Do not pass go. Do not collect $200.
The article spends four and a half paragraphs shouting how Linux has trashed the laptop and even states that "It does, however, only occur when Linux is booted using UEFI." But then right at the end it closes with "In addition to the samsung-laptop driver bug, there may be, it appears, other ways of messing up the hardware and firmware on some Samsung laptops to the extent that they will no longer boot." So, is it really the evil Linux that is fouling up Samsung's laptops, or is the the incompetent Samsung that allows the firmware on the motherboard to be fouled up so badly that it cannot be reflashed? (With regard to the replaced motherboard... I wonder if that is simply the easiest way to handle the warranty. Swap the motherboard, send it back to the customer, repair the "broken" motherboard later.)
Not sure what Samsung you're talking about. Some of the Samsung products I own incorporate free (really free, libre) software products in full compliance with the GPL. They seem to treat free/libre software as an ally, not an enemy.
The previous guy commenting about "sabotaging free software" got marked as a troll... But this is pretty similar to a major eMMC firmware bug present in many of Samsung's phones manufactured in 2011.
The eMMC flash chip is NOT JEDEC compliant, and the wear leveller can go out into la-la-land if you issue a secure erase command to the chip.
Starting with ICS, Google started performing eMMC erase when wiping data in recovery for privacy reasons. This would kill Samsung flash chips.
In the Galaxy Nexus, Google forced Samsung to fix the damn chip with an internal firmware update.
However, in other devices, Samsung worked around it in two ways:
1) Disabling MMC_CAP_ERASE in I9100 kernels for a while
2) Replacing secure erase with nonsecure erase and not documenting this anywhere
Without the assistance of an engineer from Google (whom Samsung later tried to silence as far as I can tell) providing critical information, the opensource community would have been fucked.
Eventually, Samsung claimed they were "working hard" on the issue in early June 2012 - http://www.xda-developers.com/android/samsung-diligently-working-towards-hardbrick-fix/
A month later, in early July, they added MMC_CAP_ERASE to I9100 kernels without providing even the slightest warning - Within a day, a pile of bricks showed up:
http://forum.xda-developers.com/showthread.php?t=1756242
In late August/early September, they submitted a patch to the Linux kernel to work around the issue at a kernel level - It was merged to mainline on September 4.
In early October, they released an update for Sprint devices WITHOUT THE FIX. "testing takes time" is an invalid excuse, as the build date for Sprint FI27 was September 27, 2011 - Almost a MONTH after the patch had been mainlined. The patch is very easy to backport to their I9100 kernel source baseline, so there is no excuse for this.
As a result, I still get PMs on XDA once or twice a week due to people accidentally digging up userspace binaries that perform secure erase. This shouldn't be an issue, as it is the kernel's responsibility to protect hardware from getting damaged by userspace. Samsung's position was that it was an "open source problem" and hence refused to fix it in the end.
Now that the exynos-abuse vulnerability is known and an exploit has been published, it's not an open source problem any more - Anyone who has not yet received an update to patch the exynos-abuse hole is dependent on this planet, out of 7 billion people, not having a SINGLE asshat who decides they want to permanently destroy a few Samsung devices. Even if exynos-abuse is patched, as long as the kernel still allows secure erase commands through, any other privilege escalation exploits will endanger devices again. Despite this, Samsung released an update for Sprint devices (FL24) at the end of December 2012 that *did not contain any protection against this issue in the kernel*
So yeah, Samsung wishes free software would go away - they claim otherwise, and make promises that they care and are trying to fix things, but they never deliver on such promises. Actions speak louder than words, and Samsung's actions send a pretty clear message to open source software - "fuck off and die".
(I won't even go into Samsung's constant and incessant GPL violations here... But it's incredibly rare for any Samsung source drop to correspond to any existing firmware release for a given device. When asked about this inconsistency, Samsung will claim that the firmware that came preinstalled on the device you purchased on launch day at Best Buy is a "leak" and thus they do not need to provide source that matches it.)
retrorocket.o not found, launch anyway?
It seems as though there is something badly wrong with the at least some part of the design if a bug of this flavor is possible(much less happening for reasons that even the vendor hasn't nailed down yet).
There are reasons to update/modify the firmware responsible for the first stages of the boot process; but not all that often(especially on a PC-class device, which has tons of both RAM and persistent mass storage available, this isn't some cost-reduced embedded device where the OS has to scribble configuration information in whatever bits of the teeny flash chip that also stores the bootloader).
Can anybody enlighten me as to why (outside of a BIOS update) a situation would arise where the kernel needs to scribble over the motherboard firmware, or where the firmware would be doing anything sufficiently drastic to itself based on input from the kernel that it wouldn't be recoverable?
Samsung notebooks can be turned into a brick if booted just one time
Why do people say "one time" when there's been a shorter word for it for hundreds of years? Damn Fugees...
Why do people say "hundreds of years" when there's been a shorter word for it for centuries?
Or it could be that the project leader inserted such code because he was told to by his werewolf leaders to block the use of the laptop by occultist vampires, who due to their niche market, have to rely on rebranded Linux distros for their neffarious deeds. At the same time, they would be blocking use of the laptop by robot leagions by preventing them from installing an OS that doesn't give them nightmares. I don't know how the pirates (real pirates) fit into this.
The idea that Samsung is in control by werewolves, with Linux usability caught up in the perpetual war between werewolves, vampires, and robots, is not a good possibility, but it hasn't been entirely eliminated yet either.
Looks like you are confusing UEFI with secure boot stuff. BIOS was kind of a legacy mess, and it was about time the interface got updated. UEFI is that replacement. You can get a UEFI setup without the secure boot stuff.
Please.
When I first installed linux it was the powerpc version, that is, a port, on a powerbook, in 2002.
One kernel recompilation and wireless worked, sound worked, gigabit ethernet worked, radeon 3d worked (lots of frames too). Only thing missing, the faxmodem.
Logic says the intel version should have been simpler, because of the 10x-100x mindshare it had. When I switched to intel, not exotic models, it wasn't. In the following years, i had INCREASING difficulties with laptops. The broadcom driver, 3d needing proprietary drivers (and proprietary IMHO means more lockups, instead of more quality). Then with desktops (firmware for the network card, a blasphemy because common protocols for any os to speak to a network card are there at any level of hardware abstraction).
Now, bricking a machine needs something more than a bug, it needs a feature. It makes perfect sense commercially. Hardware makers might bicker about windows to get better deals, but they sure know that if the world switched to linux their sales would go down, for lack of artificial obsolescence represented by the OS/drivers/app upgrade cycle.
The fight for the desktop has begun. Valve, restricted boot, UEFI, ACPI... Buy wisely.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
Bricks can be fixed with JTAG; if you have to outright replace the hardware, that's fried, toasted, nuked. (How the HELL does software do something THAT bad, anyway? Even flashing a ROM for an entirely incorrect model on a smartphone is still technically reparable..)
Facts do not cease to exist because they are ignored. - Aldous Huxley
That makes Apple a FOSS leader....
New Economic Perspectives
On the other hand, people might upgrade their hardware more often if they could be assured their new hardware wouldn't come with Microsoft's latest abomination and a shit-ton of bloatware.
One thing we do know is that hardware manufacturers don't have the balls to try it. Properly, at least, rather than periodic token attempts.
Log in or piss off.
yeah, to the tune of 500k a year to the linux foundation alone.
Hmm, let's see who is behind UEFI, shall we? AMD, AMI, Apple, Dell, HP, IBM, Insyde, Intel, Lenovo, Microsoft, Phoenix. Yup, Linux haters all. Obviously this is all Microsoft's fault.
Mine got bricked booting Fedora 18 XFCE..
I tried to install Ubuntu 12.10 a few months ago, using the UEFI boot instead of the regular BIOS boot loading options on a Samsung laptop. The installer started, and all I got was a black screen. When I tried to turn it on again, all I got was a black screen. I assumed it was a hardware problem, and managed to get a replacement laptop. I then tried to do the same procedure again, and I also managed to brick the second laptop. Since the internal SSD is not serviceable, I was not able to resolve the issue, and Samsung was unable to help me in any way. I returned the second laptop, and then I disabled the ExpressCache from Windows before I wiped the system and installed Ubuntu Linux without using UEFI.
Any sufficiently advanced technology is indistinguishable from magic.
Which patents are those, exactly, and where is it proven that they are being infringed upon by Linux?
Learn from the mistakes of others. There isn't enough time to make them all yourself.
And this has nothing at all to do with secure boot, so what is your point?
Anything that slows the the english language's inevitable progression into a type of text speak is a good thing.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
Which begs the question
No it doesn't.
how does Apple boot Windows 8?
The computers are Macintoshes. Apple is the company.
Their UEFI doesn't support secure boot as OS X doesn't support it...
Windows 8 doesn't require UEFI Secure Boot. It couldn't, since one of Microsoft's requirements is that users be able to disable Secure Boot. Having UEFI Secure Boot is a requirement places on the OEMs that ship computers with Windows 8, and Apple doesn't ship Macs preinstalled with Windows.
On the other hand, people might upgrade their hardware more often if they could be assured their new hardware wouldn't come with Microsoft's latest abomination and a shit-ton of bloatware.
I highly doubt this. Most consumers still call their computer case the "CPU" and buy new computers when they don't have to because they don't realize Windows and their computer are different things. Basically, the average person looks at their computer like they would an advanced VCR.
The sad fact is, most people go out and buy new computers precisely because it has the newest version of Microsoft's abomination and all that bloatware which are marketed as features on the box and by the Best Buy droids. Computer manufactures know this, love it, and bank on it. It's how companies like Intel can get away with requiring a new goddamned socket every year (or less) and not have people storming their castle with pitchforks and torches. My parents don't care. Dell don't care either, because they're selling whole systems and not parts. Likewise, every time Microsoft come out with a new version of Windows, computer makers start seeing dollarsigns.
Not an expert, but my impression is that UEFI is (yet another) bad idea poorly implemented from Intel and a committee of camels.
Exactly how booting an OS can permanently cripple purportedly secure firmware eludes me, but after the past two decades of watching strange ideas become accepted wisdom, I don't find it all that surprising. (OK, OK, I guess bricked is pretty secure. Not very damn useful, but very secure.)
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
UEFI is a replacement for BIOS. As their web page puts it: The UEFI specification defines a new model for the interface between personal-computer operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications.
Secure boot is an optional feature of UEFI which can be used to ensure that the boot image being loaded by UEFI is from a trusted source.
The problems described in this article have nothing to do with secure boot.
...Microsoft requires it on all new Windows 8 computers...
I thought it was just required to be "certified"... Though they do require Secure Boot not be able to be disabled on ARM. Supposedly this Windows 8 certification is optional - whatever that might mean. I hope to never buy such a UEFI/Secure boot machine, kind of like how I do not want a Samsung Chromebook. Wiki Cite:
In 2011, Microsoft was accused by critics and free software/open source advocates (including the Free Software Foundation) of trying to use the secure boot functionality of UEFI to hinder or outright prevent the installation of alternative operating systems such as Linux, by requiring that new computers certified to run its Windows 8 operating system ship with secure boot enabled using a Microsoft private key.
"but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786