Slashdot Mirror

← Back to Stories (view on slashdot.org)

UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions

Posted by timothy on from the next-level-reached dept.

hypnosec writes "The Linux Foundation's UEFI secure boot pre-bootloader is still in the works, and has been modified substantially so that it allows any Linux version to boot through UEFI secure boot. The reason for modifying the pre-bootloader was that the current version of the loader wouldn't work with Gummiboot, which was designed to boot kernels using BootServices->LoadImage(). Further, the original pre-bootloader had been written using 'PE/Coff link loading to defeat the secure boot checks.' As it stands, anything run by the original pre-bootloader must also be link-loaded to defeat secure boot, and Gummiboot, which is not a link-loader, didn't work in this scenario. This is the reason a re-write of the pre-bootloader was required and now it supports booting of all versions of Linux." Also in UEFI news: Linus Torvalds announced today that the flaw which was bricking some Samsung laptops if booted into Linux has been dealt with.

29 of 185 comments (clear)

  1. Microsoft controls compoter booting by ozmanjusri · · Score: 5, Insightful

    The redesigned bootloader has already been submitted to Microsoft for singing and once the signed version is received, The Linux Foundation is planning to provide it for free.

    Why in hell did the world give Microsoft control over computer bootup hardware?

    That's just insane.

    --
    "I've got more toys than Teruhisa Kitahara."
    1. Re:Microsoft controls compoter booting by Xipher · · Score: 5, Insightful

      The alternative is to try and get every motherboard manufacturer to accept a singing key from them. Having Microsoft sign it means they don't have to deal with that headache.

      --
      I don't know everything.
    2. Re:Microsoft controls compoter booting by fph+il+quozientatore · · Score: 4, Insightful

      Why in hell did the world give Microsoft control over computer bootup hardware? That's just insane.

      I am curious - with a huge SSL signing and authorities infrastructure in place, why did no one ever think to use it? That's probably horribly broken in many other ways, but at least it will only take one solution to solve both problems, when someone manages to fix SSL.

      --
      My first program:

      Hell Segmentation fault

    3. Re:Microsoft controls compoter booting by SuricouRaven · · Score: 5, Insightful

      Because Microsoft demanded OEMs give it that control, or else lose their access to dirt-cheap OEM windows licenses. As it is impossible to sell a computer without Windows outside of a very small niche - most users don't even know what an OS is - that gives Microsoft such bargaining power that when they demand, OEMs have no choice but to comply.

    4. Re:Microsoft controls compoter booting by Zemran · · Score: 5, Funny

      I love the idea of singing motherboards :-) it would be much better than this stupid idea that is being forced on us in order to make more money for M$...

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    5. Re:Microsoft controls compoter booting by Bob9113 · · Score: 4, Insightful

      Why in hell did the world give Microsoft control over computer bootup hardware?

      Because our government leaders voted that the risk of allowing corporations to inhibit competition was less threatening than the risk of allowing the government to regulate such behavior. It reflects the laissez-faire notion that corrupt elected officials are more dangerous than corrupt corporate executives. Though, in practice, our lax policy regarding such anti-free-market behavior is the result of corrupt corporate executives financing corrupt elected officials.

      --
      Stop-Prism.org: Opt Out of Surveillance
    6. Re:Microsoft controls compoter booting by Mike+Frett · · Score: 5, Interesting

      I actually sent a very long and detailed letter the DOJ about this and how it constitutes a violation of the Sherman Act. Not Five (5) minutes after sending I received a generic reply about how Microsoft was not in violation of anything.

      With all the E-Mail these people receive and the sheer size of my Letter, there is no way in hell the DOJ read my Letter that fast. What they did was see the word 'Microsoft' and instantly reject it.

      Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic.

    7. Re:Microsoft controls compoter booting by EvilIdler · · Score: 5, Interesting

      That could potentially be an article of its own. Hope you post it everywhere :)

    8. Re:Microsoft controls compoter booting by Patch86 · · Score: 3, Insightful

      If he was wrong, it would be nice if they could respond to each point he raised and tell him why he was wrong. Getting a reply which says "trust us, don't worry about it" is always going to be unsatisfying.

    9. Re:Microsoft controls compoter booting by Anonymous Coward · · Score: 5, Funny

      It'd be loads more fun to troubleshoot as well.

      fur elise - bad ram check
      oh fortuna - check video card

      etc etc.

      Much easier than beep codes and instills a bit of culture too.

    10. Re:Microsoft controls compoter booting by mrbluze · · Score: 3, Interesting

      Microsoft is in bed with the US government at high levels so i don't think your letter will go anywhere.

      This is significant. What is the difference between having your computer pwned by some kind of boot-time virus that feeds your info to criminals, to having your computer pwned by some kind of government official who is also a criminal?

      There is no other way to look at this situation than to accept that it is an abrogation of a basic freedom - to run whatever the hell we want on hardware we paid for

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    11. Re:Microsoft controls compoter booting by Anonymous Coward · · Score: 4, Interesting

      I think you mean if someone manages to fix SSL. The huge number of SSL signing authorities is its biggest weakness IMHO.

    12. Re:Microsoft controls compoter booting by ami.one · · Score: 5, Funny

      Reminds of the old days when a linux kernel compile would take 6 hours and we were trying some modifications for VIA hardware which required hundreds of tries with minor changes in the driver codes - so we would start the compile with a script to play two different types of music on Error or Success, and then go to sleep.

      If in the middle of the night it was dire straits then we would get up and debug/fix the errors and start a compile again; if it was some soothing instrumental we would continue sleeping knowing that its compiled.

    13. Re:Microsoft controls compoter booting by bcmm · · Score: 3, Informative

      It's a misdirection. We direct our anger at untouchable faceless corporations instead of individuals who are actually vulnerable at election time.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    14. Re:Microsoft controls compoter booting by martin-boundary · · Score: 4, Insightful

      No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.

      I'd prefer they waste their money on that, than use it to prosecute hackers who copy science papers. The money, once in the budget, will be spent regardless. If it _won't_ be spent on serving the public, it _will_ get spent on selfish career making schemes.

    15. Re:Microsoft controls compoter booting by exomondo · · Score: 3, Insightful

      The alternative is to try and get every motherboard manufacturer to accept a singing key from them. Having Microsoft sign it means they don't have to deal with that headache.

      Or to not use secureboot motherboards or just turn secureboot off and continue on as we do now, hell if you really wanted to use windows 8 you still could, it doesn't need secureboot either, it doesn't even need UEFI.

    16. Re:Microsoft controls compoter booting by Anonymous Coward · · Score: 5, Funny

      Standard boot message:
      "Is this the real life?
      Is this just fantasy?
      Caught in a landslide
      No escape from reality..."

      Oh so many lines from that song would make great kernel error messages.

    17. Re:Microsoft controls compoter booting by ami.one · · Score: 3, Interesting

      That didn't work because we were developing a thin client type of consumer device on VIA micro boards which had to do network boot with the kernel delivered by the ISP over the network and it was not possible to have a mounted rootfs - so almost everything required was in the kernel. On top of that VIA had notoriously difficult code for its drivers which would get modified by us with almost no knowledge & just trial and error. Good times.

    18. Re:Microsoft controls compoter booting by ZorinLynx · · Score: 4, Interesting

      Why not allow the owner of the motherboard to sign their own code? This could be done at OS install, then if any malware modifies the code, it won't boot.

      Giving control to the manufacturer just sounds wrong.

    19. Re:Microsoft controls compoter booting by TheGratefulNet · · Score: 3, Funny

      spill some coffee on the motherboard and its:

      thunderbolts and lightening,
      very very frightening...

      --

      --
      "It is now safe to switch off your computer."
  2. Alternatives by fyngyrz · · Score: 5, Insightful

    Well, actually, another alternative is for motherboard manufacturers to continue to make motherboards that boot the same way as they have for some time. So older, fully functional operating systems can continue to boot.

    Of course, this would allow us to continue to use those fully functional OSs, and remove a goodly portion of the incentive to upgrade... so one might, if one were cynical, imagine that there is a corporate motive at work here.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:Alternatives by Anonymous Coward · · Score: 4, Informative

      Which they do. Every motherboard out there can have its secure boot disabled by the user, in addition they should all accept custom keys.

    2. Re:Alternatives by nojayuk · · Score: 3, Informative

      Not implementing UEFI means the mobos can't be used in a production environment where they can receive the coveted "Windows 8 Ready" approval for millions of customers in the coming years. Continuing with the older BIOS system means they can easily boot alternative OSes for a few thousand enthusiast customers (who can in fact use UEFI anyway) but they lose the much bigger market. Decisions decisions...

      Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

    3. Re:Alternatives by Simon+Brooke · · Score: 4, Interesting

      Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

      While in practice the pragmatics of the situation are that you are right, in principal I believe that we should be talking to the anti-trust authorities - both sides of the Atlantic - because this is very clear abuse of monopoly. Unless, of course, Microsoft irrevocably commits to authorise any version of any competing operating system for free, in which case the whole point of secure boot has just vanished.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
  3. Re:Isn't this, "also Linux works round Samsung bug by ProfMobius · · Score: 5, Informative
    Agreed. From http://www.jakobheinemann.de/en/blog.html :

    The implementation in Samsungs UEFI shows some weird behavior. Error code EFI_INVALID_PARAMETER should only be returned, if one of the given pointers to variables is NULL and pointing to an invalid memory section. Samsungs implementation also throughs this error, if the given memory blocksize is not exactly 128 bytes, so for example (like the Linux-efivars module does) 1024 bytes. The Linux module does not expect the strange error code (it checks for NULL pointers itself) and does not report any UEFI variables, no boot entries, no nothing. The installer accepts that and installs the Linux boot entry into the first slot, where actually the boot entry for the setup is located - overwriting that entry! Setup is dead since Linux took its boot entry.

    It does look like the Samsung implementation is doing weird things and Linux is doing weird things in return because it is expecting it to follow standards...

    --
    EULA : By reading the above message, you agree that I now own your soul.
  4. Samsung's response? by harryjohnston · · Score: 3, Interesting

    Has anybody seen confirmation that Samsung will be repairing affected user's machines under warranty? Definitely a design fault, it should be impossible for software to brick hardware.

  5. Nothing Has Been Fixed With Samsung Laptops by segedunum · · Score: 5, Informative

    I don't know where people get that idea from. If you read the kernel people are just disabling the driver because the code is so utterly retarded. Samsung haven't done shit about it as is typical for Samsung.

  6. Samsung didn't follow the standard. Linux did. by raymorris · · Score: 4, Interesting

    Linux followed the IEFI standard. Samsung did not. Unambiguous foul on samsung.

    More specifically, Samsung tried to implement version 2 of the standard and advertised it as version 2, but accidentally left in code which required version 1 behavior. Additionally, if an OS implemented version 2, when Samsung's firmware got confused, it didn't throw the proper error message, but instead returned it's own address to be overwritten. So at least two failures on Samsung's part. Linux simply followed the standard as written.

  7. Re:Yeah by Microlith · · Score: 3, Informative

    It is not written into the UEFI spec. In fact, the UEFI specification makes no such statements with respect to it being possible to disable secure boot, only how it is supposed to work. That was done deliberately.

    The only reason you can even turn off secure boot on hardware now is because Microsoft caught shit for the first pass of their guidelines that left it up to OEMs whether or not users would be able to turn off secure boot. Had they left like that you can guarantee that Samsung et. al. would have locked every laptop and desktop they shipped with Windows 8 and you would never actually own your PC again.

    I bet Samsung is more pissed that Microsoft changed it so they had to allow for unlocks than they are at their own developers.