Linux Foundation's Secure Boot Pre-Bootloader Released

hypnosec writes "The Linux Foundation's UEFI Secure Boot pre-bootloader for independent Linux distros and software developers has finally been released. Announcing the release of the secure boot system James Bottomley noted that the signed pre-bootloader was delivered by Microsoft on February 6th. Bottomley has released two validated files: PreLoader.efi and HashTool.efi. Bottomley has also created a bootable mini-USB image that provides 'an EFI shell where the kernel should be and uses Gummiboot to boot.' Just last week the pre-bootloader had to be rewritten to accommodate booting of all versions of Linux."

What about *BSD?

[ad454]

This is great news for Linux distributions, and a small victory in the losing battle for openness.

But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

Everyone should be able to install and run whatever they want on their own computers.

Re:What about *BSD?

Incidentally.. Microsoft will have two keys. One for Windows, and another for "third party" stuff.

So they can revoke everyone's software and leave theirs working.

BTW: Anyone interested in the abuses that UEFI allows should read both the UEFI guidelines and the Microsoft Mandate (the rules they apply to OEMs for Win8 certs, and anyone wanting to have their software signed).

Microsoft's rules violate several of the guidelines - unsurprisingly those to do with who actually controls the PC.

Re:What about *BSD?

[cupantae]

the losing battle for openness

What losing battle? Open source software hasn't been as prevalent as it is now since proprietary software first arose. Linux, in particular, is in the strongest position it's ever been in, and it looks like 2013 will be a very big year for Linux. Sure, there are always setbacks like this, but look: it's been just over 3 months since Windows 8 began to be sold, and the problem is already almost completely solved.

But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

So you have time to whinge, but none to RTFA:

A signed pre-bootloader will allow for chain-loading of boot-loader of any other operating system thereby enabling users to install non-signed Linux distros on Windows 8 UEFI hardware.

Everyone should be able to install and run whatever they want on their own computers.

Yes, but not everyone should be able to install or run whatever they want on your computer. In fairness, UEFI goes some way towards securing your PC. Microsoft did well for the consumer in that respect. They're also a fairly ruthless company, and they're not going to go out of their way to make sure you can install rival operating systems from day 1. But today, at about day 100, the problem is a long way towards being solved. Get over it.

Re:What about *BSD?

[TCM]

No. In the spirit of openness, hopefully this bullshit will get eaten by the anti-monopoly regulation.

Giving in to this bullshit was the most stupid thing the Linux guys could do.

Re:What about *BSD?

[osu-neko]

Well, yes. UEFI can only make guidelines. Microsoft can impose rules...

Re:What about *BSD?

[dissy]

But today, at about day 100, the problem is a long way towards being solved. Get over it.

I interpreted it a little differently. Today at about day 100, Microsoft has won it's war against Linux.

Microsoft started by saying you don't want to use Linux because it's inferior, but they were easily shown to be wrong.

Then Microsoft turned to saying it was illegal to use Linux because it's a mess of copyrights and patents, as well as infected with a viral license that destroys businesses. It took a lawsuit a decade long with one of this countries top companies (at the time) to finally prove otherwise.

Now, today, Microsoft has finished by saying Linux can and will only exist at Microsoft's whim. They hold the keys to the kingdom, and can lock and unlock any OS as they see fit.
Please note I am not speaking of a technical measure, but a legal one.

Instead of having the UEFI key signing authority forced from Microsoft's hands and taken away by power of law, now we are humbly begging for permission to be allowed to use non-windows on our own computers, while also praying the check clears to buy that capability which should be a natural right.

Now I'm not trying to claim that would have been an easy battle, and I myself certainly have not put my own money life and future on the line to fight for it either.
But I still believe that battle not being won is what will make all those "Yeay tablets and phones, we are in the post PC era now!" predictions come true.

The FCC already went back on their fair use ruling about jailbreaking and being allowed to run the software you choose to run. If you didn't notice, only jailbreaking the iPhone is still an exception to the law. Do the same thing on another device that's just a bit bigger (an iPad) or made by any other manufacturer, and you are committing a federal crime.

If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

While no I do not trust Microsoft, I have to say I can't see myself trusting ANYONE with this power.
Signed booting absolutely MUST be controlled at the highest level by the owner of the computer. No one else!

This means there should be ZERO keys or certs installed by default, and it should be a very serious crime to try and sneak one in, similar to any other mass scale computer intrusion laws.

One should be required to learn how it works, why it works, what the advantages of signing your own boot loader would be, and then using that knowledge to enable it and upload your keys.
If someone can't do that, then clearly they don't need this feature.

Re:What about *BSD?

[AmiMoJo]

One issue that never seems to be mentioned but could be potentially huge is that the signed bootloader requires user interaction to boot. It was designed that way to prevent malware using the bootloader to silently root the OS, the very thing SecureBoot was designed to prevent.

It won't boot until you press a key to continue. Many Linux machines don't have any facility for that, either because they are a tablet with no physical keyboard or because they are a headless server with no-one around to operate them locally.

Re:What about *BSD?

[TangoMargarine]

It's all sensationalistic nonsense until it actually happens. Which seems to be just a matter of time and judicial incompetence. If you want to be optimistic about it, that's your own business, but I am NOT.

Yes, it makes it more difficult for the end user. But I'm sure somebody has made a quote about convenience and liberty at some point (Ben Franklin?). That's a wholly different argument.

This is bollocks

[Skiron]

All the time Microsoft have control, they will always have control.

Why don't people LEARN from history from how they operate?

This will all go horribly wrong, mark my words.

And I still do not understand how Microsoft get to control this.

Re:This is bollocks

[EdZ]

And I still do not understand how Microsoft get to control this.

For anything x86 based; they don't. They expressly require OEMs (and onyone else producing motherboards with a little Windows 8 sticker on the box) to allow the end user to add their own Secure Boot keys, as well as insert Microsoft's key. No end-user modification, no certification.

So what are various Linux distros getting bootloaders signed by Microsoft? Because they assume users are not competent enough to enter keys manually. Thus, they ask Microsoft (or take advantage of the service Microsoft offers) to sign their bootloader with Microsoft's preloaded key.

Re:This is bollocks

[darkHanzz]

And I still do not understand how Microsoft get to control this.

They talk directly to manufacturers, since windows is still installed by default. So the swing they have on the whole laptop market just became a bit more visible, it's always been there, however.

Re:This is bollocks

[Sarten-X]

It's not an issue of "competent". It's an issue of "willing".

A major source of Linux's desktop growth is the use of live CDs. Just drop in a disk at boot, and you've got yourself a working Linux desktop to play with and perhaps even like. You can see the filesystem's different layout, you can see each application's settings saved to plain old files, and you can see the package manager's simple installation of useful software. Perhaps you can even like it and decide to install. If not, there's no changes to your computer.

That's all changed now. Now, either you your computer must be prepared for Linux first, through some means of adding a new key. While not really beyond the average user's level of competence, it is beyond their level of ambition just to try "that Linux thing". The longstanding promise of "try it without changing anything" that has fueled trials isn't wholly true any more. Supposedly Windows' bootloader will let you boot unsigned CDs, but I've tried that three times with three failures on known-good disks, so I expect there's something screwey hidden in that route, and that doesn't really solve the problem of booting once the installation's complete.

To make matters worse, there's no standard mechanism for adding the boot key. One option is an BIOS-based tool, which with come with the typical polish of a motherboard manufacturer we've had on BIOS setups for years. Expect a keyboard-based menu with unique brand-specific names. Another option that might be viable in the future is a Windows tool to add a key, which will inspire Windows to raise scary warnings about compromising security and never starting again, which will do wonders for the user's confidence.

Microsoft surely knows that Secure Boot won't affect savvy nerds from converting to Linux. They also surely know that Linux is still growing organically, relying on word-of-mouth and firsthand try-before-you-buy experience. By requiring Secure Boot to be user-modifiable, they've thrown a roadblock in the path for Linux's growth, without looking like they're being blatantly nasty. They can keep exaggerating the threat of bootloader rootkits to justify locking everybody out, then point to the key-adding ability to dispel accusations of abusing their monopoly.

Re:This is bollocks

[EdZ]

Not only can you turn Secure Boot off (and add your own keys to the bootloader) for x86 devices, the end user MUST be able to do so in order to gain Windows 8 certification. No end-user configuration, no shiny windows sticker on the box (or windows pre-installation in the case of OEM systems).

Re:This is bollocks

[SuricouRaven]

The margin on most PCs is razor-thin. If they were required to buy a full Windows license, the cost of the machine to manufacture would shoot up by a hundred dollars. Microsoft provides heavily-discounted OEM edition licenses to OEMs, which they simply cannot do without: No OEM licenses, no business. So when Microsoft sets standards for that 'designed for Windows 8' sticker and the license discount that comes with it, OEMs have no option but to meet those standards. This gives MS the power to dictate a sweeping change. Sometimes something major, others something trivial like mandating an extra button on the keyboard.

Re:This is bollocks

[EdZ]

From the horse's mouth itself (the Windows 8 certification guidelines, specifically System.Fundamentals.Firmware.UEFISecureBoot para.17):

Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following: It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

Separately (Para.18):

Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.

Re:This is bollocks

[robsku]

Too bad I don't have mod points to +1 you - or -1 the bollocks you got as a result. Anyone claiming total UEFI lockdown on ARM is for security and has nada to do with blocking OtherOS is deluded - and anyone thinking MS wouldn't love to do just that with x86 but took slightly more moderate route because they are a monopoly at x86 desktop, and it would just be nasty for them if they had gone that way, is deluded.

What you describe is what's happening with the plan they had to settle with.

Re:This is bollocks

[ais523]

Because being able to turn it off doesn't necessarily mean you know how to do so. (It's likely to be buried in a settings menu during the boot process.) Just putting a CD in the drive and choosing "install", like you used to be able to do, won't work unless you reconfigure the UEFI first. So it's adding a bunch of extra steps to try out a new OS.

Re:This is bollocks

[westlake]

And I still do not understand how Microsoft get to control this.

Secure Boot became part of the UEFI spec in 2008-2009. (Rev 2.2)

The spec is managed by the UEFI Forum --- representing AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies. Unified EFI Forum

The Linux Foundation posted a "Power Point" presentation in October 2011: Making UEFI Secure Boot Work With Open Platforms

It comes down to this:

To successfully implement hardware level security in a mass market consumer product, it has to be enabled by default. The geek knows this is true, even if he doesn't like the implications.

Microsoft isn't going to yield on this point ---

and the geek has no leverage.

The OEM market for the x86 UEFI motherboard is OSX and Windows.

Great! Now let's boycott it.

[UltraZelda64]

Seriously, when Microsoft is paid for the key and they own the key into our computers, we've lost. Simple solution: Avoid ARM-based machines as long as Microsoft requires that no way exists to disable Secure Boot. By buying into this shit, we're just setting ourselves up to be fucked in the ass by Microsoft. I can't say anything good about the Linux Foundation for playing ball with these assholes either. Pre-bootloader, my ass--more like pre-pre-boot-extra-complexity-nightmare, thanks to Microsoft. Having to use this would be a disgrace; that alone should be enough to get people to buy more compatible hardware (but won't be).

Re:Great! Now let's boycott it.

[Microlith]

This does nothing for ARM machines. Microsoft won't sign anything other than their own software to boot on certified Windows RT devices.

Re:Great! Now let's boycott it.

[Kjella]

Seriously, when Microsoft is paid for the key and they own the key into our computers, we've lost. Simple solution: Avoid ARM-based machines as long as Microsoft requires that no way exists to disable Secure Boot.

Uhh this isn't about ARM, Microsoft doesn't allow any third party OS on their ARM machines period. This is if you want any x86 machine shipping with Windows 8 and the "Designed for Windows 8" label to boot any other OS without finding the obscure and non-standard way to disable Secure Boot in UEFI (the new BIOS). At least in this incarnation you can always disable it yourself (again, only on x86), but I smell a Darth Vader quote coming as in "I'm altering the deal. Pray that I do not alter it further." But there's really no way to boycott Secure Boot without boycotting all machines with Win8 preinstalled, which has a snowball's chance in hell of working. What you'd really want is Linux preinstalled laptops, but they're still very few and far between. Desktops are less of an issue because you can always build from parts, or have one built for you.

Re:only

[K.+S.+Kyosuke]

That sort of doesn't make sense, the kernel is in full control of the whole physical memory, and once you boot the kernel, it's perfectly free to recreate its state and that of all running processes.

Enough is enough

[benjymouse]

Microsoft surely knows that Secure Boot won't affect savvy nerds from converting to Linux. They also surely know that Linux is still growing organically, relying on word-of-mouth and firsthand try-before-you-buy experience.

You are seriously delusional. "Converting" to Linux is not, has never been and will never become a threat to Microsoft. Right now Microsoft is pressured on other fronts, such as desktop PC losing relevance, not being on the boat on mobile and not competing effectively in the tablet game.

You are trying to wage last decades battle. Microsoft does not feel threatened by Linux on the desktop *at* *all*. Get real. The threats to Microsoft do not come from conversions in the x86 space, the come from vertical players and mobile, like Chromebooks, tablets, smartphones.

Note how *all* of these emerging platforms have more restricted app models, and especially *boot* models. Microsoft is simply evolving their primary platform to match the features and security (from closed and semi-closed gardens) of the threatening platforms.

The threat to Microsofts desktop business is *not* Linux. Even though Linux has evolved in that space and on the surface appears to be able to go head-to-head, Microsoft Windows is still *much* more mature than any desktop Linux. Consider for instance group policies, restart manager, volume shadow service, various troubleshooting guides, shims for both application and device compatibility etc. The real threat is that the desktop become irrelevant.

If the desktop is perceived as less secure than an online counterpart, Microsoft will be losing. They *need* to ensure secure boot. It is not a anti-Linux move at all. You are flattering yourself. And being stupid.

Re:Enough is enough

[corvax]

Even if it wasnt intentional (i doubt it) what this does do is make it just a little bit harder to install linux. And makes microsoft the gatekeeper of YOUR hardware. What happens to ALOT of old windows pc's? They get linux installed on them to give them a few more years of usefulness = a loss of revenue for microsoft. Even if it is a small percentage its not enough microsoft would be much happier if the percentage was ZERO......

Re:Enough is enough

I agree with most of your points, however I feel Microsoft is its own biggest threat. Them fucking around with all sorts of shit in Windows is going to drive people away. I number of changes since WinXP have irritated me, but I have stuck with Windows until now.

I recently bought a new laptop (Lenovo x230). I upgraded the storage myself - to use an mSATA SSD for the operating systems. After spending hours trying to get Win8 installed (no OS DVD provided) I gave up, it was the last straw. The UEFI stuff was a pain in the ass, but managed to get Arch Linux up and running comapartively easily.

I have been tinkering with Linux for a number of years, but it finally took Windows 8 to drive me to Linux full time & I couldn't be happier. This is the first computer I have owned without Windows installed on any partition - it was nerve-wracking at first, but now wish I had made the move sooner.

Re:Enough is enough

[nzac]

Consider for instance group policies, restart manager, volume shadow service, various troubleshooting guides, shims for both application and device compatibility

I don't think Linux has a nice "clicky" interface to any of these things but to suggest that it does not have solid equivalents to the first 3 (the rest appear to assume Linux has the same problems as Windows).
Group polices are probably difficult to fully replicate on Linux but its due to flaws in windows that it even needs a restart manager. Maybe SSV is more permission friendly than LVM also.
You are just another windows user who assumes that a proper OS should function the same Windows. There are better lists than this for things Linux is missing on the desktop but the one is the lack of third party applications.

Re:Enough is enough

[AmiMoJo]

Note how *all* of these emerging platforms have more restricted app models, and especially *boot* models.

Chromebooks will boot anything you like, including Linux and Windows. Android devices from Google have unlocked bootloaders that will boot anything, including Ubuntu for phones, and the OS itself allows installation of apps from any source without any signing requirement at all.

Android is also the most popular mobile OS. Google learned the lessons from history that others did not: the most open platform usually wins. Betamax vs. VHS. MiniDisc vs. CD-R. MemoryStick vs. SD card. Amiga/Atari/Sinclair/Amstrad vs. IBM PC clones. Proprietary Unix vs. Linux/BSD. Windows RT is doomed to failure by nature of being too closed an ecosystem.

I'm still wondering...

[QuietLagoon]

... why Microsoft is the gatekeeper for what OS's are allowed to boot on the computers I buy.

Re:only

[SuricouRaven]

True. Except that it can be used to bypass secure boot:
1. Boot secure OS.
2. Hack it, get root.
3. Write hibernate image to the drive containing your hacked kernel, which includes disabling of the code to delete the image after use.
4. Trigger reboot.
5. Pwnage.

It'd take some very impressive skill to do that - it isn't something you could just make a script-kiddie toolbox for. The only way to prevent this is for the kernel to use TPM hardware to sign the boot image. As this isn't yet an option, it's debated if Secure Boot linux should also disable hibernation, in order to be strictly compliant, even though it introduces much user annoyance to provide protection against an attack that would be near-impossible for even the best hacker to pull off.

Its NOT Microsoft

[ArchieBunker]

Nobody ever brings this up but me. Guess who else is in the UEFI group?

AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies

*sigh*

[ArchieBunker]

To quote Wikipedia "The board of directors includes representatives from eleven "Promoter" companies: AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies."

No its not just Microsoft.

Re:Will dell systems be able to use this or will M

[gtall]

In a sense, they do not own a piece of Dell. From what I understand, they contributed some dough as a loan and I have not heard they will have anyone on the board. Dell cannot live on the desktop market, in the server market they cannot ignore Linux.

This doesn't stop MS from using its usual bag of dirty tricks, but if Dell has any sense and balls, he'll keep MS away from actually running the business.

Re:only

[osu-neko]

True. Except that it can be used to bypass secure boot:
1. Boot secure OS.

Easy, assuming Microsoft operating systems are defined as a "secure OS", which they are for purposes of secure boot, despite all evidence to the contrary.

2. Hack it, get root.

Easy, assuming a Microsoft OS again...

3. Write hibernate image to the drive containing your hacked kernel, which includes disabling of the code to delete the image after use.

No need to disable such. Once you're at the stage of "waking" into a hacked kernel to boot, you can just write a new image each reboot, becoming how you always boot from then on. In any case, the only real trick here, regardless of which way you decide to handle reboots, is writing a hibernate image and hacking the on-disk kernel in the image. Is this really any more difficult than hacking a kernel in memory? Indeed, isn't it easier?

4. Trigger reboot.

Yup... trivial... once you get past step 3, the machine is pwnt...

It'd take some very impressive skill to do that - it isn't something you could just make a script-kiddie toolbox for.

Anything that you can do, you can make a script-kiddie toolbox for. The person who makes the toolbox obviously has more impressive skills than a script-kiddie, but that's pretty much always the case. This is not the easiest hack in the world, but I would say calling this "near-impossible" is extreme hyperbole.

Re:So, other than anticompetition...

[blauregen]

As I understood it, the reason for uefi was being able to boot from big harddisks, having prettier hardware-setting-screens, having a builtin network stack for remote maintenance, and so on. It is questionable whether it was necessary to specify pretty much a complete operating system including cli, just to run another OS, and the recent samsung brick fun, is a good hint that manufacturers will need a few years to iron even the bigger kinks out of their implementation, but uefi itself is in theory not without merits.

The reason for secure boot isn't bios-malware, but boot malware. There are a few of those around, as far as I know. The problem with boot-rootkits would be that they can play hypervisor to your OS, which hides them perfectly from software running under it. The idea with trusted boot, again as far as I understood, would be to have a trusted bootloader, which loads a trusted kernel, which in turn loads trusted drivers and trusted applications, the trust being conveyed by signatures.

Only... you have to start at the bottom, which is the bootloader, if you aim for such a chain of trust.

Re:why rely on microsoft

[fikx]

The problem is even if they "do their job" how much can they do? Microsoft has the advantage of motherboard makers coming to THEM to get a key. On the other hand the Linux Foundation would have to seek out Motherboard makers large and small and convince them to add their key. It's not do-able to get all of them to agree even with unlimited time and energy.
The issue is, what keys come with the motherboard. for now, Microsoft guaranteed. So, the obvious short term solution (although problems like everyone has mentioned) is to ask nicely to use one of the keys that is already going to be on the board. Just not a long term solution, but at lest it lets us continue to have the option of booting Linux in some form without bypassing the boot security (as some have described it: without having to prepare, using MB maker's inconsistent and buggy tools and methods ). And booting demo/live disks relies on not preparing the MB before booting (at least for a lot of uses for live CD's)

Re:only

[VortexCortex]

True. Except that it can be used to bypass secure boot: 1. Boot secure OS. 2. Hack it, get root. 3. Write hibernate image to the drive containing your hacked kernel, which includes disabling of the code to delete the image after use. 4. Trigger reboot. 5. Pwnage.

OK, I get where you're coming from, but you fail to see that Secure Boot and TPM are completely pointless endeavors, and they're FULL of holes because the OSes are FULL of holes. If there's a mistake in the kernel code that allows a root level exploit to happen then it can simply be re-exploited each time you boot your system, see? No need to mess with the boot-up files. Even if your CPU is running encrypted instructions of signed programs once you find some data that triggers a buffer overflow, you can simply use return oriented programming to build the exploit. This means your exploit is built out of "op codes" of data that jump from one existing piece of signed and encrypted code to another -- You don't even need to know what the code is that's executing, you just log the changes in state the locations perform, and these become your (complex) operations with which to build the exploit. This already exists, it's not hypothetical. Return Oriented Programming is made out of existing code, even if it's signed and encrypted. SecureBoot is pointless so long as kernels have mistakes that allow unexpected stack smashing, or heap function pointer overwriting. There doesn't seem to be any way to prevent the mistakes, since your human race tends to make mistakes. SecurityTheaterBoot is a more apt. name for it.

Ah, but if the kernels could be written correctly -- with no mistakes -- then there would be no exploit vectors to exploit, and thus absolutely no reason for Secure Boot to exist. It's pointless from a security perspective, it serves primarily to make it harder for users to install alternate OSs. That's all. SecureBoot should be considered harmful and avoided if possible.

It'd take some very impressive skill to do that - it isn't something you could just make a script-kiddie toolbox for.

NO, that's just wrong. Do you even know what you're talking about? Yes, it takes more skill than a script-kiddie currently has, but it just takes one skilled hacker to crack the system and add the exploit to an exploit tool kit then the script-kiddie toolbox would contain the impressive exploit.

What? Exploits aren't impressive anymore once they've been automated? Gimme a break man. This happens all the time, it's HOW script kiddies even exist. Ugh, sorry, but your words reek of ignorance -- It's like you don't even comprehend what your words imply (by your logic script kiddies wouldn't exist).

The only way to prevent this is for the kernel to use TPM hardware to sign the boot image. As this isn't yet an option, it's debated if Secure Boot linux should also disable hibernation, in order to be strictly compliant, even though it introduces much user annoyance to provide protection against an attack that would be near-impossible for even the best hacker to pull off.

"Only" -- That word shouldn't be used lightly, because it tries hard to make you a fool, every time. What if we put Linux in the BIOS firmware. The PC turns on and is running Linux. Firmware can check its hash / fingerprint matches the install image on boot, like it does already, (even CMOS checksums for integrity), without requiring anyone to be in bed with a flawed PKI model run by Microsoft. If we simply give users an option in the BIOS boot menu that says: "Enable OS install on next boot", and it would flash part of the firmware with the /boot/ data. That would be TONS simpler than entering a long hex code that they're going to fuck up, and to bypass this unencrypted method of booting securely would require entering BIOS and changing a setting (or cracking BIOS security) -- Which is exactly the same as with Secure boot.

If the OS w