FreeBSD Team Begins Work On Booting On UEFI-Enabled Systems

An anonymous reader writes "The FreeBSD project has begun the process of making it possible for the operating system to run alongside Windows 8 on a computer which has secure boot enabled." Linux distros have taken to using a minimal loader, signed by Microsoft, to enable booting on UEFI systems with secure boot. "Indeed we will likely take the Linux shim loader, put our own key in it, and then ask Microsoft to sign it," says developer Marshall McKusick in the linked IT Wire article. "Since Microsoft will have already vetted the shim loader code, we hope that there will be little trouble getting them to sign our version for us."

Why not promote motherboard manufacturers

[future+assassin]

who dont have or build motherboards that can disable EUFI. Seems to me like there's a great market for non EUFI mother boards that can target Linux/Unix users.

Re:Why not promote motherboard manufacturers

[Arker]

It's UEFI, the Unified Extensible Firmware interface. EUFI is ExtraUterine Fetal Incubation. Very different things.

The motherboards they are shipping now have a simple disable. So there is no immediate fear of being unable to run Linux on the things. BUT you have to go in and disable it in BIOS which is just completely over the head of most computer users these days. You dont have to make it impossible to deter most people from using it, just a tiny hurdle will divert the herd.

Right now they are signing the certificates without a problem. But what will they do in a year or five or a decade? Building a business that relies on getting certs signed by MS doesnt seem wise long term. Of course no one thinks long term anymore... a small change in the law here, an easily fabricated incident using a signed bootloader to compromise a business there, and they could easily revoke these keys.

The other problem is that UEFI is actually really cool tech, we dont want to get rid of it. We want to be able to use it. I should be able to install my own key on my own motherboard so it will only load code that I sign personally. Rather than simply trusting MicroSoft or turning off a great security component that I already paid for and theoretically own.

Re:Why not promote motherboard manufacturers

[gman003]

Or you can have a BIOS that addresses the decades of accumulated legacy bodging that is the PC, without UEFI.
Just put a BIOS that removes all the old cruft of the old BIOS, adds some new features, but is totally minimalistic.

That's what UEFI is - it drops old cruft (mainly ISA, AGP and such, IIRC), ups the minimum requirements (UEFI can assume some level of graphics support, so no more MDA text mode; likewise, it no longer runs in 16-bit mode), and extends functionality (booting off 2TB+ drives). They broke compatibility in a few places, but they did so, in part, to speed up boot times by moving functionality from the BIOS/UEFI to the OS.

UEFI, itself, is a big step forward. The only problem is the "Secure Boot", and honestly, the problem is currently theoretical (at least on x86 - ARM is a different story). Secure Boot itself is fine - as long as the user is allowed to add and remove keys, and can enable/disable it, it's at worst unneeded functionality.

Loophole

[Todd+Knarr]

My bet would be that Microsoft refuses to sign the loader, saying that they can only sign if the loader's coded to only load binaries signed by a trusted authority (ie. Microsoft) and that allowing a loader that can load untrusted (ie. unsigned or not signed by Microsoft) binaries compromises the security of the boot process.