FreeBSD Team Begins Work On Booting On UEFI-Enabled Systems

← Back to Stories (view on slashdot.org)

FreeBSD Team Begins Work On Booting On UEFI-Enabled Systems

Posted by timothy on Sunday June 30, 2013 @05:51PM from the is-a-shim-a-shame? dept.

An anonymous reader writes "The FreeBSD project has begun the process of making it possible for the operating system to run alongside Windows 8 on a computer which has secure boot enabled." Linux distros have taken to using a minimal loader, signed by Microsoft, to enable booting on UEFI systems with secure boot. "Indeed we will likely take the Linux shim loader, put our own key in it, and then ask Microsoft to sign it," says developer Marshall McKusick in the linked IT Wire article. "Since Microsoft will have already vetted the shim loader code, we hope that there will be little trouble getting them to sign our version for us."

33 of 248 comments (clear)

Min score:

Reason:

Sort:

Well I'll be... by fustakrakich · 2013-06-30 17:59 · Score: 3, Informative

I did not know Microsoft won that battle.

--
“He’s not deformed, he’s just drunk!”
1. Re:Well I'll be... by kthreadd · 2013-06-30 18:03 · Score: 3, Funny
  
  Won what battle? There is no battle. They just managed to get their key into the hardware manufacturers and happen to conveniently sell access to that. Nothing stops anyone else from doing the same.
2. Re:Well I'll be... by Anonymous Coward · 2013-06-30 18:08 · Score: 3, Insightful
  
  Hahahahaha. The rich and poor are equally prohibited from sleeping under bridges... Free-market ideology induced brain damage at its best. Or was this sarcasm? Then I am sorry.
3. Re:Well I'll be... by icebike · 2013-06-30 18:26 · Score: 4, Informative
  
  No it defeats no point, and Microsoft is free to accept or deny just about anything. Properly implemented secure boot increases your security by letting you decide what the machine should boot and prevent it from booting unknown or potentially malware infected operating system. That is a good feature. It has nothing to do with preventing competition.
  Deciding that one, and only one company can sign shims, can't be considered anything but anticompetitive.
  Then, forcing that company to sign boot shims from Linux and FreeBsd to avoid illegal restraint of trade charges, pretty well eliminates any benefit the plan might have had. Is Microsoft going to sign every backroom version of Linux and every clone of FreeBsd, ot did the just pare down the competition teo a few major distros?
  
  --
  Sig Battery depleted. Reverting to safe mode.
4. Re:Well I'll be... by recoiledsnake · 2013-06-30 18:31 · Score: 4, Insightful
  
  You could start a signing company now, and if people trust you, they will add your keys, and you may even get traction from the OEMs. Nothing in secure boot prevents that except that no one wants to create a signing organization because they don't want to be bothered. In face Secure Boot MS Spec requires OEMs to enable users to add their own keys or even remove Microsoft's if they don't trust it.
  
  --
  This space for rent.
5. Re:Well I'll be... by Anonymous Coward · 2013-06-30 18:53 · Score: 3, Insightful
  
  And whoops, you just lost your license to distribute OEM Windows copies. How unfortunate. But that would never ever happen, right?
6. Re:Well I'll be... by SuricouRaven · 2013-06-30 19:18 · Score: 2
  
  For now.
  They dont 'have' to accept shim loaders. They are doing so for now, to minimise the backlash. There's no assurance they'll continue to do so in future, or (more likely) that they won't start imposing onerous requirements in the name of 'security' like mandating that any qualifying bootloader be incapable of loading an OS that allows unsigned drivers.
7. Re:Well I'll be... by Rockoon · 2013-06-30 20:28 · Score: 5, Insightful
  
  you just lost your license to distribute OEM Windows copies.
  No you didn't...
  
  ..you just lost Windows Certification.
  
  Another way to lose Windows Certification is not allowing the end user to disable Secure Boot.
  
  In other words, Windows Certification actually protects your rights.
  
  --
  "His name was James Damore."
8. Re:Well I'll be... by aaaaaaargh! · 2013-06-30 20:52 · Score: 2
  
  Properly implemented secure boot increases your security by letting you decide what the machine should boot
  
  Exactly. Secure boot is not properly implemented. A proper implementation would allow you to install anything you like after flipping a manual switch.
9. Re:Well I'll be... by nukenerd · 2013-06-30 21:05 · Score: 2
  
  [AC wrote] you just lost your license to distribute OEM Windows copies.
  [Rockoon wrote] No you didn't... ..you just lost Windows Certification.
  Amounts to the same thing. With the exception of a tiny niche market, OEMs cannot make a living by selling PCs without Windows at its bulk discounted price, nor without a Windows certification sticker on it. While it would not bother me, Joe Public just won't buy a PC unless they see "Designed for Windows" on it.. Withdrawing either of those priviledges are weapons Microsoft has to control the market.
10. Re:Well I'll be... by devent · 2013-06-30 22:16 · Score: 2
  
  > In other words, Windows Certification actually protects your rights.
  Only because it's currently in Microsoft's interests.
  And that come from the anri-competition fines from the EU.
  So you should thank the European Commission.
  http://en.wikipedia.org/wiki/European_Union_Microsoft_competition_case
  
  --
  http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
11. Re:Well I'll be... by Rockoon · 2013-06-30 22:24 · Score: 2
  
  OEMs cannot make a living by selling PCs without Windows at its bulk discounted price, nor without a Windows certification sticker on it.
  The only consumers that care about Windows Certification are enterprise customers...
  
  Seriously.. do you think your grandmother makes sure that the laptop has Windows Certification before she buys it?
  
  Translation: You really havent thought about this at all, but have just jumped at a shallow poorly considered excuse to hate at Microsoft again.
  
  --
  "His name was James Damore."
12. Re:Well I'll be... by Rockoon · 2013-06-30 22:29 · Score: 2
  
  Exactly. Secure boot is not properly implemented.
  
  Its properly implemented. you are just putting an undue amount of weight to the hand wavers that don't really have an argument:
  
  Te get windows certification, the end user must be able to:
  
  a) disable secure boot
  b) install their own keys
  
  What extra implementation restriction did you have in mind?
  
  --
  "His name was James Damore."
13. Re:Well I'll be... by RaceProUK · 2013-06-30 23:26 · Score: 2
  
  Why do the different Linux distributions need to get MS to accept those shims again ?
  They don't, but you can't put a price on convenience.
  
  --
  No colour or religion ever stopped the bullet from a gun
14. Re:Well I'll be... by moronoxyd · 2013-07-01 00:16 · Score: 2
  
  If the UEFI firmware is implemented correctly, it offers an option for someone with physical access to the machine to see a list of the keys, add and (probably) remove keys at will.
  Actually, if I'm not mistaken Microsoft demands this for machines to get the Windows 8-Logo.
15. Re:Well I'll be... by moronoxyd · 2013-07-01 00:27 · Score: 3, Informative
  
  Too bad the user can't manage his own hardware now. We're at the mercy of the mobo manufacturers, as they decide who's keys are trusted by default (ie microsoft ONLY). If I have to go to microsoft in order to be allowed to boot BSD on my own motherboard, then my property rights are being violated.
  You can deactivate secure boot.
  You can add other signing keys to the list used by the UEFI firmware.
  You can remove the Microsoft key.
  So what's your problem?
  Actually, Microsoft DEMANDS all these things from an OEM before they can put the niftly little 'designed for Windows 8' stickers on their machines.
16. Re:Well I'll be... by Gadget_Guy · 2013-07-01 01:04 · Score: 3, Informative
  
  Why do the different Linux distributions need to get MS to accept those shims again ?
  To make it easier to install the OS without having to require that people install keys. Since there would be a variety of interfaces in the different motherboards, it would make it difficult to write generic documentation to tell lay people what to do. That hardly makes for a plug-n-play experience, and brings us back to the good-old-days of overly complicated operating system installations.
Hmm... by Mirar · 2013-06-30 18:27 · Score: 2

...what is the point of secure boot again? Do we still have problems with MBR viruses?
1. Re:Hmm... by rmdashrf · 2013-06-30 19:13 · Score: 5, Informative
  
  And that attack vector can completely be negated by having the BIOS read-only by default, while only enabling updates when the user toggles a physical switch when the BIOS needs an update.
  
  --
  Nihil in publicum sputa.
Re:Why not promote motherboard manufacturers by Arker · 2013-06-30 18:28 · Score: 5, Interesting

It's UEFI, the Unified Extensible Firmware interface. EUFI is ExtraUterine Fetal Incubation. Very different things.
The motherboards they are shipping now have a simple disable. So there is no immediate fear of being unable to run Linux on the things. BUT you have to go in and disable it in BIOS which is just completely over the head of most computer users these days. You dont have to make it impossible to deter most people from using it, just a tiny hurdle will divert the herd.
Right now they are signing the certificates without a problem. But what will they do in a year or five or a decade? Building a business that relies on getting certs signed by MS doesnt seem wise long term. Of course no one thinks long term anymore... a small change in the law here, an easily fabricated incident using a signed bootloader to compromise a business there, and they could easily revoke these keys.
The other problem is that UEFI is actually really cool tech, we dont want to get rid of it. We want to be able to use it. I should be able to install my own key on my own motherboard so it will only load code that I sign personally. Rather than simply trusting MicroSoft or turning off a great security component that I already paid for and theoretically own.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Loophole by Todd+Knarr · 2013-06-30 18:47 · Score: 4, Interesting

My bet would be that Microsoft refuses to sign the loader, saying that they can only sign if the loader's coded to only load binaries signed by a trusted authority (ie. Microsoft) and that allowing a loader that can load untrusted (ie. unsigned or not signed by Microsoft) binaries compromises the security of the boot process.
Re:Why not promote motherboard manufacturers by Anonymous Coward · 2013-06-30 18:57 · Score: 5, Insightful

Conceptually, if the user has access physical access to the computer and the ability to plug shit in, your security is already gone.
Conceptually, 99.99% of computer users don't even need this kind of security in the first place, so why is it being forced on 100% of the new computers?
Conceptually UEFI won't stop a single virus which 100% of computer users face daily, and that IS a problem.
UEFI serves one and only one purpose. It makes it 'easier' to just continue using Windows and more difficult to use any other system.
Linux doesn't need UEFI. Nobody needs UEFI.
Stopped shilling lipstick on a pig.
Re:it already does by kthreadd · 2013-06-30 19:15 · Score: 2

Apple uses parts of the FreeBSD user land in OS X, and actual parts that works with the hardware and UEFI is not related to it.
Re:Windows has been using BSD code for over a deca by gavron · 2013-06-30 19:20 · Score: 5, Insightful

MS has the LICENSE to use BSD code.
They don't owe BSD anything.
Next time you're thinking of whether to license YOUR code using GPL or using something
that allows MS to use your stuff and give nothing back in return... remember this.
Ehud
needs a new installer..still by ThorGod · 2013-06-30 19:21 · Score: 2

I've tried both the newest PC-BSD and bsdinstall installers...and they leave a lot to be desired. :/

--
PS: I don't reply to ACs.
Re:Useless EFI by nukenerd · 2013-06-30 21:18 · Score: 4, Insightful

I don't see much of a problem - it only affects people who wants to dual boot and that is totally last century. Boot Linux and run Windows in a VM.
It is not to do with dual boot, it is to do with booting anything at all. This is a motherboard chip feature. Booting from a live CD will be impossible, and even if you wipe your HD, trying to install anything else will be impossible - if Secure Boot is enabled.

You can disable Secure Boot (FTTB, but I suspect MS will hope to clobber even that in the not too distant future), and I will myself. But it will deter people from trying out Linux tentatively and perhaps liking it. That's how I started, and MS hate people doing that.
Re:Why not promote motherboard manufacturers by SuricouRaven · 2013-06-30 21:25 · Score: 4, Informative

Just to clarify: UEFI is not the problem. It's just a replacement for the old BIOS system which addresses the decades of accumulated legacy bodging that is the PC. Secure Boot is a feature that UEFI enables. You can have UEFI without Secure Boot.
Re:haven't by aaaaaaargh! · 2013-06-30 21:32 · Score: 5, Insightful

Absolutely. Both Apple and Microsoft have long recognized that free operating systems are the biggest threat to their business models. Operating systems do not offer enough ways to stay ahead of competition by innovation, once the basic needs are fulfilled new features become mere gimmicks that might be nice to have but are not essential (see history of OS X).
Both Apple and Microsoft have a well-recorded history of anti-competitive business behavior and have in the past tried by all means to keep the application barrier up. In the 90s Java and Web-browsers were the biggest threats and they successfully averted these by tricky anti-competitive behavior. SCO tried to sue free operating systems out of existence and failed (so far, bogus patent law can change that and new law suits are in the drawer), now GNU/Linux has matured so well that it has become intolerable to Microsoft and Apple. Bear in mind that you can run many Windows programs in Wine already and that GNU/Linux has reached a certain usability threshold putting it roughly on a par with Windows XP in terms of software that end-consumers actually need (and GNU/Linux is much more stable).
The sole and only purpose of the current secure boot specification is to be the entry ticket to completely locked-down machines with completely locked-down whitelisted software that is only runnable and distributable by obtaining a key from Microsoft or Apple respectively and only with their blessings. That's the long-term goal.
The current, more modest goal is to make it hard for end-users to install another OS and hard to set up dual boot systems. Microsoft will then urge (=blackmail) hardware makers to produce more consumer boards that can run only Windows, and Apple will start to make their manufacturers produce OSX-only boards, while at the meantime urging manufacturers to sell more expensive motherboards that are not locked down so they can still claim they allow competition. For Microsoft, this is particularly important, because they need to make money with Windows and the "windows tax" is annoying more and more people. So they want to make sure that a board that runs GNU/Linux or BSD systems is more expensive (a 'pro feature', so to say) than a consumer board that only runs Windows plus the OEM fee for Windows. Microsoft is very desperate to keep their huge share of the dwindling desktop market, because they have already lost the mobile market.
This might all sound exaggerated to you now, but the fact is that these companies plan far more ahead than some people might think.
Re:Why not promote motherboard manufacturers by KingMotley · 2013-06-30 22:48 · Score: 2

Nobody needs UEFI
That's bullshit. I need UEFI. BIOS only allows a very limited set of space (384K) for hardware device BIOSes. I've hit that limit, as does most server admins because high performance devices use that space up very quickly. There is numerous other advantages to UEFI, but you'd need to take off your tin foil hat and actually learn about it for you to understand it. That or build a server. Then you'll be crying about why stuff doesn't work and how stupid BIOS really is and why there isn't something better out there.
Re:Windows has been using BSD code for over a deca by dfghjk · 2013-07-01 00:34 · Score: 2

You assume BSD is unhappy with this result. They are not...and the problem isn't MS using BSD's "stuff" and not giving anything back to BSD in return, it's not giving anything to YOU in return. BSD got precisely what they wanted in that transaction, you didn't.
Re:Why not promote motherboard manufacturers by petermgreen · 2013-07-01 02:15 · Score: 4, Informative

There is no reason that a traditional PC BIOS can't boot a 3TB drive. The bios just reads the first sector of the drive and runs the code, it doesn't need to care what type of partition table is used. So the 2TB limit of the DOS style partition table is irrelevent to the first stage of booting a PC. AIUI grub2 has no problems being booted by a traditional PC bios and then going on to read a GPT partition table and load linux from it.
The inability to boot windows on a 3TB GPT drive with a traditional PC bios is entirely microsoft's fault.

--
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Re:Why not promote motherboard manufacturers by gman003 · 2013-07-01 02:20 · Score: 3, Interesting

Or you can have a BIOS that addresses the decades of accumulated legacy bodging that is the PC, without UEFI.
Just put a BIOS that removes all the old cruft of the old BIOS, adds some new features, but is totally minimalistic.
That's what UEFI is - it drops old cruft (mainly ISA, AGP and such, IIRC), ups the minimum requirements (UEFI can assume some level of graphics support, so no more MDA text mode; likewise, it no longer runs in 16-bit mode), and extends functionality (booting off 2TB+ drives). They broke compatibility in a few places, but they did so, in part, to speed up boot times by moving functionality from the BIOS/UEFI to the OS.
UEFI, itself, is a big step forward. The only problem is the "Secure Boot", and honestly, the problem is currently theoretical (at least on x86 - ARM is a different story). Secure Boot itself is fine - as long as the user is allowed to add and remove keys, and can enable/disable it, it's at worst unneeded functionality.
Re:Why not promote motherboard manufacturers by evilviper · 2013-07-01 07:38 · Score: 2

UEFI can assume some level of graphics support, so no more MDA text mode
No it can't. Servers will still be restricted to text mode, because out-of-band management is commonly through IPMIv2, which supports text only, not graphics.
It's ironic that Microsoft is getting on-board with text-mode OS for their servers, while at the same time, Linux distros are going the wrong way and forcing GUI installers, using a pointless graphical splash screen for the bootloader, and other nonsense that helps no-one, but screws up serial and IPMI consoles.

and extends functionality (booting off 2TB+ drives).
Nope, I've been booting 2TB+ drive arrays for many years, with plain 16-bit BIOSes.

UEFI, itself, is a big step forward
Compared to the legacy BIOS, yes (though it comes with plenty of steps backwards, as well), but it's a big step backwards compared to every other firmware out there: LinuxBIOS/coreboot, OpenFirmware/OpenBoot, SRM firmware, etc. Just about ANYTHING out there would have been better than Intel's bloated UEFI.

--
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant