Slashdot Mirror

← Back to Stories (view on slashdot.org)

FreeBSD Team Begins Work On Booting On UEFI-Enabled Systems

Posted by timothy on from the is-a-shim-a-shame? dept.

An anonymous reader writes "The FreeBSD project has begun the process of making it possible for the operating system to run alongside Windows 8 on a computer which has secure boot enabled." Linux distros have taken to using a minimal loader, signed by Microsoft, to enable booting on UEFI systems with secure boot. "Indeed we will likely take the Linux shim loader, put our own key in it, and then ask Microsoft to sign it," says developer Marshall McKusick in the linked IT Wire article. "Since Microsoft will have already vetted the shim loader code, we hope that there will be little trouble getting them to sign our version for us."

19 of 248 comments (clear)

  1. Well I'll be... by fustakrakich · · Score: 3, Informative

    I did not know Microsoft won that battle.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Well I'll be... by kthreadd · · Score: 3, Funny

      Won what battle? There is no battle. They just managed to get their key into the hardware manufacturers and happen to conveniently sell access to that. Nothing stops anyone else from doing the same.

    2. Re:Well I'll be... by Anonymous Coward · · Score: 3, Insightful

      Hahahahaha. The rich and poor are equally prohibited from sleeping under bridges... Free-market ideology induced brain damage at its best. Or was this sarcasm? Then I am sorry.

    3. Re:Well I'll be... by icebike · · Score: 4, Informative

      No it defeats no point, and Microsoft is free to accept or deny just about anything. Properly implemented secure boot increases your security by letting you decide what the machine should boot and prevent it from booting unknown or potentially malware infected operating system. That is a good feature. It has nothing to do with preventing competition.

      Deciding that one, and only one company can sign shims, can't be considered anything but anticompetitive.

      Then, forcing that company to sign boot shims from Linux and FreeBsd to avoid illegal restraint of trade charges, pretty well eliminates any benefit the plan might have had. Is Microsoft going to sign every backroom version of Linux and every clone of FreeBsd, ot did the just pare down the competition teo a few major distros?

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re:Well I'll be... by recoiledsnake · · Score: 4, Insightful

      You could start a signing company now, and if people trust you, they will add your keys, and you may even get traction from the OEMs. Nothing in secure boot prevents that except that no one wants to create a signing organization because they don't want to be bothered. In face Secure Boot MS Spec requires OEMs to enable users to add their own keys or even remove Microsoft's if they don't trust it.

      --
      This space for rent.
    5. Re:Well I'll be... by Anonymous Coward · · Score: 3, Insightful

      And whoops, you just lost your license to distribute OEM Windows copies. How unfortunate. But that would never ever happen, right?

    6. Re:Well I'll be... by Rockoon · · Score: 5, Insightful

      you just lost your license to distribute OEM Windows copies.

      No you didn't...

      ..you just lost Windows Certification.

      Another way to lose Windows Certification is not allowing the end user to disable Secure Boot.

      In other words, Windows Certification actually protects your rights.

      --
      "His name was James Damore."
    7. Re:Well I'll be... by moronoxyd · · Score: 3, Informative

      Too bad the user can't manage his own hardware now. We're at the mercy of the mobo manufacturers, as they decide who's keys are trusted by default (ie microsoft ONLY). If I have to go to microsoft in order to be allowed to boot BSD on my own motherboard, then my property rights are being violated.

      You can deactivate secure boot.
      You can add other signing keys to the list used by the UEFI firmware.
      You can remove the Microsoft key.

      So what's your problem?
      Actually, Microsoft DEMANDS all these things from an OEM before they can put the niftly little 'designed for Windows 8' stickers on their machines.

    8. Re:Well I'll be... by Gadget_Guy · · Score: 3, Informative

      Why do the different Linux distributions need to get MS to accept those shims again ?

      To make it easier to install the OS without having to require that people install keys. Since there would be a variety of interfaces in the different motherboards, it would make it difficult to write generic documentation to tell lay people what to do. That hardly makes for a plug-n-play experience, and brings us back to the good-old-days of overly complicated operating system installations.

  2. Re:Why not promote motherboard manufacturers by Arker · · Score: 5, Interesting

    It's UEFI, the Unified Extensible Firmware interface. EUFI is ExtraUterine Fetal Incubation. Very different things.

    The motherboards they are shipping now have a simple disable. So there is no immediate fear of being unable to run Linux on the things. BUT you have to go in and disable it in BIOS which is just completely over the head of most computer users these days. You dont have to make it impossible to deter most people from using it, just a tiny hurdle will divert the herd.

    Right now they are signing the certificates without a problem. But what will they do in a year or five or a decade? Building a business that relies on getting certs signed by MS doesnt seem wise long term. Of course no one thinks long term anymore... a small change in the law here, an easily fabricated incident using a signed bootloader to compromise a business there, and they could easily revoke these keys.

    The other problem is that UEFI is actually really cool tech, we dont want to get rid of it. We want to be able to use it. I should be able to install my own key on my own motherboard so it will only load code that I sign personally. Rather than simply trusting MicroSoft or turning off a great security component that I already paid for and theoretically own.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  3. Loophole by Todd+Knarr · · Score: 4, Interesting

    My bet would be that Microsoft refuses to sign the loader, saying that they can only sign if the loader's coded to only load binaries signed by a trusted authority (ie. Microsoft) and that allowing a loader that can load untrusted (ie. unsigned or not signed by Microsoft) binaries compromises the security of the boot process.

  4. Re:Why not promote motherboard manufacturers by Anonymous Coward · · Score: 5, Insightful

    Conceptually, if the user has access physical access to the computer and the ability to plug shit in, your security is already gone.

    Conceptually, 99.99% of computer users don't even need this kind of security in the first place, so why is it being forced on 100% of the new computers?

    Conceptually UEFI won't stop a single virus which 100% of computer users face daily, and that IS a problem.

    UEFI serves one and only one purpose. It makes it 'easier' to just continue using Windows and more difficult to use any other system.

    Linux doesn't need UEFI. Nobody needs UEFI.

    Stopped shilling lipstick on a pig.

  5. Re:Hmm... by rmdashrf · · Score: 5, Informative

    And that attack vector can completely be negated by having the BIOS read-only by default, while only enabling updates when the user toggles a physical switch when the BIOS needs an update.

    --
    Nihil in publicum sputa.
  6. Re:Windows has been using BSD code for over a deca by gavron · · Score: 5, Insightful

    MS has the LICENSE to use BSD code.

    They don't owe BSD anything.

    Next time you're thinking of whether to license YOUR code using GPL or using something
    that allows MS to use your stuff and give nothing back in return... remember this.

    Ehud

  7. Re:Useless EFI by nukenerd · · Score: 4, Insightful

    I don't see much of a problem - it only affects people who wants to dual boot and that is totally last century. Boot Linux and run Windows in a VM.

    It is not to do with dual boot, it is to do with booting anything at all. This is a motherboard chip feature. Booting from a live CD will be impossible, and even if you wipe your HD, trying to install anything else will be impossible - if Secure Boot is enabled.

    You can disable Secure Boot (FTTB, but I suspect MS will hope to clobber even that in the not too distant future), and I will myself. But it will deter people from trying out Linux tentatively and perhaps liking it. That's how I started, and MS hate people doing that.

  8. Re:Why not promote motherboard manufacturers by SuricouRaven · · Score: 4, Informative

    Just to clarify: UEFI is not the problem. It's just a replacement for the old BIOS system which addresses the decades of accumulated legacy bodging that is the PC. Secure Boot is a feature that UEFI enables. You can have UEFI without Secure Boot.

  9. Re:haven't by aaaaaaargh! · · Score: 5, Insightful

    Absolutely. Both Apple and Microsoft have long recognized that free operating systems are the biggest threat to their business models. Operating systems do not offer enough ways to stay ahead of competition by innovation, once the basic needs are fulfilled new features become mere gimmicks that might be nice to have but are not essential (see history of OS X).

    Both Apple and Microsoft have a well-recorded history of anti-competitive business behavior and have in the past tried by all means to keep the application barrier up. In the 90s Java and Web-browsers were the biggest threats and they successfully averted these by tricky anti-competitive behavior. SCO tried to sue free operating systems out of existence and failed (so far, bogus patent law can change that and new law suits are in the drawer), now GNU/Linux has matured so well that it has become intolerable to Microsoft and Apple. Bear in mind that you can run many Windows programs in Wine already and that GNU/Linux has reached a certain usability threshold putting it roughly on a par with Windows XP in terms of software that end-consumers actually need (and GNU/Linux is much more stable).

    The sole and only purpose of the current secure boot specification is to be the entry ticket to completely locked-down machines with completely locked-down whitelisted software that is only runnable and distributable by obtaining a key from Microsoft or Apple respectively and only with their blessings. That's the long-term goal.

    The current, more modest goal is to make it hard for end-users to install another OS and hard to set up dual boot systems. Microsoft will then urge (=blackmail) hardware makers to produce more consumer boards that can run only Windows, and Apple will start to make their manufacturers produce OSX-only boards, while at the meantime urging manufacturers to sell more expensive motherboards that are not locked down so they can still claim they allow competition. For Microsoft, this is particularly important, because they need to make money with Windows and the "windows tax" is annoying more and more people. So they want to make sure that a board that runs GNU/Linux or BSD systems is more expensive (a 'pro feature', so to say) than a consumer board that only runs Windows plus the OEM fee for Windows. Microsoft is very desperate to keep their huge share of the dwindling desktop market, because they have already lost the mobile market.

    This might all sound exaggerated to you now, but the fact is that these companies plan far more ahead than some people might think.

  10. Re:Why not promote motherboard manufacturers by petermgreen · · Score: 4, Informative

    There is no reason that a traditional PC BIOS can't boot a 3TB drive. The bios just reads the first sector of the drive and runs the code, it doesn't need to care what type of partition table is used. So the 2TB limit of the DOS style partition table is irrelevent to the first stage of booting a PC. AIUI grub2 has no problems being booted by a traditional PC bios and then going on to read a GPT partition table and load linux from it.

    The inability to boot windows on a 3TB GPT drive with a traditional PC bios is entirely microsoft's fault.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  11. Re:Why not promote motherboard manufacturers by gman003 · · Score: 3, Interesting

    Or you can have a BIOS that addresses the decades of accumulated legacy bodging that is the PC, without UEFI.
    Just put a BIOS that removes all the old cruft of the old BIOS, adds some new features, but is totally minimalistic.

    That's what UEFI is - it drops old cruft (mainly ISA, AGP and such, IIRC), ups the minimum requirements (UEFI can assume some level of graphics support, so no more MDA text mode; likewise, it no longer runs in 16-bit mode), and extends functionality (booting off 2TB+ drives). They broke compatibility in a few places, but they did so, in part, to speed up boot times by moving functionality from the BIOS/UEFI to the OS.

    UEFI, itself, is a big step forward. The only problem is the "Secure Boot", and honestly, the problem is currently theoretical (at least on x86 - ARM is a different story). Secure Boot itself is fine - as long as the user is allowed to add and remove keys, and can enable/disable it, it's at worst unneeded functionality.