Slashdot Mirror


Ask Slashdot: Establishing Procurement Policies Regarding Secure Boot?

New submitter Firx writes: My university department has a tradition of selling its used computers and/or repurposing them with Linux for graduate students and science computer labs. With Windows no longer requiring one be able to disable secure boot, my department is writing up a procurement policy to ensure future machines we buy will still have this feature. Part of the draft motion reads: "Be it resolved that computers running or intending to run Microsoft Windows purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot features for both local hard drive and network booting." Is there something further we should be including here and what is the best way to explain the need for this policy to colleagues less technically literate?

104 comments

  1. Add a test by gweihir · · Score: 4, Informative

    Require it, for example, to be installable with Linux with the "current version of the stable Debian installer" at the time of purchase. For an individual contract, that version needs to be specified, of course. This way you have at least somebody to blame if it later turns out this does not work.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Add a test by mysidia · · Score: 5, Insightful

      Require it, for example, to be installable with Linux with the "current version of the stable Debian installer" at the time of purchase.

      (1) Test1: Netboot to CloneZilla Live Image.
      (2) Test2: Boot system from IT Rescue USB Stick
      (3) Test3: Debian installer from CD and Boot to OS from hard drive following installation

      All 3 tests must pass for each system.

    2. Re:Add a test by Anonymous Coward · · Score: 0

      On what planet do you expect a university to do this for every computer bought? Having been at several universities, it's rare for them to even get around to tagging purchased computers as university property.

    3. Re:Add a test by mattventura · · Score: 4, Informative

      You don't have to do it for every single PC purchase, just once for each model.

    4. Re:Add a test by Anonymous Coward · · Score: 0

      So let's say I'm a professor working on research at this university of yours, and I want a new model, or a new configuration, that hasn't been tested at the school before. Do I have to pay for the IT department to buy the first one for testing? Or are you telling me that I just can't buy it because some idiot in IT says they don't want to bother with this test? Yea, you're going to have a revolt on your hands... anyone that's any good will either completely ignore you or leave.

      Reminds me of this university where they suggest that all passwords get changed and all laptops wiped for any foreign travel whatsoever by anyone on campus. There may be some people working on sensitive things that want to be a bit careful when they travel to China or Russia, but do they really expect an English teacher going from the US to Canada to reformat the hard drive because they drove a few hours away? Sure....

    5. Re:Add a test by Anonymous Coward · · Score: 0

      Assuming the laptop has a SSD:

      Boot USB flash drive
      Type in "blkdiscard -s /dev/sda".
      Done. Laptop wiped.

      It would be interesting for DBAN to have this functionality as well.

    6. Re:Add a test by sjames · · Score: 2

      What if IT doesn't want to bother with the purchase at all? What if all major couriers including USPS up and quit? What if a solar flare wipes out civilization before it arrives?

      I would imagine there would be some sort of requirement listed in the P.O.

    7. Re:Add a test by wbr1 · · Score: 1

      Until a minor model change or UEFI BIOS update.

      --
      Silence is a state of mime.
    8. Re:Add a test by ZipK · · Score: 1

      So let's say I'm a professor working on research at this university of yours, and I want a new model, or a new configuration, that hasn't been tested at the school before. Do I have to pay for the IT department to buy the first one for testing? Or are you telling me that I just can't buy it because some idiot in IT says they don't want to bother with this test?

      Standard practice would have you ordering off a punch list developed by your school's procurement group. In the exceptional case that you need to order something other than the preconfigured models, you would get an exception from testing.

    9. Re:Add a test by castionsosa · · Score: 1

      One reason companies buy from Dell and HP is that models don't change. I buy a DL380 G9, I get a DL380G8, and I know what it will have onboard. This is why a lot of companies specify certain models and configs, with special exceptions given for items that are not on this list.

      Minor updates tend to get enterprise customers very irritable, especially in environments where each computer has to be virtually identical, or else it becomes an administrative nightmare, especially for having parts on hand (usually local drives used for loading ESXi, power supplies, RAM, etc.)

      The nice thing about the enterprise level is that newer machines use UEFI... but it is quite easy to turn off (and oftentimes, is disabled with MBR emulation the default until changed.) If you want Secure UEFI, you turn it on via the BIOS screen, or the web page on the iDRAC/iLO controller.

    10. Re: Add a test by Anonymous Coward · · Score: 0

      But, what if the student wants one of the other languages to boot? You require Debian, which would lock you out of even other versions of Linux? Why not state multi-boot capable. Then carry several live disks to test.

    11. Re: Add a test by Anonymous Coward · · Score: 0

      If a PC can be booted with Debian, one of the most meticulously open-sourced distributions, it can certainly be made to run other Linux distributions. OP's proposal is a lot more reasonable for procurement to satisfy than yours.

    12. Re:Add a test by Anonymous Coward · · Score: 0

      In the exceptional case that you need to order something other than the preconfigured models, you would get an exception from testing.

      So, if you want to go off your list, absolutely no problem? Stupid meaningless list, then.

    13. Re:Add a test by Anonymous Coward · · Score: 0

      What if IT doesn't want to bother with the purchase at all? What if all major couriers including USPS up and quit? What if a solar flare wipes out civilization before it arrives?

      Good luck dealing with any engineering department.

      Also, as someone applying for professor jobs, I swear such an IT policy would be sufficient to make me walk out of an interview.

    14. Re:Add a test by gweihir · · Score: 1

      Are you functionally illiterate or just plain stupid? Why do you think I said "For an individual contract, that version needs to be specified, of course."?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Add a test by gweihir · · Score: 1

      Then I hope very much you do not get any offers.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:Add a test by gweihir · · Score: 1

      You obviously have absolutely no experience of how this works in the real world. You would, of course, have to write a specific justification. That is already enough to keep the exceptions low.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re:Add a test by gl4ss · · Score: 1

      no, you add it to the procurement request that the provider of the hardware agrees to. then you shouldn't even be offered such hardware.

      just test it with a live cd, usb stick boot or whatever the fuck you want afterwards, and if it turns out not to run it then use it to twist the arm of the hardware provider to give money back or whatever for not following the contract.

      if you absolutely need to have a surface rt for testing or whatever then you're going to be procuring the hardware through other channels anyways.

      --
      world was created 5 seconds before this post as it is.
    18. Re:Add a test by Anonymous Coward · · Score: 0

      No, even on a Dell R710 - you're actually running in UEFI all the time. What you disable is booting of UEFI executables, and/or the CSM (BIOS compatibility module), depending on your desires.

    19. Re:Add a test by Anonymous Coward · · Score: 0

      You sound like a prima donna with a PHD... ok you pass the sniff test. you are most definitely a professor. now go take a shower you goddamn pencil neck. you stink! Might wanna take the stick outta yo ass too.

    20. Re:Add a test by eionmac · · Score: 1

      4. Must both work with Knoppix Live Linux while having MS Windows system installed and adjusting partitions with GParted or a similar program.
      5. Be capable of rewriting the hard disc to a Linux system for permanent use.
      6. Must allow booting of a Live Linux system via USB memory (stick or external hard drive) or via a DVD.

      --
      Regards Eion MacDonald
    21. Re:Add a test by EndlessNameless · · Score: 1

      So, if you want to go off your list, absolutely no problem? Stupid meaningless list, then.

      Yeah, not how it works. The same people who approved the list have to approve your exception. So you need a reason that is more important than the rationale behind the original requirement.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    22. Re:Add a test by ToddInSF · · Score: 1

      Then the procedure has added value.

      I love multi-function multi-purpose designs !

  2. Origin by Anonymous Coward · · Score: 0

    Is there something further we should be including here

    Yes. "Be it resolved that due to the known threat of firmware-based rootkits created and deployed by the US National Security Agency, American vendors are disqualified from consideration during procurement."

    1. Re:Origin by LeadSongDog · · Score: 1

      created and deployed by the US

      Just out of curiosity, what countries' vendors might be imagined to be potentially safe from inserting such. Iceland? Switzerland? Luxembourg?

      --
      Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
    2. Re:Origin by Anonymous Coward · · Score: 2, Insightful

      Since all the hardware is inevitably from China, it makes little difference.

    3. Re:Origin by Anonymous Coward · · Score: 0

      Non USA.

    4. Re: Origin by Anonymous Coward · · Score: 0

      So.. Everyday life as usual then?

  3. Expalnation by QuietLagoon · · Score: 5, Insightful

    what is the best way to explain the need for this policy to colleagues less technically literate?

    We bought the computers, we should be able to use them as we see fit.

    1. Re:Expalnation by QuietLagoon · · Score: 1

      hopefully, you'll spell better than I did. :)

    2. Re:Expalnation by fahrbot-bot · · Score: 3, Informative

      what is the best way to explain the need for this policy to colleagues less technically literate?

      We bought the computers, we should be able to use them as we see fit.

      Would you want a car that only accepts fuel from one gas station company?

      --
      It must have been something you assimilated. . . .
    3. Re:Expalnation by sims+2 · · Score: 1

      Why?

      --
      Minimum threshold fixed. Thanks!
    4. Re:Expalnation by Anonymous Coward · · Score: 0

      A more appropriate analogy would be: Do you want a car that runs only on gasoline that has the manufacturer's premium additive in it? These PCs will run signed versions of Linux.

    5. Re:Expalnation by Anonymous Coward · · Score: 1

      Probably because he owns that oil company's stock.

    6. Re:Expalnation by exomondo · · Score: 1

      Would you want a car that only accepts fuel from one gas station company?

      This is why car analogies don't work: you have to continuously seek out, purchase and put gas in a car to keep it running, meaning that being beholden to one vendor would be extremely cumbersome. You don't have to continuously seek out, purchase and install the operating system to keep your computer running.

      What you need to do is to make your case for why it matters for a personal computer and re-purposing old systems seems like a valid justification. Because a more appropriate analogy is asking would you want an iPhone or iPad that only runs iOS? Sure, many people do. Would you want a smartphone or tablet that only runs Android? Certainly a hell of a lot of people are just fine with that too.

  4. Linux can UEFI Boot by Zombie+Ryushu · · Score: 4, Informative

    Linux can UEFI Boot with and without Secure Boot. With Secure Boot you have to be able to install keys or use a Grub Shim, but I have seen both Toshiba and HP Laptops boot Mageia and RedHat in UEFI and CSM modes.

    1. Re:Linux can UEFI Boot by Anonymous Coward · · Score: 0

      So, tell me mudkip, who do you ultimately get those secure boot keys that you mention from?

    2. Re:Linux can UEFI Boot by vel-ex-tech · · Score: 4, Insightful

      Oh good grief. Fine.

      My mobo allows me to load my own keys. I'm assuming it's not the only UEFI implementation on the face of the planet that allows one to load one's own keys. I'd be secure booting my systemd-free Gentoo install if not for sheer laziness.

    3. Re:Linux can UEFI Boot by Anonymous Coward · · Score: 0

      Then, how do I recompile a custom kernel and with UEFI Boot and Secure Boot run it?

    4. Re:Linux can UEFI Boot by vel-ex-tech · · Score: 1

      Did you follow a how-to? Any links you'd care to share? Was this part of those distros' installers? I tried to do this with Gentoo but I just don't have the time to learn new things anymore apparently. Thanks in advance.

    5. Re:Linux can UEFI Boot by Junta · · Score: 1

      Note that you cannot build your own kernel, nor is it the case that all distributions have done the work to get their builds signed. Note that not all firmware is required to let you install custom keys either.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    6. Re:Linux can UEFI Boot by wolrahnaes · · Score: 4, Informative

      Then, how do I recompile a custom kernel and with UEFI Boot and Secure Boot run it?

      Depends on how your distro of choice has implemented Secure Boot.

      All of the distros with official support are using a shim derived from Red Hat's. That shim is a very simple bootloader which maintains compliance with Secure Boot by only chaining on to verified binaries, but it allows the use of an additional public key which has been compiled into the binary. Anyone who finds it worth the $99 can have their build signed by Microsoft and will then be able to boot anything signed with the associated private key on top of anything signed with the Microsoft keys the system has built in. It also provides a method to pass the public key down the chain so the next stage bootloader, kernel, and beyond can verify with it as well.

      Fedora and Ubuntu stop here. Fedora signs GRUB2 with their key which then verifies the kernel, which then verifies the modules. ( http://mjg59.dreamwidth.org/12... ) Ubuntu jumped on a loophole in the wording of the Secure Boot spec to just use their key to sign a bootloader which will then happily launch an unsigned kernel. ( https://lists.ubuntu.com/archi... )

      Suse took things a step further and expanded the shim to support a local key list in the UEFI configuration area. ( https://www.suse.com/communiti... ). Now even a system that lacks the ability to add keys to the firmware's verification process can run a fully signed boot process with custom keys.

      Finally one of the main original developers on the shim who has since left Red Hat took Suse's key management code, mixed it with his own continued tinkering, and added a user interface that comes up if you attempt to boot a signed binary that doesn't match an approved key, allowing the user to browse for a key on any accessible storage and add it to the system. ( http://mjg59.dreamwidth.org/20... )

      ---

      So the answer depends on your distro. If you're running Ubuntu, you just compile your new kernel and go have fun because Ubuntu's not yet verifying the kernel (this is apparently becoming optional in 16.04). If you're running Suse, you use whatever tool they offer to add a key to their shim's list. If you're running Fedora, you replace their shim with one of the other variants and either add a key of your own or just go Ubuntu-style and drop it at the kernel.

      Of course this is all assuming your system doesn't allow you to change the keys, which I know is a valid theoretical possibility but I still haven't encountered in the real world.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    7. Re:Linux can UEFI Boot by psyclone · · Score: 2

      Thanks for the detail!

      Arch Linux uses EFI BOOT STUB which allows you to secure boot with your own keys if you like.

    8. Re:Linux can UEFI Boot by Anonymous Coward · · Score: 2, Insightful

      You, maybe. With your current mainboard. Everyone else generally, not so much. So for general distribution other OS distributors are still dependent on a direct competitor to sign their bootcode for them.

      Yes, it does indeed mean OS distributors need signatures from a direct competitor. That's fair and reasonable, right? Right?

      On top of that, redmond is already slowly turning on the screws. So next upgrade, who knows? Following this and also their earlier business practices, it is not merely conceivable, it is probable, that they'll soon require most hardware to be sold locked down (as they already did with "RT" tablets!), and then you can no longer load your own keys, except maybe if you pay for enterprise support from an enterprise dealer for enterprise rates and so if you want to have your own peecee with loadable keys... you have to buy maybe at least a thousand. They have pulled this trick before, tricks like it multiple times, and there is no reason in the world why they would not again.

      So yeah. Good grief. Very fine.

    9. Re:Linux can UEFI Boot by Anonymous Coward · · Score: 0

      Of course this is all assuming your system doesn't allow you to change the keys, which I know is a valid theoretical possibility but I still haven't encountered in the real world.

      When will we learn that this argument is not good enough for this sort of security boondoggle? The fact it is possible and even probable to happen in the future means it needs safeguards against. Preferably mathematical safeguards, not just the say-so of a party with considerable market power and no obligation to care for anyone its measures leave out in the cold.

    10. Re:Linux can UEFI Boot by AmiMoJo · · Score: 1

      Requiring machines that let you install your own keys sounds like the best option. Secure Boot is actually quite useful for protecting the OS from pre-boot attacks that could otherwise rootkit it. As long as you control it, it's worth having that extra security feature. You could even delete the Microsoft key to prevent students reinstalling Windows.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Linux can UEFI Boot by EndlessNameless · · Score: 1

      No, they're not "dependent on a direct competitor". Do you even know how it works?

      Mainboard manufacturers and OEMs can put whatever keys they want into their UEFI firmware for Secure Boot.

      For Windows 10 certification, Microsoft requires that their keys be included in the signature database and the KEK database. This lets them boot their own code (signature) and add new software signing keys in the future so newer code can run (KEK). There are no restrictions or requirements pertaining to keys for other vendors or operating systems.

      If an OEM decides to be cheap, that is only a problem for their customers. A manufacturer could include only MS keys and provide no means for users to add their own keys to the signature or KEK databases. But that's on the manufacturer alone, and most of them are not that stupid.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
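      What the shim/db/KEK description in this thread looks like from a running Linux install, as an added example (not code from the thread or from any distro's shim): it reads the SecureBoot and SetupMode variables from efivarfs and walks the EFI_SIGNATURE_LIST chain stored in db to list enrolled signers by owner GUID, which is the part of a procurement acceptance check that can be scripted. The efivars path, variable names and GUIDs are from the UEFI specification; the owner GUIDs, certificate bytes and hashes in the sample are constructed placeholders. Whether the firmware menu lets you disable Secure Boot or clear PK is not visible here and stays a manual test.

```python
"""Secure Boot acceptance check: firmware mode plus which signers are enrolled in db."""
import os
import struct
import tempfile
import uuid

# Vendor GUIDs from the UEFI specification (they form the efivarfs file names).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"            # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
# Signature types that may appear in an EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
# Constructed owner GUIDs for the sample below (placeholders, not any real vendor's GUID).
SAMPLE_OEM_OWNER = uuid.UUID("0ec00001-0000-4000-8000-000000000001")
SAMPLE_DEPT_OWNER = uuid.UUID("0ec00002-0000-4000-8000-000000000002")


def read_efivar(efivars_dir, name, vendor_guid):
    """Return a variable's data with the 4-byte efivarfs attribute prefix stripped, or None."""
    path = os.path.join(efivars_dir, f"{name}-{vendor_guid}")
    try:
        with open(path, "rb") as fh:
            return fh.read()[4:]
    except FileNotFoundError:
        return None


def secure_boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """'no-efi' (legacy/CSM boot), 'setup' (no PK, keys enrollable), 'on' or 'off'."""
    sb = read_efivar(efivars_dir, "SecureBoot", EFI_GLOBAL_GUID)
    if sb is None:
        return "no-efi"
    setup = read_efivar(efivars_dir, "SetupMode", EFI_GLOBAL_GUID) or b"\x00"
    if setup[0] == 1:
        return "setup"
    return "on" if sb[0] == 1 else "off"


def parse_signature_lists(blob):
    """Walk consecutive EFI_SIGNATURE_LIST structures (layout of db/dbx/KEK/PK).

    Header: SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32 |
    SignatureSize u32, then SignatureHeader, then entries of SignatureOwner GUID(16) + data.
    """
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append({"type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                            "owner": str(owner), "data_len": sig_size - 16})
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last EFI_SIGNATURE_LIST")
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Construct one EFI_SIGNATURE_LIST of equally sized entries (used for the sample only)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0]))
    return header + body


def sample_db():
    """Constructed db: one OEM X.509 entry (fake bytes) plus two department-enrolled hashes."""
    fake_cert = b"\x30\x82" + b"\xaa" * 62          # placeholder, not a real certificate
    dept_hashes = [bytes([i]) * 32 for i in (1, 2)]  # placeholder SHA-256 image hashes
    return (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OEM_OWNER, [fake_cert])
            + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_DEPT_OWNER, dept_hashes))


def write_fake_efivars(dirpath, secure_boot, setup_mode, db_blob):
    """Write efivarfs-style files (u32 attribute bits, then data) for an offline run."""
    attrs = struct.pack("<I", 0x6)  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    files = {f"SecureBoot-{EFI_GLOBAL_GUID}": bytes([secure_boot]),
             f"SetupMode-{EFI_GLOBAL_GUID}": bytes([setup_mode]),
             f"db-{EFI_IMAGE_SECURITY_DATABASE_GUID}": db_blob}
    for name, data in files.items():
        with open(os.path.join(dirpath, name), "wb") as fh:
            fh.write(attrs + data)


def policy_report(efivars_dir="/sys/firmware/efi/efivars"):
    """Firmware mode plus the distinct owner GUIDs that have entries in db."""
    state = secure_boot_state(efivars_dir)
    db = read_efivar(efivars_dir, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) or b""
    entries = parse_signature_lists(db)
    return {"state": state, "db_entries": len(entries),
            "db_owners": sorted({e["owner"] for e in entries})}


def demo():
    """Run the report against a constructed efivars directory instead of the real firmware."""
    with tempfile.TemporaryDirectory() as tmp:
        write_fake_efivars(tmp, secure_boot=1, setup_mode=0, db_blob=sample_db())
        return policy_report(tmp)


if __name__ == "__main__":
    print(demo())
```

      On real hardware call `policy_report()` with no argument (it needs read access to /sys/firmware/efi/efivars); an owner list that contains only one vendor's GUID while the firmware is in user mode is the situation the thread describes, where your own images boot only if the firmware menu lets you enroll keys.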
    12. Re:Linux can UEFI Boot by wolrahnaes · · Score: 1

      Arch Linux uses EFI BOOT STUB which allows you to secure boot with your own keys if you like.

      Yeah, that's what my last paragraph is about. You can do that or sign any other EFI bootloader you prefer with any OS you prefer if your hardware allows changing your keys and you know how to do it.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    13. Re:Linux can UEFI Boot by wolrahnaes · · Score: 1

      When will we learn that this argument is not good enough for this sort of security boondoggle? The fact it is possible and even probable to happen in the future means it needs safeguards against. Preferably mathematical safeguards, not just the say-so of a party with considerable market power and no obligation to care for anyone its measures leave out in the cold.

      I'm not making an argument, just stating a fact.

      That said, what this basically comes down to is the age-old practicality vs. idealism problem. A cryptographically verified boot process, as a basic concept, is beneficial to everyone. Bootkits are a real thing and this is a barrier against them.

      If we're going to do this, we run very quickly into the same usability problem as SSL. Most users don't have any interest in verifying and installing certificates, they just want to use the software they've bought. Even the mjg59 public shim that prompts you to install the cert off the boot media if you trust it is too much for the general market. To appease this majority you have to have a certain layer of base trusted certificates which can then sign further content. Unfortunately unlike SSL where there's a massive market of domain owners who want to be able to prove they are who they say they are, there's a very small market interested in paying for signed bootloaders. Apple and all the proprietary hardware vendors don't care, they can make their EFI implementations trust whoever they want. As far as generic PC type hardware goes Microsoft is the 800 pound gorilla, with the Linux distros that care about commercial users as a very distant second class and the end-users who actually want to compile kernels somewhere out near Pluto as far as the certificate vendors are concerned.

      There just isn't the market to get the certificate vendors to care, which means none of them work with the OEMs to have their certificates trusted, which ends up where we are now with Microsoft's certificate being the only one you can guarantee to be on Secure Boot capable hardware. Without a mandate from some legal authority (unlikely) or from some licensing body in control of something important to PC hardware (more unlikely) I just don't see how the situation ends up any different at this point in time. Any of the big CAs could theoretically get in this game, but why would they care to?

      So, do you:

      1. Throw out the entire concept, even though it has definite benefits when implemented in a fashion that respects the rights of the owner of the hardware.
      2. Figure out some way to mandate that all hardware allow user management of keys.
      3. Form some organization that will somehow get enough influence to get their signing key added to the default trust lists of enough major vendors to matter, then operate a signing service of your own.
      4. Use the system that exists, that effectively achieves its goals, that generally supports custom keys, and that in the event custom keys are not available the one vendor who's all but guaranteed to be preinstalled offers an open signing service for...

      ---

      To me the current situation is of course not ideal, but I can't see any practical way it could have ended up any better. Expecting every motherboard manufacturer to include keys for all the major distros is absurd. I don't expect major x86 vendors, especially those targeting businesses or the DIY market, to disable key management because it opens them up to nerd rage without any real benefits. Even if they do I don't expect Microsoft to shut down their signing service, nor do I expect them to change keys in such a way that the existing solutions stop working on new hardware because that would also break all existing UEFI Secure Boot compatible Windows install media. It's theoretically possible that all these things combine, but I consider it unlikely enough to not be worth worrying about.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    14. Re:Linux can UEFI Boot by vel-ex-tech · · Score: 1

      On top of that, redmond is already slowly turning on the screws. So next upgrade, who knows?

      This is a very legitimate concern, I will admit. It's one reason why updates are disabled on my Windows^H^H^H^H^HArcadeOS 8 install. I was somewhat worried when I learned that UEFI settings can be detected from and changed from an OS.

  5. Tablets? by whoever57 · · Score: 0

    "Be it resolved that computers running or intending to run Microsoft Windows purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot features for both local hard drive and network booting."

    What about Surface Pro tablets? I think that this policy would preclude their purchase (a good idea IMHO), but others may disagree. You probably need to figure this out before it sinks your attempt to bring in a new policy.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Tablets? by Anonymous Coward · · Score: 2, Informative

      You are able to disable Secure boot on the x86 Surface tablets, I have it disabled on my first gen Surface Pro. Even the newest ones apparently support disabling it according to Microsoft's documentation on them.

      No such luck for the ARM Surface tablets.

  6. Not all computers have UEFI by Anonymous Coward · · Score: 5, Informative

    You are over-specifying both the mechanism and the scope.

    Not all computers you can buy to run Windows have UEFI, and some otherwise useful devices can't disable it.

    Two examples that would be excluded from purchase by how you have phrased this:

    - Macs (do not have UEFI, but an Apple fork of EFI)
    - iPads (locked boot loader)
    - Many Windows 10 tablets/hybrids/ultrabooks e.g. Surface (locked boot loader)
    - Windows Phone (locked boot loader)
    - Sony Playstation (sometimes used as GPU clusters, but have a locked boot loader)

    Now if you want to ban those other device types, that's really up to you. It depends on whether you consider a tablet to be a computer or a phone to be a computer, but heck. Increasingly, the number of computers that function as you describe is going to go down, and more and more locked down devices like tablets and hybrids will become the norm in the market.

    Why not frame it in terms of why:

    "The department believes that it is essential to generate long term utility from computers it buys, and that they shouldn't simply be disposable. We believe that long term use requires flexibility in the operating system used on a computer. We believe that long term use can be achieved in multiple ways - such as reselling used devices to other entities that have need for them, re-purposing computers for graduate students and laboratories, or converting computers for use in instrumentation. This means that wherever possible, computers should be purchased ensuring they have the capability to be unlocked from only running Windows, and running other operating systems such as Linux. This ensures maximum flexibility for our department in generating value from the money we invest in our IT hardware. Exceptions to this need to present a business case and be approved by XXXX"

    The committee approving the exceptions is the mechanism to handle your other options.

    1. Re:Not all computers have UEFI by Anonymous Coward · · Score: 0

      Ubuntu works just fine with a surface and you can turn off secure boot as well

    2. Re:Not all computers have UEFI by Attila+Dimedici · · Score: 1

      And this is why this was asked of slashdot. It may be possible to improve on the policy which the anonymous coward wrote here, but that is a very good start.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    3. Re:Not all computers have UEFI by c · · Score: 2

      It's also worth pointing out that there are a lot of devices which allow the bootloader to be unlocked, but then are no longer covered by the manufacturer's warranty. These should be avoided.

      --
      Log in or piss off.
    4. Re:Not all computers have UEFI by Dr.+Evil · · Score: 1

      "This ensures maximum flexibility for our department in generating value from the money we invest in our IT hardware."

      That's a big fat loophole. Microsoft and Apple create special deals with universities to "create value". When administrators argue with academics in front of people with budgets and motivated salespeople, it will not go well.

      "We leased 1000 iPad ++ Desktop Education edition machines for the physics lab. All students now require Apple IDs and must agree to EULAs as part of their academic requirements. In return, Apple gives free iCloud accounts to children in need."

      I'd scrap the financial considerations. The principle of 'walled gardens' probably runs counter to the university's mission statement. Something much stronger is needed:

      "General purpose computing being necessary to the academic and creative freedom, privacy, intellectual autonomy and security required of an educated people, the right of the student body to learn without the oversight of a EULA, walled garden or similar restrictions shall not be infringed."

      There. Completely unambiguous.

  7. Why mention Windows? by bws111 · · Score: 3, Informative

    Other than pure FUD, why mention Windows or Microsoft at all? We have hundreds of servers running Linux that have Secure Boot enabled, and our requirement for the next gen of servers is that Secure Boot cannot be disabled. So don't pretend it is just a 'Windows' thing.

    Dragging MS into it is really childish. A manufacturer that gets a Windows 10 cert has the choice of allowing Secure Boot to be disabled or not. Are you trying to claim that a manufacturer who DOESN'T get an MS certification is somehow prevented from that option?

    1. Re:Why mention Windows? by Anonymous Coward · · Score: 0

      Just answer this question: who signed your bootloader? And what guarantee do you have that your next bootloader will be signed as well, no questions, or money, asked?

    2. Re:Why mention Windows? by bws111 · · Score: 3, Informative

      Who signed it? We did. And anyone who has the passwords required to access the UEFI does not have physical access to the servers without being accompanied.

    3. Re:Why mention Windows? by Trogre · · Score: 3, Interesting

      Simple. Microsoft Corporation holds the keys to your Secure Boot chain of trust. Or did you manage to get someone else to sign your bootloader?

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    4. Re:Why mention Windows? by bws111 · · Score: 1, Insightful

      The only reason MS has the keys is because everyone else is too lazy to do it right. We sign our own images, and our key is the only one that will boot.

    5. Re:Why mention Windows? by ilsaloving · · Score: 5, Interesting

      Are you trying to claim that a manufacturer who DOESN'T get an MS certification is somehow prevented from that option?

      I think you misread the question. The question was about requirements for purchasing products from vendors, not telling vendors what they are and aren't allowed to do. (That's Microsoft's job)

      There's nothing childish about mentioning Microsoft explicitly. They were the ones that championed Secure Boot in the first place, forcing OEMs to implement it for certification. Most major linux vendors have the resources to get their boot keys into the database, but smaller distros probably wouldn't.

      Even then, the database is then stored locally in the UEFI, so if there's a Linux distro that's late to the party, they're still screwed with the current generation of hardware unless a bios update is released.

      Additionally, Windows 8 certification mandated that it must be possible to disable Secure Boot (after significant outcry about possible lock-in). But for Windows 10 certification that requirement has been quietly dropped again, once again raising that concern about lock-in.

      The submitter has stated that their guidelines will require any new hardware to have the ability to disable SecureBoot, certification requirement or not.

      The question is, how do you explain that to people who may not understand the technical nuances.

      The easiest way I can think of, is to make sure the hardware provides the ability to install Windows 7 (Just because Windows 10 licensing permits downgrade rights, it doesn't follow the hardware will let you), which doesn't support SecureBoot. If you can install Windows 7, you can install anything else you want.

    6. Re:Why mention Windows? by Anonymous Coward · · Score: 3, Informative

      False. The reason why MS has the keys is that to have your product certified to run on Windows, this is a must. Same with TPM + TCG 2.0. It was only due to good negotiators on RedHat's part that MS allows their OS to boot, -period- on Secure UEFI computers.

    7. Re:Why mention Windows? by Anonymous Coward · · Score: 1

      Because initially (and after much bad press) Microsoft wrote in to the specification that you must be able to disable Secure Boot and you must be able to add your own keys to the firmware.

      They then changed things to remove the requirement to allow either of these things. This will necessarily lead to machines which can only boot via Secure Boot and only boot using binaries signed using a certificate bought from MS. The fact that MS could prevent the competition booting either by refusing to provide a key or providing it under terms that a free and modifiable OS cannot meet is an absurd situation.

      It is also absurd that without the ability to enrol your own key in order to run your own built kernel on such a system you would need to *buy* a certificate from Microsoft.

      Dragging MS in to it is not childish when they have intentionally written their specification in a way that is actively harmful to the Linux community.

    8. Re:Why mention Windows? by Lodragandraoidh · · Score: 1

      URI to howto plz

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    9. Re:Why mention Windows? by sexconker · · Score: 1

      I haven't seen a UEFI that did NOT let you modify the list of permitted signing keys.
      My guess is that Dell and other major OEMs don't let you, but if you require that amount of customization you may as well BE the OEM and build your own, choosing a decent mobo.

    10. Re:Why mention Windows? by psyclone · · Score: 1

      Dell allows you to use your own keys in the BIOS, at least on a precision workstation from mid-2015, and I assume everything after.

    11. Re:Why mention Windows? by sexconker · · Score: 1

      Then can somebody point to a desktop mobo that does uefi secure boot and doesn't give the end user key management capabilities?

    12. Re:Why mention Windows? by Anonymous Coward · · Score: 1

      You were simply lucky that your secure boot machines shipped in "setup" mode. You can't sign your bootloader if they ship in "user" mode. Microsoft allows OEMs to do this for Windows 10.

    13. Re:Why mention Windows? by Anonymous Coward · · Score: 0

      So you have custom firmware or a custom motherboard? I don't know of any UEFI locked motherboard that doesn't require a MS based key or you to pay MS to make your own key. Please tell me what motherboard you're using so I can buy it.

    14. Re:Why mention Windows? by Anonymous Coward · · Score: 1

      The whole point of this article is that Microsoft used to require all motherboards to allow the user to add their own keys. That is no longer the case. Expect non-user changeable keys in the near future and mandated locked UEFI a couple years after that. Desktop computers will become as locked down as mobile phones. Their mouths are watering at the prospect of renting everyone their computer, but the change needs to be gradual enough that users won't fight back. Tons of people were saying secure boot was great because Microsoft required it to be user configurable and that they'd never change that. They have.

    15. Re:Why mention Windows? by sexconker · · Score: 1

      So it's FUD, then?
      The Taiwanese mobo brands will be churning out mobos with configurable secure boot and PS/2 ports for longer than you care about it.

  8. Keep it generic by Anonymous Coward · · Score: 1

    As mobile devices and desktops eventually share more in common, it's not unlikely that we'll soon see locked bootloaders on PCs, probably starting with netbook like laptops. I would be more general/generic in the terms.

    "Be it resolved that devices running pre-installed operating systems purchased by the department must have the ability to boot third-party software from local storage, or network if no local storage exists."

    1. Re:Keep it generic by Anonymous Coward · · Score: 0

      "Be it resolved that devices running pre-installed operating systems purchased by the department must have the ability to boot third-party software from local storage, or network if no local storage exists."

      i.e. no iPads / Android tablets or smartphones or routers or wi-fi-access points or lab instruments more complex than a thermometer for his entire department.

      I'm sure that will go over well. OP will be free as in "no longer has a job".

  9. Why mention "Windows" at all? + exclusions by davidwr · · Score: 1

    "Be it resolved that computers ... purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot features for both local hard drive and network booting."

    I would also explicitly exclude "special purpose" computers that your department may purchase for other purposes (e.g. computers that run security cameras, which you may WANT to be locked-down), provided the individual purchase is approved by a review board. I would also allow the same "escape clause" for equipment purchased by your department using outside, restricted funds where the funding restriction contradicts the policy. Such specific exemptions may already be implicit in your organization's structure. If they are, then you do not need to spell them out explicitly.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. Put it in the budget by davidwr · · Score: 5, Insightful

    For computers that can be re-purposed or re-sold, the actual residual value after 3 years (or whatever your "time to fully depreciated" is) is significantly greater than zero.

    For "locked down" computers, the actual residual value becomes a cost - the cost of having it hauled off as e-waste.

    In cases where computers must be locked-down (e.g. due to a grant requirement), the "true cost" should be the buy-in cost + the ongoing maintenance cost - the residual cost (or ... + the disposal cost).

    By explicitly calling this out in your requisition process, it will make people think twice before applying for grants that require locked-down computers.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Put it in the budget by Goldsmith · · Score: 1

      This brings up a really interesting issue regarding ownership of the computers. Legally, grantees do not own equipment purchased under a grant, but are by tradition (if an academic institution) given custodianship of the equipment at the end of the grant.

      Sale or re-purposing of the equipment as the department is doing may technically be a violation of federal contracting laws (not that anyone will enforce it...).

  11. Re:Implying people don't want Secure Boot? by Anonymous Coward · · Score: 0

    I don't mind Secure UEFI. But, I like the ability to turn it off and run in MBR mode if needed... for example, to boot a MS-DOS drive so I can do a BIOS flash the "right" way. Or run an OS like Solaris that is required by some applications.

  12. Demonizing Secure Boot. by westlake · · Score: 1

    Will someone please tell me why an institutional purchaser ---- particularly in a mixed OS environment --- isn't that all new systems support Secure Boot.

    1. Re:Demonizing Secure Boot. by gweihir · · Score: 1

      Secure boot is actually worth a lot less than most people think. In most cases it will cause more hassle than security increase. It is basically an attempt to lock PCs to Windows (eventually), not an attempt to make users more secure. The idea is that when Joe Ordinary tries to install Linux, additional problems surface and he will give up.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Demonizing Secure Boot. by Anonymous Coward · · Score: 0

      Indeed, this is a more radical and newer version of the same stunt MS pulled with DR-DOS to try to get rid of a competitor.

    3. Re:Demonizing Secure Boot. by gweihir · · Score: 1

      Excellent example. And by the time they were called to task in court, DR-DOS was dead, despite being a vastly superior product.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Demonizing Secure Boot. by dave420 · · Score: 1

      That is nonsense and I think you know it. At least, I hope you know it, as the alternative makes you look much worse...

    5. Re:Demonizing Secure Boot. by Anonymous Coward · · Score: 0

      In most cases it will cause more hassle than security increase.

      Exactly. The "secure boot" allows windows to boot - an os with a very bad security record. Last time I checked, you even needed a third-party antivirus utility to survive a network connection for long. And if they keep locking down the boot, linux will be using some windows security hole to boot up. The bios will still think it is booting windows - but it will be a subverted install that runs a linux loader at earliest opportunity. Similar to how people "jailbreak" their smartphones. Use some OS hole to gain enough privileges to reflash.

    6. Re:Demonizing Secure Boot. by gweihir · · Score: 1

      Nice emotional manipulation approach. Of course entirely invalid and unsophisticated in addition. And, quite frankly, if my expert opinion looks bad to you, then

      1) that says certain pretty bad things about you and
      2) I do not care. At all. I do _not_ want to be part of your club-of-morons.

      There are enough morons out there with no clue about security that are also Dunning-Kruger sufferers, i.e. they have no clue how clueless they are.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Demonizing Secure Boot. by gweihir · · Score: 1

      Indeed. Another excellent argument. If this really was about making users more secure, then there would be a _lot_ of places where that time and effort would have done a lot more good. Hence this clearly is not about making the user more secure. And then we can pretty directly conclude that it is some weak form of DRM, intended to give them more control over the platform.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Security implications by thogard · · Score: 1

    Every year at security conferences, more and more people are showing that once something gets into the secure boot area, it won't ever leave. Nearly every bit of anti-malware in the world won't even detect if something is running in the secure area. Being able to disable it is a security feature. Being able to remove or replace it is even better.

    1. Re:Security implications by gweihir · · Score: 1

      Indeed. And the reason for that is that it is actually not an attempt to make users and systems more secure. It is an attempt to eventually make anything except Windows problematic or impossible to install. User benefits are somewhere between zero and negative.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. Install your own keys by Anonymous Coward · · Score: 0

    Ability to add your own keys, and remove the others.
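
As an added example for the setup-mode versus user-mode point in comment 12 and the "install your own keys" suggestion above (not code from any poster in the thread): a POSIX shell script that reads the firmware's SecureBoot and SetupMode variables through efivarfs and classifies what the owner can currently do with the boot chain. It assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars; the GUID is the standard EFI global-variable GUID. The EFIVARS override, the write_efivar helper and the sample files it creates are constructed only so the classification can be exercised offline, and the state names (enforcing, setup-mode, disabled, not-uefi) are this script's own labels, not firmware terminology.

```shell
#!/bin/sh
# Added example (not from the thread): read the UEFI "SecureBoot" and "SetupMode"
# variables that the firmware exposes through efivarfs and classify the machine.
# On a real Linux box the variables live under /sys/firmware/efi/efivars; the
# directory can be overridden (EFIVARS=...) so the logic can be run against
# constructed sample files.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE: print the first data byte of an efivarfs file as a decimal
# number, or "absent" when the variable does not exist or is truncated. efivarfs
# prepends four bytes of attribute flags to the variable data, so skip those.
efivar_byte() {
    if [ ! -r "$1" ]; then
        echo absent
        return 0
    fi
    v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    echo "${v:-absent}"
}

# secure_boot_state DIR: classify the firmware state from the two variables.
#   not-uefi    no SecureBoot variable (legacy/CSM boot, or efivarfs not mounted)
#   enforcing   SecureBoot=1: only images signed by a key in db will boot
#   setup-mode  SecureBoot=0, SetupMode=1: no Platform Key enrolled; the owner
#               can enrol their own PK/KEK/db without prior authorization
#   disabled    SecureBoot=0, SetupMode=0: keys are enrolled but the owner has
#               switched enforcement off in the firmware setup
secure_boot_state() {
    sb=$(efivar_byte "$1/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_byte "$1/SetupMode-$EFI_GLOBAL_GUID")
    if [ "$sb" = absent ]; then
        echo not-uefi
    elif [ "$sb" = 1 ]; then
        echo enforcing
    elif [ "$sm" = 1 ]; then
        echo setup-mode
    else
        echo disabled
    fi
}

# policy_allows_owner_control STATE: returns 0 when the observed state shows the
# owner can run the machine without Secure Boot enforcement (the property the
# draft policy asks for), 1 otherwise. An "enforcing" reading alone proves
# nothing either way; re-run after disabling Secure Boot in firmware setup.
policy_allows_owner_control() {
    case "$1" in
        disabled|setup-mode) return 0 ;;
        *) return 1 ;;
    esac
}

# write_efivar FILE VALUE: create a constructed efivarfs-style file (attribute
# flags NV|BS|RT = 0x07 little-endian, then one data byte of 0 or 1). Used only
# to build sample input for testing; never write to the real efivarfs this way.
write_efivar() {
    if [ "$2" = 1 ]; then
        printf '\007\000\000\000\001' > "$1"
    else
        printf '\007\000\000\000\000' > "$1"
    fi
}

# Live report against the running machine when the script is invoked with --live.
if [ "${1:-}" = --live ]; then
    state=$(secure_boot_state "${EFIVARS:-/sys/firmware/efi/efivars}")
    echo "Secure Boot state: $state"
    if policy_allows_owner_control "$state"; then
        echo "owner control of the boot chain confirmed"
    else
        echo "not confirmed; disable Secure Boot in firmware setup and re-run"
    fi
fi
```

The script only observes. Enrolling your own Platform Key from setup mode is done with a separate tool (for example efi-updatevar from efitools), and once a PK is enrolled the firmware leaves setup mode, which is exactly the "user mode" condition comment 12 describes: from then on, changing PK, KEK or db requires an update signed by the current key holder, or a firmware setup option to clear the keys. A procurement acceptance check therefore wants to see the machine reach either the setup-mode or the disabled state at least once, recorded per serial number, before the hardware is accepted.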

  15. Fixed that for you by Aryeh+Goretsky · · Score: 2

    Hello,

    I would suggest the following amendment to your draft text:

    "Be it resolved that computers running or intending to run Microsoft Windows purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot feature." REMOVING: s for both local hard drive and network booting.

    If you want to put in verbiage saying Secure Boot should be disabled, the language should reflect this in its entirety, not just for what types of devices the computer boots from. Example: A manufacturer who disabled booting from SSDs, USB flash drives or optical media would still be in spec with your requirements, since you only specified hard disk drives and PXE booting in your text.

    Also, keep in mind your requirement is not going to work with Windows 10 Mobile devices (phones, phablets and the like) as UEFI with Secure Boot enabled is part of the requirements for devices running that edition of Windows 10.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
  16. "secure boot" adds the need for keys by Anonymous Coward · · Score: 0

    So make sure every box comes with appropriate keys that can be individually passed on when the box is eventually sold or otherwise disposed of. Perhaps a sticker on the side or something. That, or a guarantee (as noted earlier, a tried and tested guarantee!) that all key material can be emptied out and so a "clean" unencumbered box results. Oh, and you have to take care about the (U)EFI storage windows likes to scribble all over. That might need cleaning too.

  17. BIOS by Anonymous Coward · · Score: 0

    BIOS compatibility should be ensured, too. I'd suggest as a test Quake for DOS, under latest FreeDOS, in SVGA mode (at least 1024x768). Sound is not mandatory, but still a welcome extra.

  18. Oh look an astroturfer by Anonymous Coward · · Score: 0

    Or maybe you honestly haven't a clue what secure boot really does and are letting yourself be blinded by the fancy name. Yes, most if not all new systems come with this thing, but that doesn't mean it is automatically a good thing. And OP is asking how to deal with it.

    Secure boot is not, never was, about your security. The malware it is said to protect against has little trouble with this measure. It's about locking you down, but that doesn't make you more secure, just more restricted. Go look it up, see how it works and what that means.

    Institutions may or may not care but ending up with old equipment that requires keys that have long since vanished (or otherwise cannot be separated out and passed on with the equipment) is worth a lot less than equipment that can be usefully repurposed, sold on, even given away to the workers or some good cause or other. (Even giving things away is worth something. Goodwill is a thing, go look on a nearby balance sheet. Useless gifts can have negative goodwill value, too.)

    We already have various good examples, but I'm going to pick "windows RT" which --contrary to windows 7-- required secure boot to be fully engaged on the tablets it was sold on. Now "RT" has been discontinued and the remaining hardware can neither be upgraded nor repurposed with some aftermarket OS. So your discontinued windows tablet may not quite be a brick, its software is outdated and unpatchable, making it unfixably dangerous. So no, secure boot is not to your advantage. It's a destroyer of value, thus costing you money like when you're forced to buy new.

  19. No support for option roms in legacy cards... by Anonymous Coward · · Score: 0

    The main issue with secure boot that you can't get around by updating the secure boot keys, is that you can't use any PCI/PCIe cards which have option ROMs that are not signed. ( Also you can't use add in cards with option ROMs if you remove Microsoft's keys as that's what they're signed with and you have no way to re-sign the card firmware.... )

  20. Be it resolved? by Anonymous Coward · · Score: 0

    Be it resolved? It's 2016! Who the fuck talks or writes English like that, except lawyers?

    How about you make your policies readable and understandable?

  21. Why not just buy Linux computers? by Not-a-Neg · · Score: 1

    I don't understand why the university doesn't simply purchase Linux computers from a major vendor like System76? Save money on costly Microsoft licenses by keeping as many machines as possible running Linux and only install Windows where necessary. If negotiated contracts are a factor, then purchase Linux systems from Dell or HP. They do sell them, you know?!

    --
    -==- Buy a Mac and leave me alone!
  22. Become literate about Secure Boot by sofla · · Score: 1

    > what is the best way to explain the need for this policy to colleagues less technically literate?

    Secure Boot prevents your boot process from being hijacked. Why would you want to disable that?
    With shim and/or preloader you can Secure Boot any OS that has a UEFI bootloader.

  23. Avoid computers with a Win 10 sticker by Trax3001BBS · · Score: 1

    "Windows 10 hardware must support Secure Boot and won't have to let you turn it off." - or that sticker can't be used.

    http://arstechnica.com/informa...