Slashdot Mirror


UEFI Secure Boot Booted From Debian 9 'Stretch' (theregister.co.uk)

Debian's release team has decided to postpone its implementation of Secure Boot. From a report: In a release update from last week, release team member Jonathan Wiltshire wrote that "At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 'stretch' would no longer be a blocker to release. The likely, although not certain outcome is that stretch will not have Secure Boot support." "We appreciate that this will be a disappointment to many users and developers," he continued, "However, we need to balance that with the limited time available for the volunteer teams working on this feature, and the risk of bugs being introduced through rushed development." The decision not to offer Secure Boot support at release leaves Debian behind Red Hat and Suse, making it the only one of Linux's three main branches not to support the heir-to-BIOS and the many security enhancements it offers.

16 of 168 comments

  1. RedHat by Aighearach · · Score: 4, Interesting

    This is an example of why 20 years later, I'm still running RedHat/Fedora/Centos family distros.

    I want all my FLOSS software to work. And I want business integration to work too. I don't want to have to choose them because they're not actually in conflict.

    1. Re:RedHat by Anonymous Coward · · Score: 5, Insightful

      UEFI is a successor to BIOS in the same way that systemd is a successor to init. They both "solved" many problems that didn't exist to anybody but their creators and financial supporters. Nobody wanted them, yet somehow they were forced down our throats. Neither came from the bottom-up in grassroots-fashion; both came from the top-down in military-fashion. And yet here we are today, and they've both won.

    2. Re: RedHat by TWX · · Score: 3, Interesting

      Back in the late nineties I convinced my best friend to drop NetBSD and join us on Linux. At the time Linux seemed to be where all of the development was being done to make new hardware work where it didn't do so well in BSD. Now I'm wondering if it's time to reconsider the BSDs.

      --
      Do not look into laser with remaining eye.

    3. Re:RedHat by networkBoy · · Score: 4, Informative

      I have to disagree, at least on the BIOS front.
      BIOS is a mess, hard to code for, pragmatically impossible to patch (how many users will actually do the updates).
      BIOS is a 16 bit system... it _needed_ to go away.
      UEFI may not be perfect, and it may not be the best delivery, but BIOS simply can't support what systems provide these days. > 512 byte disk sectors, SSDs, massive ram, BIOS is crap at all of them. Sure you can shoehorn some support in, but it's still crap. Most systems have been on EFI much longer than most people realize (mid 90's for big systems, 2000 for consumer), and uEFI since 05.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump

    4. Re:RedHat by whoever57 · · Score: 3, Informative

      Ah, so you just want to sacrifice package quality and QA, while adopting dependency hell,

      Begone, Troll!

      RedHat/CentOS haven't suffered from dependency hell for years. The adoption of YUM solved the issues.

      --
      The real "Libtards" are the Libertarians!

    5. Re: RedHat by fred6666 · · Score: 3, Informative

      PC hardware support is still years ahead on Linux, especially for stuff such as WiFi adapters and GPU.

    6. Re: RedHat by sl3xd · · Score: 4, Insightful

      Systemd alone has caused me more headaches than anything MS or SCO ever did. In fact it was software from that camp which made me evaluate OpenBSD.

      There are a lot of good ideas in Systemd; overall, I don't disagree with a lot of the overall design goals.

      The implementation, on the other hand, is lacking. My own experience is that systemd has finally reached an "early beta" level of stability. (My desktop system boots correctly about half the time with Systemd. The other half of the time Systemd doesn't start up D-Bus... I can't even shut the system down cleanly, because <drum roll> you need d-bus to shut down with Systemd! Yay!)

      It's a shame systemd was pushed into production for most distributions years ago.

      --
      -- Sometimes you have to turn the lights off in order to see.

  2. What about Non-Secure Boot UEFI Boot? by Zombie+Ryushu · · Score: 4, Interesting

    Several of my boards support UEFI boot, or CSM Boot but the Secure Boot Portion can be turned off (or is absent in the case of one of my boards. I have one of the few early boards that has UEFI but not Secure Boot.). You can do a UEFI Boot without SecureBoot Verification like Macs do,

    1. Re:What about Non-Secure Boot UEFI Boot? by tepples · · Score: 4, Insightful

      If there is a "Windows 10 compatible" sticker for example, you won't be able to run Debian on it.
      If there is a "Windows 8 compatible" sticker, you may or may not be able to, depending on what that OEM decided to do, so will need a bit of research.

      Source?

      Microsoft required x86 and x86-64 PCs with the "Windows 8 compatible" sticker to ship with Secure Boot on but let the owner turn it off in the UEFI configuration form. Microsoft eased this requirement for x86 and x86-64 PCs with the "Windows 10 compatible" sticker: they must ship with Secure Boot on but configurability is up to the preference of the manufacturer. In either case, even if Secure Boot can be turned off, that doesn't mean that things like backlight brightness, audio, WLAN, Bluetooth, and suspend will work correctly.

  3. "Heir-to-BIOS?" by hackel · · Score: 3, Informative

    Lot of FUD being spread in this article. Debian certainly supports UEFI, the *true* "heir-to-BIOS." Secure Boot was a terrible technology from the start. It's disappointing that they weren't able to finish work on it in time, but this certainly isn't the huge issue this article is making it out to be. The majority of Debian installations are going to be in virtualised environments in the first place. Desktop users are probably going to be on testing or another Debian derivative. It kind of makes me angry that Ubuntu didn't contribute this code to Debian straight away, but what can you do.

    1. Re:"Heir-to-BIOS?" by bws111 · · Score: 4, Interesting

      Why is secure boot a 'terrible technology'? We use it quite successfully here. What are the problems with it?

    2. Re:"Heir-to-BIOS?" by bws111 · · Score: 4, Interesting

      1) Why? Because you said so? Exactly what is insecure about it?

      2) Exactly the opposite in our case. We sign our own images. The only code that will run is stuff signed by the appropriate key. That means users, hackers, and especially rogue admins don't get to install their own backdoors. Our stuff remains OURS, not THEIRS. As it should be.

    3. Re:"Heir-to-BIOS?" by bws111 · · Score: 4, Interesting

      We use it to protect important machines (servers, automation controllers, etc) from tampering by external or internal parties. Of course, it is not secure boot by itself that does that, it is in combination with SELinux and IMA. Secure boot, however, is a key component (does no good to have your kernel verify signatures before running things if the kernel itself is not trusted).

    4. Re: "Heir-to-BIOS?" by bws111 · · Score: 3, Insightful

      Nobody said they WERE a big problem, just that they COULD be a big problem. If you can't acknowledge that, clearly you don't know much about security. Which I guess is rather obvious since you ask that dumb question about the keys (hint: no single person has the key, and the people who DO have a portion of the key are quite a bit higher than 'admin', and the whole key never exists anywhere but tamper-resistant hardware).

    5. Re:"Heir-to-BIOS?" by bws111 · · Score: 3, Insightful

      How? I notice a common thread of the anti-secure boot people is that they just make statements with nothing to back them up.

  4. "Secure boot" only ever had one mission by whoever57 · · Score: 4, Insightful

    The mission of "Secure Boot" is not to secure any computers, but to secure Microsoft's revenue stream.

    Yes, you may be able to disable it on your desktop, but will this situation continue? Remember those Surface RT tablets?

    --
    The real "Libtards" are the Libertarians!