
Ubuntu Lays Plans For Getting Past UEFI SecureBoot

timothy posted about 2 years ago | from the first-you-fake-an-injury dept.

Operating Systems 393

An anonymous reader writes "Canonical has laid out their plans for handling UEFI SecureBoot on Ubuntu Linux. Similar to Red Hat paying Microsoft to get past UEFI restrictions, Canonical does have a private UEFI key. Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed — and they want to set up their own signing infrastructure separate from Microsoft."


393 comments

How much of the 'operating system' needs to signed (3, Interesting)

oakgrove (845019) | about 2 years ago | (#40410135)

Does only the kernel need signing or is there more to it than that for Linux?

Re:How much of the 'operating system' needs to sig (4, Informative)

SuricouRaven (1897204) | about 2 years ago | (#40410177)

It is the bootloader that needs signing. The problem is that any bootloader capable of loading more than one (signed) kernel would defeat the purpose of secureboot. I mean the official purpose, protection against rootkits, not the actual purpose.

Re:How much of the 'operating system' needs to sig (5, Informative)

thegarbz (1787294) | about 2 years ago | (#40410247)

This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader. It's something which we haven't really seen much of since the viruses of the DOS days. I'd rather take my chances with the malware than have the liberties of doing what I want with my computer taken away.

Re:How much of the 'operating system' needs to sig (4, Insightful)

kav2k (1545689) | about 2 years ago | (#40410331)

There are, however, easy-to-use piracy tools for Windows that do exactly that. I'm pretty sure it's a big chunk of MS motivation for the whole mess.

Re:How much of the 'operating system' needs to sig (2, Interesting)

Anonymous Coward | about 2 years ago | (#40410509)

Absolutely, 100%, this. In doing this, M$ is looking out for its bottom line; it is only tangentially interested in your data security, and then only insofar as it affects said bottom line. The only rootkits "in the wild" that M$ is even remotely concerned about are the ones which circumvent its own activation and policing systems.

Re:How much of the 'operating system' needs to sig (5, Informative)

LordLimecat (1103839) | about 2 years ago | (#40410987)

This smells of the war against terror. There are actually very few pieces of malware out in circulation which rely on rootkits invoked by the bootloader.

Whether or not the reasons they gave are bogus, THIS isn't true. There are TONS of rootkits out there that screw with the bootloader, which is why MBRCheck should be a standard part of everyone's rootkit removal kit. If you ever see a machine with a virus, you must assume the bootloader has been tampered with.

Off the top of my head, Sinowal and TDSS come to mind.

The rootkit would just infect the kernel (2)

tepples (727027) | about 2 years ago | (#40410253)

If the kernel is not signed, the rootkit would just infect the kernel instead of the bootloader.

Re:The rootkit would just infect the kernel (2, Interesting)

Anonymous Coward | about 2 years ago | (#40410333)

I'm less familiar with the workings of Linux, but you generally solve that problem in FreeBSD by setting the kernel modules and the various start up files to be immutable and run the system at secure level 1 or higher.

There's probably still ways of infecting or messing with the boot process, but it's a lot harder when you can't change any of the files to load other code.

Signing the kernel, modules and various start up scripts is probably not a bad idea, but you end up with some trouble figuring out where exactly to draw the line.

Re:The rootkit would just infect the kernel (1)

tepples (727027) | about 2 years ago | (#40410897)

you generally solve that problem in FreeBSD by setting the kernel modules and the various start up files to be immutable

Does Windows honor FreeBSD immutability?

Re:The rootkit would just infect the kernel (1)

Confusador (1783468) | about 2 years ago | (#40410443)

That's a pretty big if, though. Anyone who is worried about that attack vector can use a signed kernel (as I believe MS is), and those who are more concerned about the signing mechanism itself can minimize their exposure. Folks who are really concerned about it will probably be replacing their BIOSes, but if I understand correctly this compromise will maintain the ability to dual boot with Windows.

Re:The rootkit would just infect the kernel (2)

tepples (727027) | about 2 years ago | (#40410871)

Anyone who is worried about that attack vector can use a signed kernel (as I believe MS is)

But unless the bootloader is designed to require a signed kernel, the bootloader can be configured to load a Linux kernel that chain-loads a compromised Windows kernel. And at that point, Microsoft will add the bootloader to the blacklist in a Windows update.

Re:How much of the 'operating system' needs to sig (4, Insightful)

Sloppy (14984) | about 2 years ago | (#40410341)

That's what I like about it. They're not even paying lip service to that bullshit official purpose. Red Hat made it sound like they have drunk some of the Kool-Aid, with all their worrying about how the person who owns the computer might abuse an unsigned module to take control of their computer.

Once you're running your bootloader, then the issue is over. There is no need to further check for any other signatures or try to guarantee that the owner can't run their own code. You have satisfied the requirement and thereby gotten the computer to work.

Re:How much of the 'operating system' needs to sig (1)

Anonymous Coward | about 2 years ago | (#40410439)

No, it's more like Gowachin-style respectful disrespect. They go along with it only to subvert it.

Re:How much of the 'operating system' needs to sig (1)

SuricouRaven (1897204) | about 2 years ago | (#40410453)

That sounds though like just the type of thing Microsoft may use as an excuse to refuse to sign, and they control the one key that you can be confident all computers will accept.

Re:How much of the 'operating system' needs to sig (1)

Anonymous Coward | about 2 years ago | (#40410839)

It isn't really an excuse. The stated purpose of secure boot is to prevent unauthorized and therefore unsigned kernels from running. Why would they authorize something that exists specifically to subvert this? I don't understand why it is so onerous to require the user to simply add a distro signing key to their own PC and get on with their lives. It's not like Linux users don't have to jump through hoops to get stuff working anyway.

Re:How much of the 'operating system' needs to sig (0)

Anonymous Coward | about 2 years ago | (#40410365)

Take off the tin foil hats. This is for Trusted boot and Trusted Virtual Environments and hell even the DoD is demanding this feature in new hardware. I don't know about you but I am not of the mind to roll my own Mainframe OS or System P OS and getting screwed over by the Signed and Measured boot process. I don't think there is a whole lot of DRM on music to worry about floating around on AIX or Z LPARs either. Both of which required this sort of thing for government workloads.

Re:How much of the 'operating system' needs to sig (2)

SuricouRaven (1897204) | about 2 years ago | (#40410437)

Except that it *isn't* for DoD stuff or mainframes or even virtual machines (Where it'd be utterly useless anyway, as the host could twiddle whatever bits it wanted in the VM memory at any time). Microsoft are mandating that Secure Boot be available and enabled by default on all Windows 8 OEM machines, including those sold to people for home use.

Re:How much of the 'operating system' needs to sig (2)

oakgrove (845019) | about 2 years ago | (#40410447)

Nobody is saying secure boot is an inherently bad idea that I see. They're saying they should be able to sign their own stuff and load their keys. I want to buy a computer and not some glorified appliance so I happen to agree. I also think it's a bit shady that other vendors are in a position where for practical purposes they have to pay Microsoft to get signed.

Re:How much of the 'operating system' needs to sig (0)

Anonymous Coward | about 2 years ago | (#40410623)

If I understood the earlier story on /. correctly, Red Hat is paying Microsoft so their customers have the privilege of running anything *but* Microsoft. That's not even wrong...

Re:How much of the 'operating system' needs to sig (2, Informative)

Anonymous Coward | about 2 years ago | (#40410697)

Nobody is saying secure boot is an inherently bad idea that I see. They're saying they should be able to sign their own stuff and load their keys... I also think it's a bit shady that other vendors are in a position where for practical purposes they have to pay Microsoft to get signed.

"Paying Microsoft" actually goes entirely to Verisign, as RedHat clarified previously. But besides that, they definitely don't have to - as Ubuntu is talking about doing, they can always run their own key server. Or load their key manually. Or disable the feature on x86 systems.

Re:How much of the 'operating system' needs to sig (1)

oakgrove (845019) | about 2 years ago | (#40410837)

I'm not really worried so much who the money is going to, the point is that it is going to somebody be it MS, Verisign, or the man in the moon. I don't really care. As far as running your own keyserver, you have to convince the hardware makers to accept your keys out of the box which is a non-starter with a niche desktop OS like Fedora or Ubuntu. Loading keys manually or disabling the feature is too much to ask the non-technical audience Canonical is going after.

Re:How much of the 'operating system' needs to sig (1)

bws111 (1216812) | about 2 years ago | (#40410807)

No. As soon as Windows kernel comes up it uses the TPM to determine who loaded it. If the answer is not someone Microsoft trusts (ie, UEFI), the system is running in 'unsecure' mode.

Re:How much of the 'operating system' needs to sig (1)

h4rr4r (612664) | about 2 years ago | (#40410971)

How does it know the TPM is the one answering?
Assuming this is the first boot, there must be some way to build a liar TPM.

Re:How much of the 'operating system' needs to sig (1)

LordLimecat (1103839) | about 2 years ago | (#40410957)

Seems to me like the easier solution would have been to actually secure the OS so that no program, kernel or otherwise, has sufficient direct disk access to write a new bootloader. Loading a new bootloader should require booting into a special mode to do so (BIOS level?). I don't believe I've ever seen a Windows update or service pack that touched the bootloader.

Of course TrueCrypt et al need to mess with the bootloader, but I don't see why you couldn't simply load it from CD at boot time.

On that note, does anyone know if there are any plans regarding TrueCrypt etc that need custom bootloaders?

Re:How much of the 'operating system' needs to sig (1)

pantaril (1624521) | about 2 years ago | (#40410181)

Does only the kernel need signing or is there more to it than that for Linux?

Do you even read the summary? Your answer is right there:

Beyond that they will also be switching from GRUB to the more liberal efilinux bootloader, and only require bootloader binaries be signed

Re:How much of the 'operating system' needs to sig (0)

Anonymous Coward | about 2 years ago | (#40410191)

Only the bootloader, if you read the summary. I know reading summary is tough for you folks...

UEFI SecureBoot is a catastrophe (5, Insightful)

Anonymous Coward | about 2 years ago | (#40410155)

Along with draconian DRM and anti privacy laws, UEFI SecureBoot is crippling the computer as a tool.

It will take generations and countless wars to undo the damage that is currently being done.

Re:UEFI SecureBoot is a catastrophe (2, Interesting)

gellenburg (61212) | about 2 years ago | (#40410169)

My 24" Core 2 Duo iMac has EFI Boot. It didn't stop me from installing Linux Mint on it last month (full format & repartition of the hard drive, not as a "guest"). Can someone help me understand what's the difference?

Re:UEFI SecureBoot is a catastrophe (-1)

Anonymous Coward | about 2 years ago | (#40410195)

There is no difference. Just more FUD from the Linux boys to cry about why their pet OS never gains any real traction on the desktop.

Re:UEFI SecureBoot is a catastrophe (5, Insightful)

cdwiegand (2267) | about 2 years ago | (#40410209)

Because Apple doesn't care if you load Linux - they're a hardware company (well, user experience company, but anyways). You've already bought their hardware and software. But Microsoft, which has the x86/x64 non-Mac world by its balls, is a software company, so they will do things that strategically make non-Windows software harder. So a similarly-capable Acer, as an example, is going to be more locked down than your Mac.

Hence, I'm slowly finding myself thinking of buying Mac hardware again, even given the higher-than-I-need quality (and price).

Re:UEFI SecureBoot is a catastrophe (1)

Anonymous Coward | about 2 years ago | (#40410401)

Of course they care. If you don't use their operating system you are much less likely to use the services they have tailored to that system, like iTunes and iCloud and iWhatNot.

Re:UEFI SecureBoot is a catastrophe (4, Informative)

jo_ham (604554) | about 2 years ago | (#40410629)

Of course they care. If you don't use their operating system you are much less likely to use the services they have tailored to that system, like iTunes and iCloud and iWhatNot.

No, they really don't - you already bought the hardware. iTunes, iCloud, the app store, the music and movie stores etc exist to sell the hardware.

You can see this by looking at their financial statements (unless you think they're lying on a massive scale, in which case report them to the SEC) - the hardware division, on both the iOS and OS X sides of the equation are where the profit is made.

They'd love you to buy a Mac and run Linux on it - you bought a Mac and gave them 90% of the profit they'd expect to get from you as a customer. The 20-30% margin on a $1-2k purchase is the lion's share of the money they make from you. The $0.30 they make from you every time you buy a song, or the cost they incur by giving you free iCloud access is peanuts in comparison.

Re:UEFI SecureBoot is a catastrophe (1)

houstonbofh (602064) | about 2 years ago | (#40410781)

If iTunes is such a profit center, why haven't they ported it to Linux? Or, if Windows had Rhythmbox, would they have bothered porting it there?

Re:UEFI SecureBoot is a catastrophe (0)

Anonymous Coward | about 2 years ago | (#40410735)

Macs aren't as open as PCs, even though they're basically near standard x86 boxes. You can't simply put in a new NV or ATI video card, even if you have the drivers, and the card in question has a double sized ROM for BIOS and UEFI mobos. Apple have locked them down to their own cards (very poor choice, and flaky cards - see their forums), plus they're locked to specific year models, even if the slot is PCIe. Before long you're stuck with buying a card from ebay that's been reflowed, or dumping the entire mac pro and starting over with a new one. Exactly what Apple want.

Re:UEFI SecureBoot is a catastrophe (1)

Anonymous Coward | about 2 years ago | (#40410221)

Difference is that a) you will probably need to disable certain features in BIOS, which is scary to users (it is, don't argue)
b) not every manufacturer will make it easy for Linux, basically making UEFI a lock on for Windows.

Re:UEFI SecureBoot is a catastrophe (4, Informative)

am 2k (217885) | about 2 years ago | (#40410225)

Unlike iOS devices, Macs aren't configured (yet) to require a signed bootloader. This is only an optional feature of EFI.

Re:UEFI SecureBoot is a catastrophe (5, Informative)

Anonymous Coward | about 2 years ago | (#40410261)

The difference is that you have an iMac that currently does not use the EFI Secureboot features, as I understand it. If you purchase a Windows 8 certified PC, those are the ones that will be requiring the EFI Secure Boot.

I told my friends & family that I have bought my last Windows PC, shortly after I purchased a Macbook a few years ago...turns out that may have been a good choice...

I'm not going to encourage PC manufacturers to bow and kowtow to any one software vendor's wishes. If I buy my hardware from [insert your favorite PC maker here] and I want to install some oddball software on it, say AROS, or ReactOS, then that is what I should be able to do without having to wage war against EFI or any other "security features" that may prevent me from installing software that I want to use.

That's a bit of a rant...but things like this that don't make sense to me are hot-button issues with me...

Re:UEFI SecureBoot is a catastrophe (0)

Anonymous Coward | about 2 years ago | (#40410823)

You do know that you can turn that secure boot feature off, don't you?

Re:UEFI SecureBoot is a catastrophe (1)

h4rr4r (612664) | about 2 years ago | (#40410939)

Only on x86 and only for now. Just wait until this becomes more mainstream. Then you will be able to turn it off, but not use the machine for banking or buying online unless it is on.

Re:UEFI SecureBoot is a catastrophe (4, Funny)

Anonymous Coward | about 2 years ago | (#40410305)

Can someone help me understand what's the difference?

Well let's see...

"My 24" Core 2 Duo iMac has EFI Boot" vs "UEFI SecureBoot is crippling the computer"

hmm...

"My 24" Core 2 Duo iMac has EFI Boot" vs "UEFI SecureBoot is crippling the computer"

ehhh...

"My 24" Core 2 Duo iMac has EFI Boot" vs "UEFI SECURE Boot is crippling the computer"

humm... nope can't see a damned thing different.

Re:UEFI SecureBoot is a catastrophe (1)

Anonymous Coward | about 2 years ago | (#40410425)

Microsoft is having its OEMs lock the EFI down, Apple does not and likely won't (they wanna sell hardware, the software is included anyway). But this is slashdot where we believe Macs are DRM'd to hell and only idiots would buy into Apple's iOS walled garden. Derp!

Re:UEFI SecureBoot is a catastrophe (1)

houstonbofh (602064) | about 2 years ago | (#40410803)

But this is slashdot where we believe Macs are DRM'd to hell and only idiots would buy into Apple's iOS walled garden. Derp!

Who would have thought that Microsoft could make Apple look open... Wow.

Why is this a problem? (5, Informative)

Anonymous Coward | about 2 years ago | (#40410163)

Shouldn't I be able to load my own private key (or that of my distribution of choice) in the UEFI interface and then sign the bootloader I want with it (or use that of said distribution)? Ideally changing the key would only be possible while a jumper on the board is set.

If I trust Ubuntu, then my computer would reject the Windows bootloader and vice versa. Isn't that how it should be?

Re:Why is this a problem? (1)

oakgrove (845019) | about 2 years ago | (#40410203)

basically, yes. The issue is that represents quite a hurdle for the non technical users ubuntu is going for. As far as locking out Linux, many free software geeks are salivating at the thought of delivering systems that can't easily be with windows.

Re:Why is this a problem? (1)

oakgrove (845019) | about 2 years ago | (#40410239)

That last sentence should read: As far as locking out windows, many free software geeks are salivating at the thought of delivering systems that can't easily be reformatted with windows.

Re:Why is this a problem? (1)

Nerdfest (867930) | about 2 years ago | (#40410655)

I'm under the impression that, unfortunately, Windows will run on those machines, they just can't be sold as "Windows Certified". It would be fantastic if they stopped it from being installed. The hardware vendors would love it as a vast number more machines would be sold.

Re:Why is this a problem? (0)

Anonymous Coward | about 2 years ago | (#40410775)

My Google fu is failing me now but I'm sure there is a way to change the key to lock out windows. If I find it I'll update.

Re:Why is this a problem? (0)

Anonymous Coward | about 2 years ago | (#40410217)

s/private/public/

Surprised.... (2)

Junta (36770) | about 2 years ago | (#40410173)

Seems like this leaves things open for an MS rootkit. A rootkit that happens to have an entry point resembling a linux kernel seems a likely scenario.

Also surprised with efilinux. It can load from block devices only, which omits network boot. I understand that grub2 GPL3 concerns make sense, but you would think they might go with elilo. It may be less 'active', but it is capable of doing more than efilinux, notably network deployment.

Re:Surprised.... (1)

h4rr4r (612664) | about 2 years ago | (#40410913)

It can't load GPXE from a small block device?
That seems like it would solve your netboot concern.

Next -- compilers (5, Insightful)

Anonymous Coward | about 2 years ago | (#40410193)

The next step should be requiring a background check in order to have access to a compiler. Compilers are a subversive tool that is essential to creating malware, the cyberspace equivalent of a chemistry lab. Just as having an unauthorized chemistry lab should automatically make one suspect for creating drugs, explosives or chemical weapons, possession of an unauthorized compiler and of a machine that does not have a secure boot should make one suspect of cyberterrorism.

Of course, this is impossible right now, just as fifty years ago nobody would have taken such a dire view on chemistry. However, the next generation of people raised in fear of pedophiles and terrorists will work hard to make this a reality. And the generation after that will have the blessing of knowing that things have always been like this, since all authorized books will be in electronic format, periodically updated with the best and most recent knowledge about the past.

Since the 7800 (2)

tepples (727027) | about 2 years ago | (#40410287)

The next step should be requiring a background check in order to have access to a compiler.

Microsoft, Nintendo, and Sony already require this for software that runs on their video game consoles.

Re:Next -- compilers (0)

Anonymous Coward | about 2 years ago | (#40410517)

No, they'll just make it so you need a $100,000 master's degree in CS to get legal access to a compiler that makes distributable binaries, not so much to stop malware but as a boon to the education industry.

Re:Next -- compilers (0)

Anonymous Coward | about 2 years ago | (#40410931)

Can't an expert essentially write a compiler from nothing?

Why not ignore UEFI? (0)

Anonymous Coward | about 2 years ago | (#40410207)

FOSS/GNU/Linux people will not purchase Windows 8 signed machines anyway. They will be forced to build their own PCs, which is, guess what, what they do already.
This will force more people to build their own or steer clear of any large OEM that wants Windows 8.

Re:Why not ignore UEFI? (4, Insightful)

oakgrove (845019) | about 2 years ago | (#40410315)

How do you presume they build their own laptops and x86 tablets?

Re:Why not ignore UEFI? (2)

Confusador (1783468) | about 2 years ago | (#40410397)

x86 Android tablets shouldn't have this problem. As for laptops, I guess MS is pushing people to buy Macs?

I'm kidding, of course, purists are already buying from System76 or the like, which is why GP says "or steer clear of any large OEM that wants Windows 8." Everyone else will deal with this as RH and Canonical are.

Re:Why not ignore UEFI? (2)

Riceballsan (816702) | about 2 years ago | (#40410567)

I would say further than that, I started on Linux when I was 13. At that point I didn't have the budget to purchase my own computer parts, heck I wasn't even using the main system for it (If I recall it was an older moved past its usefulness Dell I used). This hurts the next generation, Linux has been working in strides to become more user friendly. Currently Linux has moved to the point where I could easily hand my mother a Linux Mint disk, tell her to boot it up and follow the on screen directions, and her have it installed and fully usable in an hour. Now we are talking a new hurdle involving diving into the BIOS, entering in a certain password (Provided of course the manufacturer actually provides this password, they might not). With Steam being ported to Linux in the very near future, webapps starting to replace regular programs etc... it is actually reaching a time where Linux may truly be viable for the common folk. The OS matters less and less every day.

Re:Why not ignore UEFI? (1)

jo_ham (604554) | about 2 years ago | (#40410641)

FOSS/GNU/Linux people will not purchase Windows 8 signed machines anyway. They will be forced to build their own PCs, which is, guess what, what they do already.
This will force more people to build their own or steer clear of any large OEM that wants Windows 8.

What components will they use? How much will it cost if they go for special non-UEFI components when the majority of the industry is using UEFI motherboards?

Re:Why not ignore UEFI? (1)

a90Tj2P7 (1533853) | about 2 years ago | (#40410947)

You know (U)EFI has been replacing BIOS slowly but increasingly for over a decade now, right? And that Linux was the first OS to support it? Anyone saying their solution is not to buy UEFI computers or motherboards probably already has one and doesn't know it.

I'd also say that there's probably a lot more people who install Linux on OEM computers than you seem to think.

That's great (0)

Anonymous Coward | about 2 years ago | (#40410241)

Booting our CDs will rely on a loader image signed by Microsoft's ...

I don't think I need to say anything else.

Re:That's great (0)

Anonymous Coward | about 2 years ago | (#40410301)

If a system administrator can't be sure that his Windows machines won't boot other OSes, then what's the point of SecureBoot? If you trust Microsoft, do you expect them to sign other people's boot loaders?

Re:That's great (2)

Riceballsan (816702) | about 2 years ago | (#40410497)

In the context of a system administrator running a company there are no issues with the feature. In terms of a home market where some users may want to dabble in Linux etc... There is an issue. Believe it or not, not every software hobbyist is also a hardware hobbyist. Not everyone who toys with Linux has the choice of what hardware they purchase (say teenagers for instance). Now in business class machines, yes lock them down, set them so that without an administrator key they can only run Windows, and Microsoft Office. The issue is will OEMs provide their customers with the key to allow them to even run Linux.

Re:That's great (0)

Anonymous Coward | about 2 years ago | (#40410587)

If Microsoft signs a Linux boot loader, will that not make it impossible to lock down a machine so that it can only run Windows?

lol pc users gotta jailbreak their desktops (0, Insightful)

Anonymous Coward | about 2 years ago | (#40410257)

enjoy your microsoft tax, fags.

Re:lol pc users gotta jailbreak their desktops (1)

Anonymous Coward | about 2 years ago | (#40410289)

I hesitate between +5, Troll, or +5, Insightful.

Re:lol pc users gotta jailbreak their desktops (1)

houstonbofh (602064) | about 2 years ago | (#40410889)

Actually, that is kind of an unintended good point. Bypassing this in the BIOS will be easier than a lot of the jail break schemes, and EVERYONE is doing that. I know a little old lady in her 60s with a jail broken phone. We may be overreacting a tad...

So... (2, Insightful)

SuricouRaven (1897204) | about 2 years ago | (#40410291)

In order to compete with Microsoft, they have to beg Microsoft to sign their bootloader? UEFI's secure boot was a dubious idea at best, and Microsoft has just hijacked it into a way to greatly inconvenience all the competition under the excuse of security against a threat that barely exists. Red Hat and Fedora might be able to jump through these hoops and beg Microsoft for permission to compete (Which I'm sure will involve a hefty signing fee for 'administrative costs') but how are the hundreds of smaller distros and niche distros supposed to exist? Right now the only concession made to them is that Microsoft generously permits for secure boot to be disabled (though only on x86, not ARM) - and who here trusts them not to reverse that policy in a few years?

Re:So... (0)

Anonymous Coward | about 2 years ago | (#40410601)

beg Microsoft for permission to compete (Which I'm sure will involve a hefty signing fee for 'administrative costs')

The $99 goes to Verisign, not Microsoft; once paid you can sign as many binaries as you want.

http://mjg59.dreamwidth.org/12368.html

Re:So... (2)

ZeroSumHappiness (1710320) | about 2 years ago | (#40410699)

As much as I hate MS in all of this, the cost to sign a binary through MS is $99, always and for any binary. The ability to disable secure boot is in the spec. The reason that MS ensured that this ability exists in the spec is to prevent a cry of anti-trust -- they can always point at it and say, "We made sure there was a way for competing operating systems to get installed." Now, of course, they can run the FUD machine claiming that without secure boot enabled Ubhatse (sounds sexy) can be owned, but MS isn't trying to lock out competitors entirely, just to make the door jam a bit. This policy won't be reversed in the current spec of UEFI and if it is MS will undergo another anti-trust case.

Re:So... (1)

Neil Boekend (1854906) | about 2 years ago | (#40410937)

If I understand correctly, once a signed bootloader is installed this bootloader can run any OS. UEFI Secureboot only checks the files loaded from the UEFI "BIOS". Which files are loaded by the files loaded from UEFI isn't checked.
So, assuming the UEFI loads a signed bootloader, the bootloader can run anything it wants.

This needs to be something you can disable (2)

Karmashock (2415832) | about 2 years ago | (#40410323)

I have no problem with security features being put in the bios. But if they could potentially make given OS's incompatible then it has to be something you can turn off.

And if you can turn it off then everyone gets what they want.

MS gets a little security on their malware plagued OS. And everyone else can just shut it off.

Re:This needs to be something you can disable (0)

Anonymous Coward | about 2 years ago | (#40410821)

That's exactly what is happening. For manufacturers to be allowed to put the 'designed for windows 8' logo on their products, they MUST allow secure boot to be disabled by the end user, and they MUST allow the end user to add their own keys. Windows RT (for ARM tablets) is a different story.

crazy stuff (3, Insightful)

l3v1 (787564) | about 2 years ago | (#40410377)

I have multiple issues with this whole uefi secureboot shebang.

How can it happen that one company (however large) can seemingly make most of the manufacturers to comply with their crazy ideas? The option to easily disable uefi secureboot _should_ be there on every and each motherboard (desktop, server or laptop). It should not be the manufacturer (and indirectly Microsoft) who decides what kernel and drivers (regardless of the operating system) a user or developer uses. How would anyone make custom kernels and/or modules (Linux) and/or drivers (e.g. Windows) if signing everything through a 3rd party signing service would be required every time? This is crazy.

Second, I don't like where Fedora/RH and Ubuntu are going with this. Aligning with MS on this issue is definitely not the right way to go and most people start to see this. Yet, nobody seems to want to find a way out, most seem to even have stopped protesting, or asking for mandatory secureboot disable options. There are not only 2 distros out there, there are a lot more of them, and most of them will not go along with MS-signing kernels and drivers. Also, if Ubuntu goes for a secureboot lockdown scheme, they might be good from the enterprise side, moving away from the average users, and that just might be what they want to do.

Some still say this whole thing is a non-issue and too much fuss about nothing, but if it were so, then please, for crying out loud, why is there so much smoke around about the planned existence or non-existence of a secureboot disable option? If manufacturers would just say disabling will be there always, this whole issue would just go away.

The biggest problem still is that most average users can't see the point in all this, simply don't care, thus unwillingly participating in making it worse for those who do.

Re:crazy stuff (1)

cyber-vandal (148830) | about 2 years ago | (#40410887)

Because despite what the Libertarians, deluded Linux fans and Microsoft apologists will tell you, Microsoft do have a monopoly in this area. There are no realistic alternatives, otherwise there would have been a mass exodus a long time ago, especially in the corporate sector.

wrong information, again! (4, Informative)

Anonymous Coward | about 2 years ago | (#40410403)

Seriously... I read the article the FIRST time this UEFI news was posted from http://mjg59.dreamwidth.org/12368.html [dreamwidth.org], when it was regarding Red Hat, and the edit was already made back then. The money does not go to Microsoft! Why are people still saying this?
It is very misleading to write "Similar to Red Hat paying Microsoft to get past UEFI restrictions" when it is really not the truth.

"Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want)"

my bias: I have Linux on all of my systems, no MS OS around here. Please, stop the inaccuracies and write what is true.

It is not a plan. It is surrender. (0)

Anonymous Coward | about 2 years ago | (#40410415)

Lame

Keep your dirty hands off my PC (2)

aglider (2435074) | about 2 years ago | (#40410427)

I want to boot whatever software I want, not what you graciously will allow me.
Hardware is MINE, not yours!

Flash your UEFI (2)

hey_popey (1285712) | about 2 years ago | (#40410441)

Couldn't the buyer of an OEM PC with Windows just flash their UEFI with one allowing disabling the Secure Boot?
This would add just one step to the alternative OS setup!

Re:Flash your UEFI (1)

Megane (129182) | about 2 years ago | (#40410695)

Or you could just disable it in the BIOS configuration.

...unless you're talking about an ARM system, in which case, you're fucked, because it won't run your BIOS flasher because it (the flasher and the BIOS image) isn't signed, and you can't disable secure boot because MS doesn't want you to.

Re:Flash your UEFI (2)

scharkalvin (72228) | about 2 years ago | (#40410925)

There STILL might be a way. Most ARM CPUs support a JTAG debugger and the motherboard might even have the required connector (or connector footprint) on it. You could then still be able to flash the BIOS using the hardware debugger (JTAG). ARM tools to support JTAG are open source and there are many suitable JTAG devices available at reasonable cost. OK, not a very non-geek-friendly way, but it IS possible.

Re:Flash your UEFI (1)

samjam (256347) | about 2 years ago | (#40410969)

They may need to boot the PC before flashing it, and possibly accept a stinking EULA before they get the chance to flash it.

UEFI SecureBoot ??? (1)

yvesdandoy (44789) | about 2 years ago | (#40410455)

Yet another Micro$oft tax ... Red Hat is the first one to pay it, who's next in line ???

Re:UEFI SecureBoot ??? (1)

ZeroSumHappiness (1710320) | about 2 years ago | (#40410709)

The tax is $99 per binary signed by MS, total. So if you distribute one copy, yes, it's a $99 tax. If you distribute 99 copies, it's a $1 tax. If you distribute 99 billion copies it's a 1 Zimbabwean dollar tax.

Re:UEFI SecureBoot ??? (-1)

Anonymous Coward | about 2 years ago | (#40410793)

You, with the giant Linux cock in your bleeding asshole. The money is paid to Verisign, not Microsoft. You Linux pieces of shit tell more lies on any given day than Microsoft has in their whole history.

Kill with fire (4, Interesting)

peppepz (1311345) | about 2 years ago | (#40410483)

The right thing to do, would be to send UEFI and ACPI into the hell where they belong (2.045 pages for loading a fucking boot loader into RAM and jumping into it), and switch the PC architecture into using something more human, say, a kind of Open Firmware. For security, the firmware should pop up an alert telling the user that their boot loader has changed, asking him if he agrees with the operation. Which is the same security model that Windows has at runtime. Which is where the end user will catch 99.99999% of malware, since boot viruses in practice don't exist.

But no, instead they'll institute this ludicrous dance of keys which will impair the end user's boot experience (which is what UEFI should really be all about) without adding a gram of security (loadable modules at runtime = zero advantage from using "secure" boot).

Relax--God is just. (-1)

Anonymous Coward | about 2 years ago | (#40410503)

God says...
banished abandonedly commemorated rested perceiveth tip
inured And Give_me_praise thirsteth precisely unchangeably
round quarter occurred XII alive accomplished preeminent
pobox Poland emotion adjusted_for_inflation challenged
fettered fully Ave inviting lo steals dispensing elevation
promising frenzy EDITIONS sounding txt bud uncertain will
obey answerest violets foolish infirmities doleful grumble
profitable soberly removed knowing shepherd's him draws
account hey_thats_right sharp roarest darkenings thwart
shook impaired abyss Knowing resend Wherefore strong punish
convenient funding infant

Have a signed bootloader load an unsigned one (1)

DaysSinceTheDoor (805570) | about 2 years ago | (#40410529)

Why not have a very simple but signed boot loader that turns around and loads an unsigned bootloader like Grub2. I have had to do similar things before when I installed Ubuntu on a Mac.
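The point raised in this comment and in Neil Boekend's comment above (the firmware checks only the image it loads itself) can be modelled in a few lines. This is an added example, not part of the original thread or any project's code: a SHA-256 allowlist stands in for signature verification, and all image contents and function names are constructed for illustration.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

class BootRefused(Exception):
    pass

# Constructed sample images (placeholders, not real binaries).
LOADER = b"constructed first-stage loader"
KERNEL = b"constructed kernel image"
MODIFIED_KERNEL = KERNEL + b" with an unreviewed change"

# Firmware allowlist: the only thing the firmware itself checks.
FIRMWARE_DB = {digest(LOADER)}

def firmware_boot(loader_image, loader_fn, next_stage):
    """Firmware verifies the image it loads, then hands over control."""
    if digest(loader_image) not in FIRMWARE_DB:
        raise BootRefused("firmware: loader not in db")
    return loader_fn(next_stage)

def chaining_loader(next_stage):
    """Trusted by firmware, but starts whatever it is given."""
    return "booted " + digest(next_stage)[:12]

def make_verifying_loader(allowed_digests):
    """Trusted by firmware and extends the check to the next stage."""
    def loader(next_stage):
        if digest(next_stage) not in allowed_digests:
            raise BootRefused("loader: next stage not allowed")
        return "booted " + digest(next_stage)[:12]
    return loader

def try_boot(loader_image, loader_fn, next_stage):
    try:
        return firmware_boot(loader_image, loader_fn, next_stage)
    except BootRefused as exc:
        return "refused by " + str(exc)

if __name__ == "__main__":
    verifying = make_verifying_loader({digest(KERNEL)})
    for name, fn in (("chaining", chaining_loader), ("verifying", verifying)):
        for label, img in (("kernel", KERNEL), ("modified", MODIFIED_KERNEL)):
            print(name, label, "->", try_boot(LOADER, fn, img))
    print("unlisted loader ->", try_boot(b"unlisted", chaining_loader, KERNEL))
```

The firmware check passes in both loader cases; whether a modified next stage is caught depends entirely on what the trusted loader does after it gains control.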

Ubuntu Founder knows about signing ... (5, Interesting)

os10000 (8303) | about 2 years ago | (#40410611)

Hi Guys & Gals,

before you all get worked up, please remember that Ubuntu was founded by Mark Shuttleworth. Mark became a billionaire by running Thawte. Thawte is a certificate authority for X.509 certificates.

My take is he knows a thing or two about such infrastructures and I also think he is a positive influence for the free software world.

have a good day!

Best news ever for open software/hardware (2)

iamacat (583406) | about 2 years ago | (#40410659)

All of a sudden, a genuine reason to buy Raspberry Pi! Sparc/PowerPC workstations and laptops back in demand as being "better for business/medicine/science" when consumer x86 hardware is restricted to tablet touchscreen OS! PC vendors pissed off by Surface offer custom desktops/laptops for running Linux and FreeBSD and without Windows 8 support!

I for one welcome our new diverse hardware overlords.

booting cd's (5, Interesting)

fluffythedestroyer (2586259) | about 2 years ago | (#40410723)

"Booting our CDs will rely on a loader image signed by Microsoft's WinQual key, for much the same reasons as Fedora: it's a key that, realistically, more or less every off-the-shelf system is going to have,...

So that means my bootcd's that I create or the ones that I have, like Hiren's boot cd, bartpe or any other, won't work anymore if they're not signed by MS? That means the IT world will get a kick in the balls with this... like Hiren's will pay for the key.

Besides, Microsoft made it clear that ARM computers which are loaded with Windows 8 will make it impossible to disable the UEFI. In other words, no other OS will be possible. Is it me or is it a very bad idea for all of us... except Microsoft, whose intent with this crap is clear.

No restrictions (2, Interesting)

Anonymous Coward | about 2 years ago | (#40410891)

I work in a lab where we often need to make a custom build machine. There is no way we will accept any kind of UEFI OS restrictions, nor will we pay an extra fee for their removal. If they wish to do business with us and our partners, then we must have the option to install whatever we like.
