Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

SUSE Slowly Shows UEFI Secure Boot Plan

Soulskill posted about 2 years ago | from the at-a-stately-and-majestic-pace dept.

SuSE 190

itwbennett writes "One blog post at a time, SUSE is revealing its plan for getting SUSE Linux Enterprise Server (SLES) to boot on machines with UEFI Secure Boot. The short version: 'For now, it seems, SLES will implement an approach similar to that used by Fedora,' writes Brian Proffitt. '[Director of the SUSE Linux Enterprise Olaf] Kirch's first blog entry on Tuesday merely introduced the problem of UEFI Secure Boot. Today's blog only specified the use of the shim bootloader.' Just dying to know what's next? Tune in to the SUSE blog."

cancel ×

190 comments

Sorry! There are no comments related to the filter you selected.

Its a trap!!! (1, Offtopic)

FriendlyLurker (50431) | about 2 years ago | (#40924117)

Run!

It is a trap - control over the OS (2, Interesting)

Anonymous Coward | about 2 years ago | (#40924153)

How long until firmware yays or nays the OS your trying to install? Windows 8 Tablet is just a baby step into that future...

Re:It is a trap - control over the OS (2, Informative)

Anonymous Coward | about 2 years ago | (#40925463)

Only for ARM based systems. Microsoft has stated that all Windows 8 branded x86 PCs must have the ability to disable secure boot.

Re:It is a trap - control over the OS (-1)

Anonymous Coward | about 2 years ago | (#40925957)

Next step: limiting x86 to servers only. Sure, you can have a "PC" where you're free to disable secure boot, as long as you're willing to spend $10K and don't mind the lack of audio and USB.

Re:It is a trap - control over the OS (2)

camperdave (969942) | about 2 years ago | (#40926339)

Only for ARM based systems. Microsoft has stated that all Windows 8 branded x86 PCs must have the ability to disable secure boot.

Sure, they say that now. Soon it will be optional, then it will be required that secure boot be unable to be disabled.

Re:It is a trap - control over the OS (1)

fragMasterFlash (989911) | about 2 years ago | (#40927335)

So you think UEFI boot will be harder to root than iOS or Android devices? Look at the custom chipset in the XBox if you want to see what it takes to make a consumer product moderately well protected against being rooted. I have seen nothing in the secure boot specifications that looks as daunting. What scares the heck out of me is the likelyhood UEFI secure boot will end up being compromised without detection and critical infrastructure will be owned before anyone detects it.

Re:It is a trap - control over the OS (2)

SuricouRaven (1897204) | about 2 years ago | (#40927585)

It doesn't have to be uncrackable. It just has to be sufficiently hard that people who are not experienced with linux never get to try it.

Re:Its a trap!!! (1)

Anonymous Coward | about 2 years ago | (#40924257)

I am sure those who wish to break the popularity and open nature of commodity hardware and the OSs that run on it have long studied how best to break what we have achieved so far. UEFI Secure Boot is not so offensive that the Linux distributions "Run!" in fear, but it is pretty obviously that UEFI is just thin edge of the wedge [wikipedia.org] . It is sad that the Linux distributions are bending over so easily, together they might have been a force to be reckoned with... they better f-well not say "we could not have known..." in a few years time, seriously.

Linux does have a spokeperson (4, Insightful)

Taco Cowboy (5327) | about 2 years ago | (#40925349)

It is sad that the Linux distributions are bending over so easily, together they might have been a force to be reckoned with... they better f-well not say "we could not have known..." in a few years time, seriously.

 
What the linux distro distributors have failed to do, the Linux Kernel folks should pick up the slack
 
Do not forget, there exists a spokeperson for Linux - Linus Torvalds
 
It's up to Mr. Torvalds to decide which direction Linux should proceed on this UEFI issue
 

Re:Linux does have a spokeperson (-1)

Anonymous Coward | about 2 years ago | (#40925671)

you just made no sense...are you fucking moron?

Re:Linux does have a spokeperson (0)

Anonymous Coward | about 2 years ago | (#40926357)

Linux is not a bootloader. You might expect Linus to chime in if there were kernel modifications needed to support this, but there really aren't..

Re:Linux does have a spokeperson (1)

exomondo (1725132) | about 2 years ago | (#40927091)

What the linux distro distributors have failed to do, the Linux Kernel folks should pick up the slack

How? What can they do? They are kernel developers, not bootloader developers. Maybe GRUB and LILO developers could get involved but i don't see why the kernel developers have any interest/responsibility in it.

Do not forget, there exists a spokeperson for Linux - Linus Torvalds

And don't forget Linux is just a kernel, Linus is the spokesman for the kernel.

what is the point again? (1)

OrangeTide (124937) | about 2 years ago | (#40924123)

does UEFI secure boot bring any value to users or only to our corporate masters?

Re:what is the point again? (-1)

Anonymous Coward | about 2 years ago | (#40924149)

Sure, it allows IT people to lock down your computer from being tampered with or you getting it chock full of trojans and viruses.

Re:what is the point again? (0)

Anonymous Coward | about 2 years ago | (#40924169)

Riiiiight. It also also absolute control over YOUR computer by third parties. Pleeeaaase.

Re:what is the point again? (0)

Anonymous Coward | about 2 years ago | (#40924267)

Yeah, so much control that the Microsoft certification specifically requires that the OEMs let you disable the option.

Re:what is the point again? (1)

Anonymous Coward | about 2 years ago | (#40924343)

Because Microsoft would never think of pulling an ARM for future releases of Windows. Not in a million years. Can't happen.

Re:what is the point again? (0)

Anonymous Coward | about 2 years ago | (#40924419)

It can't. If they actually want to keep selling it.

Re:what is the point again? (1)

Anonymous Coward | about 2 years ago | (#40924441)

It can't. If they actually want to keep selling it.

Really? Who's going to stop them selling Windows because they require Windows-logoed motherboards to force 'Secure Boot'?

Re:what is the point again? (2)

OrangeTide (124937) | about 2 years ago | (#40924779)

The EU would probably stop them.

Re:what is the point again? (1)

0123456 (636235) | about 2 years ago | (#40926537)

The EU would probably stop them.

So why haven't they stopped Microsoft requiring 'Windows Boot' on ARM?

Re:what is the point again? (1)

exomondo (1725132) | about 2 years ago | (#40926871)

So why haven't they stopped Microsoft requiring 'Windows Boot' on ARM?

Because they obviously don't have a monopoly there, in fact they don't even have any presence in that market additionally the product they are releasing there is not the same as the one in which they have a monopoly. It's the same deal with Windows Phones, they don't have to open that up and provide all their private APIs because they don't have a monopoly in that market. They have a monopoly in x86 desktop/laptop computers (a market that doesn't include ARM computers) - it's all there in the EU and US DOJ filings.

Re:what is the point again? (1)

eric_herm (1231134) | about 2 years ago | (#40927503)

Why would they stop Microsoft and not Apple or Samsung or every people on the market who do this since years on their arm tablet and computer ( also called cellphones ) ?
In fact, why do people care about Microsoft doing it and not Apple ? Where are all those protesters we are seeing on every website, why aren't they doing something radical like burning a Apple store ?

Re:what is the point again? (1)

SuricouRaven (1897204) | about 2 years ago | (#40927609)

Perhaps. After a ten-year court case. Then, once microsoft has destroyed all competition and ensured profits of many billions, the EU can give another record-breaking billion-euro fine.

Re:what is the point again? (1)

LordLimecat (1103839) | about 2 years ago | (#40924787)

DoJ.

Re:what is the point again? (1)

Anonymous Coward | about 2 years ago | (#40924189)

does UEFI secure boot bring any value to users or only to our corporate masters?

Pretty soon you won't be allowed to run any DRM-ed software on a machine which doesn't have it, because it will eliminate most opportunities for hacking the DRM.

Ah, I think I get your point.

Re:what is the point again? (1)

countach (534280) | about 2 years ago | (#40924255)

I think in theory it plugs a malware hole, that the whole OS is secure from the bootloader on up.

Re:what is the point again? (1)

morcego (260031) | about 2 years ago | (#40924593)

Yes. Like the "malware" that allows people to use a pirated copy of Windows 7.
Somehow, I think that is one of the main reasons they went after this "secure boot" thing.

Re:what is the point again? (1)

Nerdfest (867930) | about 2 years ago | (#40925525)

The best thing that could happen to Windows 8 is for people to pirate it. Perhaps they're trying to build up a false sense of value.

Re:what is the point again? (0)

Anonymous Coward | about 2 years ago | (#40925541)

Microsoft has never really gone after people who pirate Windows. Even non-validated copies of Windows work fine and just make the desktop black with a message at the bottom saying that it might not be a genuine copy.

Re:what is the point again? (1)

eric_herm (1231134) | about 2 years ago | (#40927517)

So when Microsoft do not try enough to stop piracy "that's because they want to keep their monopoly at all costs", and when they do "that's because they want to keep their monopoly". There is a moment where logic should apply I think.

Re:what is the point again? (5, Interesting)

gomiam (587421) | about 2 years ago | (#40924627)

Theory is closer to practice in theory than in practice. The facts are clear: UEFI lets someone else decide what you can or can not run in your computer.

Think you can disable it? Think again: who is going to care about your being able to disable it when, eventually, Microsoft requires it to be always on on Intel versions of Windows just like they have done on ARM?

Re:what is the point again? (2)

Gadget_Guy (627405) | about 2 years ago | (#40925077)

Think you can disable it? Think again:

Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.

Re:what is the point again? (0)

Anonymous Coward | about 2 years ago | (#40925363)

Re:what is the point again? (0)

Anonymous Coward | about 2 years ago | (#40925447)

It's worth noting that, even in the Wikipedia article you linked, most people agree frogs won't sit still no matter how slowly you boil the water.

Re:what is the point again? (2)

http (589131) | about 2 years ago | (#40926213)

If being able to disable it is part of the UEFI spec, what are those Windows 8 ARM devices using?

Re:what is the point again? (2)

Gadget_Guy (627405) | about 2 years ago | (#40927217)

It is a different spec for ARM than Intel chips. The ARM version of Windows 8 does not have to maintain backwards compatibility with an existing user base. Intel Windows does have a long pedigree, and the OS will work on systems made in 2002. Given that they are trying to support computers that predate UEFI by a decade, then they can't start insisting on secure boot only.

Re:what is the point again? (2)

camperdave (969942) | about 2 years ago | (#40926381)

Think you can disable it? Think again:

Um, no. It is part of the spec that motherboards must be able to disable UEFI. So if you go out and buy a Windows 8 certified system then you will be able to install any operating system you want. And no amount of bleating about how nobody cares for your right to boot the old fashioned way will change this.

It is part of the spec AT THE MOMENT, but that doesn't mean it will remain part of the spec.

Re:what is the point again? (1)

eric_herm (1231134) | about 2 years ago | (#40927601)

yeah, that's like saying "sure free speech is part of the consitituion, but it can be changed so our liberty are endangered". Saying "this can be changed later" is a totally useless statement. Maybe saying "maybe the spec will later mandate a anal probe to start my computer" is equally as accurate, since based on non existant facts and still true, because we have the technology for doing that ( ok, not exactly, because there is no ready to use probe for that, but nothing prevent to build them ).

So sure, basing your present on whatever could happen without proof ( and i mean, real proof, not supposed one ) is idiotic.

Microsoft requires secure boot with UEFI because the whole industry for arm tablet already does, each with their own way. So the main point is to have 1 single thing to support, and not local variation, which make sense from a engineering point of view. Without stuff like SB on arm, I think Microsoft would have asked for a locked bootloader anyway, only to prevent movies copying and others demands that Apple surely make to the content industry. Without this, content provider would have said "no", and they would have lost a rather important competitive advantage ( if not a strategic one, since tablet are marketed as comsuption devices primarly, like "reading paper on the couch", or "watching streamed movies" ). Or even for non content related industry, there is games and Apple tout the fact that piracy is higher on Android to lure people into developping for their platform ( and thus get money when games are doing well ).

So face it, the battle was played when people accepted ios devices. The rest is just industry following those who succeeded.

Re:what is the point again? (3, Informative)

phantomfive (622387) | about 2 years ago | (#40926611)

As someone who's gotten Linux to boot on an EFI machine, I can tell you that motherboards do not always implement the full specification.

Generally they do what is necessary to boot Windows, and once that's working, call it good. They have no motivation to test and make sure disabling UEFI works.

Re:what is the point again? (0)

Anonymous Coward | about 2 years ago | (#40927027)

who is going to care about your being able to disable it when, eventually, Microsoft requires it to be always on on Intel versions of Windows just like they have done on ARM?

They could have done that with BIOS 20 years ago but they didn't and they can't do it on X86 version because they'd get a government smackdown just like they have in the past with anti competitive tactics.

Re:what is the point again? (0)

Anonymous Coward | about 2 years ago | (#40925139)

Or you could not use a computer logged in as super user.

The malware hole remains as long as anyone can install third party applications on their own computer.

Re:what is the point again? (1)

Billly Gates (198444) | about 2 years ago | (#40924755)

Yes. It keeps my computer secure from rootkits and with Office 2013 and win 7 I can put restrictions on files in groups and have documents timebomb which is nice too.

I do not like the implementation of this as an OEM or MS can decide for me which OS to sign. This would be great if keys could be installed from the internet using something like SOA so that way I could run Linux or even my own os signed! That probably wont happen in future releases of UEFI but one can hope.

Microsoft Linux (-1, Flamebait)

Forty Two Tenfold (1134125) | about 2 years ago | (#40924141)

Fuck SuSE. Fuck Novell. Fuck slashvertisements.

Re:Microsoft Linux (0)

Anonymous Coward | about 2 years ago | (#40924151)

But most of all: Fuck trolls.

Re:Microsoft Linux (1)

Johann Lau (1040920) | about 2 years ago | (#40924183)

Don't knock it till you tried it. I mean, people have no qualms talking about Ubuntu with a straight face here... wtf is up with that?! OpenSUSE is as awesome as they can be in a crappy world.

Re:Microsoft Linux (1)

Forty Two Tenfold (1134125) | about 2 years ago | (#40927383)

Don't knock it till you tried it.

Guess what, I'm servicing SuSE in corporate environment. We're moving on, though. To Debian.

Re:Microsoft Linux (0)

Anonymous Coward | about 2 years ago | (#40924609)

Fuck trolls like you, moron. SUSE has nothing to Novell after Attachmate and Microsoft is committing to open source a lot, you undercomplete idiot!

Re:Microsoft Linux (1)

Forty Two Tenfold (1134125) | about 2 years ago | (#40927879)

Microsoft is committing to open source

Beware of Greeks bearing gifts

here's hoping.. (1)

Johann Lau (1040920) | about 2 years ago | (#40924163)

There are two ways of getting there. One is to work with hardware vendors to have them endorse a SUSE key which we then sign the boot loader with. The other way is to go through Microsoft's Windows Logo Certification program to have the boot loader certified and have Microsoft recognize our signing key (i.e. have it signed with their KEK). We are currently evaluating both approaches, and may eventually even pursue both in parallel.

Seeing how Microsoft is currently pissing off Hardware vendors (and surface isn't even out, so I guess the worst is still to come), I sure hope the first of those two options will come to pass. I'm not sure if I dare be optimistic, this whole thing crazy to begin with. I mean, who the fuck is Microsoft's Windows Logo Certification anyway, and why are they putting their penis in my soup? Waiter?!?!

Re:here's hoping.. (-1)

Anonymous Coward | about 2 years ago | (#40924479)

Did you know? The word "hardware" is not a proper noun and you are not Emily Dickinson. Go back to second grade.

Re:here's hoping.. (2)

Johann Lau (1040920) | about 2 years ago | (#40924721)

Yeah, I know that. Do you know what random typos are?

I'm getting tired of passive-aggressive gestures of submission by AC's.. I mean, I get it, but still.

Re:here's hoping.. (1)

camperdave (969942) | about 2 years ago | (#40926427)

Did you know? The word "hardware" is not a proper noun...

Some people [ancientfaces.com] would like to have a word with you.

There's a totally open source verified boot (3, Insightful)

Anonymous Coward | about 2 years ago | (#40924217)

running on Chromebooks. All source is there. You can download it and study it and build something good on it.

So what are the "open source OS companies" putting all their effort into? Satisfying a closed, proprietary system designed to lock users in. Very disappointing.

Re:There's a totally open source verified boot (3, Interesting)

AdamWill (604569) | about 2 years ago | (#40924379)

UEFI is a standard. It's not a codebase. There's no reason there can't be F/OSS implementations of UEFI, and indeed Secure Boot - SB relies on asymmetrical key signing, which of course can be perfectly well implemented by F/OSS code. In fact, I think there's a partial F/OSS implementation of UEFI and SB for qemu already.

Re:There's a totally open source verified boot (0)

Anonymous Coward | about 2 years ago | (#40924507)

No offense intended, but you don't understand the problem if you are saying this. You're just propagating misinformation.

Ron Minnich

Re:There's a totally open source verified boot (0)

Anonymous Coward | about 2 years ago | (#40925685)

this is /. understanding 99.9% of comments are misinformation is the first rule to /. club; and yes that guy is a moron who doesnt understand the problem

Re:There's a totally open source verified boot (1)

eric_herm (1231134) | about 2 years ago | (#40927627)

The next rule is that "if this is your first night on the /. club, you must post misinformation comments"

Re:There's a totally open source verified boot (0)

Anonymous Coward | about 2 years ago | (#40924513)

Yeah, you just need to install your own BIOS on your motherboard before you can boot your OS. That's so simple.

Re:There's a totally open source verified boot (0)

Anonymous Coward | about 2 years ago | (#40924847)

and see how far the various "Open" bios has gotten. :P http://en.wikipedia.org/wiki/OpenBIOS

All that fighting for nothing? (4, Insightful)

Anonymous Coward | about 2 years ago | (#40924493)

I don't get it.

So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?

You know what? Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.

Playing along here is NOT THE ANSWER. Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufactures who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first). They're going to realize this mighty fast and either produce cheaper "Linux" versions of their motherboards without UEFI restrictions (or even better, without UEFI at all)- or just drop the whole Secure Boot thing all together.

Again, playing along with this mockery is the WORST POSSIBLE THING anyone could do. It's like letting the Germans into your country during 1945 because they promised they'd only ask for your papers when you're entering or leaving your own city. How long do you think it'll be until they have the same guards stationed everywhere? Train stations, food stores, clothe stores... How long before you're walking down the street in your own community and you're getting stopped for papers, only blocks away from your house?

I'm sick and tired of people saying "it's only the bootloader man, chill". Yeah, it might be today. What about tomorrow, when they drop the ability to manually disable Secure Boot permanently? What then, huh? Well, then Microsoft has the power to revoke your keys and doom your operating system to death. After everything Linux has been for, after everything Linux has stood for- why the fuck would you EVER want to give Microsoft this power?

Fedora, Ubuntu, and SUSE can kiss my fucking ass. All these distributions are a disgrace. A total fucking disgrace. The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch". So what if your users have to manually disable Secure Boot for now. At least then they'll realize what is going on here and you might actually educate a few of them as to why CLOSED PLATFORMS ARE BAD.

-AC

Re:All that fighting for nothing? (-1)

LordLimecat (1103839) | about 2 years ago | (#40924923)

You know what? Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward,

Says the AC. You have something to say, say it as yourself.

It's like letting the Germans into your country during 1945

Yea, its exactly like that. Any credibility you had just flew out the window.

Re:All that fighting for nothing? (2)

Chaonici (1913646) | about 2 years ago | (#40925225)

Erm, the person who posted the message is not as important as the message's content. In fact, the identity of the poster is almost completely irrelevant.

Re:All that fighting for nothing? (-1)

Anonymous Coward | about 2 years ago | (#40925565)

Disagree.

If Charles Manson said to drop by for a beer would your thought process be the same as if Prince Charles did the same?

Re:All that fighting for nothing? (0)

Anonymous Coward | about 2 years ago | (#40926767)

Sure. Manson is a decrepit old man in prison. He's probably even more harmless than Charles.

Re:All that fighting for nothing? (1)

LordLimecat (1103839) | about 2 years ago | (#40926055)

To make statements as bold as his without actually standing behind them damages the credibility of the statement itself, and makes one suspect trolling. When said AC proceeds to Godwin the whole discussion and compare a situation in IT to World War 2, it becomes clear why ACs are generally reviled.

One of the reasons to post AC is that you know your post is so ridiculous and out there that theres a 50/50 chance it will get flagged as the flamebait that it is. GP basically said "if you dont agree with me youre WW2 France, and Microsoft is Hitler". If that doesnt deserve a karma penalty I dont know what does.

Re:All that fighting for nothing? (1)

epyT-R (613989) | about 2 years ago | (#40926093)

his argument is spot on.. obviously since the only thing you could critique was his anonymity and his nazi reference...and honestly, the former is perfectly acceptable in a free society, and the latter isn't all that far off base.

Re:All that fighting for nothing? (0)

Anonymous Coward | about 2 years ago | (#40925423)

You're free to stick with gNewSense and Trisquel.

Re:All that fighting for nothing? (1)

kiwimate (458274) | about 2 years ago | (#40925537)

Anyone who goes along with this UEFI bullshit is a fucking traitor, a coward, and a goddam disgrace to the open source community.

Ah, well at least you're putting forth a calm and rational argument.

Doing NOTHING is the only appropriate course of action. Why? Simple, because then you're shifting the problem to the hardware manufactures who are going to get shafted in sales because their stuff doesn't run Linux OOTB (not without configuring UEFI first).

This argument isn't going to fly. Most hardware manufacturers don't care about Linux. How long have Slashdotters bemoaned the lack of major manufacturer Linux options, or complained about the small forays by Walmart and Dell which are then pulled back?

It's like letting the Germans into your country during 1945

This kind of commentary is not doing your argument any favors. You're shooting yourself in the foot; you obliterate any useful point you may have.

The least they could do is show some goddam balls, stand up and say "No, we're not going to be your bitch".

Says the anonymous coward.

I have several times observed a tech expert, making a totally valid point that was 100% correct, fail utterly to win support for his argument because he made his point while raving and going over the edge.

Ranting is not the answer. You end up marginalizing anyone who's not already part of the faithful. Doing nothing is not the answer. People who you want to switch to Linux will see it doesn't work on their new system and won't have any sensible explanation as to why this should be. If that's the first picture they get, and there's no help, then they think "Linux can't even install/boot up/get started without some mucking around? What else is going to go wrong?".

Then again, you're probably not going to listen and I really don't care. So, rant away, and continue wondering why you don't make any inroads.

Re:All that fighting for nothing? (1)

epyT-R (613989) | about 2 years ago | (#40926209)

Ah, well at least you're putting forth a calm and rational argument.

It is rational. It just isn't calm.

This argument isn't going to fly. Most hardware manufacturers don't care about Linux. How long have Slashdotters bemoaned the lack of major manufacturer Linux options, or complained about the small forays by Walmart and Dell which are then pulled back?

agreed. this argument doesn't make much sense.

This kind of commentary is not doing your argument any favors. You're shooting yourself in the foot; you obliterate any useful point you may have.

why? the whole nazi police state reference is a perfect analogy with the top down lock down that is signed UEFI. Sure, today, it can be disabled, but the slippery slope does apply here.

Says the anonymous coward.

In free societies, anonymity is perfectly acceptable. the argument stands or falls on its own. demanding id just demands an argument from authority. the only thing you might gain is slightly higher confidence in the speaker, but that doesn't prove anything either.

I have several times observed a tech expert, making a totally valid point that was 100% correct, fail utterly to win support for his argument because he made his point while raving and going over the edge.

In cases where someone is ranting, it is most likely serious, with high stakes, and the group is about to make a terrible decision. In such circumstances, these listeners are idiots for not taking sound advice because the format didn't stroke their egos sufficiently/allow them to save face/hurt their oversensitive feelings.

Re:All that fighting for nothing? (1)

camperdave (969942) | about 2 years ago | (#40926631)

It's like letting the Germans into your country during 1945

Learn a little history. In 1945, the War was ending. The Allied Forces were squeezing Germany like a lemon. Hitler was ordering that all industries, military installations, machine shops, transportation facilities and communications facilities in Germany be destroyed. German military leaders were committing suicide left, right, and center. There were probably untold thousands of German civilians fleeing the country in 1945. None of them would have been stopping people and asking for papers. They would have been glad to get out alive.

Re:All that fighting for nothing? (2)

westlake (615356) | about 2 years ago | (#40926773)

I don't get it.
So after several decades of fighting for free software (and computer freedom in general), all these distributions are just going to roll over on command for Microsoft?

Secure Boot is not new.

Another case of trusted boot is the One Laptop per Child XO laptop which will only boot from software signed by a private cryptographic key known only to the OLPC non-profit organisation. However, the laptop and the OLPC organisation provide a way to disable the restrictions, by requesting a "developer key" unique to that laptop, over the Internet, waiting 24 hours to receive it, installing it, and running the firmware command "disable-security". The stated goal is to deter mass theft of laptops from children or via distribution channels, by making the laptops refuse to boot, making it hard to reprogram them so they will boot and delaying the issuance of developer keys to allow time to check whether a key-requesting laptop had been stolen.

Hardware restrictions [wikipedia.org]

Secure Boot makes a great deal of sense.

Secure Boot is biting the geek in the ass because of his pathetic dependence on affordable hardware designed and built for the mass market Windows platform and because he has had damn little influence or control over the explosive evolution of a mobile market defined and shaped by Apple.

You do not gain converts to Linux by disabling low-level hardware security in Windows.

You do not gain converts to Linux by encouraging Windows users to dual boot into Linux.

Damn near everything client side in FOSS is ported to Windows or begins as a native Windows app. There are strange, inexplicable, glitches. Try explaining to a Windows user why audio and video support isn't part isn't part of the default install of the Chromium browser...

You gain converts to Linux through strong OEM support and promotion and broad retail distribution of high quality Linux systems. The bottom feeders are no longer welcome even at Walmart.

Re:All that fighting for nothing? (1)

flyingfsck (986395) | about 2 years ago | (#40927369)

Hmm, I think only Argentina let Germans into their country in 1945.

Slashdot has gone batsh*t crazy (5, Informative)

Anonymous Coward | about 2 years ago | (#40924501)

I'm used to a little bit of healthy paranoia here, but the amount of FUD and flat-out misinformation in Slashdot's UEFI reporting is frankly astonishing. Let's get a few things straight.

UEFI is not a Microsoft technology. It is an industry standard intended intended to replace the archaic x86 BIOS. Microsoft participated in the standard, as did Slashdot favorites Red Hat, Canonical, IBM, and AMD. You can freely download the full specification [uefi.org] from the uefi.org website.

Secure Boot is part of the larger UEFI specification. See section 27 for the technical details. Of particular interest to Slashdot readers will be section 27.7 which describes the key update mechanism.

Secure Boot is intended to solve the real-world security problem of boot-time malware. No operating system can defend against malware at boot-time; this would be equivalent to defending against the hardware itself. If it helps, imagine how you would defeat a keylogger embedded in your keyboard.

Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure. (I am defining "full-proof" here to mean the keys and hashes involved are adequately difficuly to brute-force with modern hardware. I am also explicitly discounting scenarios outside of UEFI's area-of-responsibility, such as vulnerabilities in the operating system's signed image.)

For some real irony, see the Slashdot article Windows 8 Secure Boot Defeated [slashdot.org] . Both the headline and much of the discussion in this article were flat-out wrong. The exploit in question targetted the legacy BIOS and MBR. This is exactly the problem that Secure Boot addresses, and it reinforces the need for this technology.

Secure Boot is not a DRM scheme, nor it is explicitly a tool for Microsoft lock-in. Remember that on x86 platforms, the end-user can edit the key database, and can disable Secure Boot entirely. I concur that Microsoft's treatment of ARM is a dick move, but is also typical for other vendors in that market segment. In either case, remember that Secure Boot is a logical solution to a real-world problem affecting all operating systems, and evaluate it on this merit first.

Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.

Links:
UEFI membership list: http://www.uefi.org/join/list/ [uefi.org]
UEFI specification: http://www.uefi.org/specs/agreement [uefi.org]

Re:Slashdot has gone batsh*t crazy (5, Insightful)

gomiam (587421) | about 2 years ago | (#40924781)

UEFI is not a Microsoft technology. It is an industry standard intended intended to replace the archaic x86 BIOS.

OOXMLz [wikipedia.org] is a standard as well. Your point being?

Secure Boot uses code-signing to defeat boot-time malware. This is the optimal solution and should be full-proof provided (1) the machine is physically secured, and (2) the private keys are secure.

I guess you meant fool-proof. And it is. It is fool-proof against all those fools who want to decide to run their own code on the computer without having to ask permission beforehand.

Secure Boot is not a DRM scheme, nor it is explicitly a tool for Microsoft lock-in.

True, and yet... it can be used as such. Excuse me, I meant it is already being used as such (see Windows 8 on ARM).

Just because the technology can be mis-used is no reason to completely boycott it. For my part, I intend to use Secure Boot when it becomes generally available, but only buy parts that allow me to edit the key database.

You are free to decide what to use. Just tell me: what will you do when the parts that allow you to edit the key database stop being manufactured? What will you do when, say, the graphics cards you want to use require UEFI to protect their HDMI hardware? It will happen, and rather sooner than later.

Remember: it's not paranoia when they are out to get you. And they are, oh how they are.

Re:Slashdot has gone batsh*t crazy (2)

Joe_Dragon (2206452) | about 2 years ago | (#40925337)

Video cards have HDCP now and they don't need UEFI to lock it down.

Re:Slashdot has gone batsh*t crazy (3, Interesting)

guruevi (827432) | about 2 years ago | (#40927469)

But HDCP is also weak and has already been defeated. Secure Boot could make it hard for instance to put in a driver that would accept non-HDCP links.

The problem is that Secure Boot is a solution looking for a problem. Boot-time malware can already be detected in software, is really hard to pull off, can be secured by not allowing software other than the OS to access the boot records and wouldn't be a benefit to anyone if it was undetectable.

Re:Slashdot has gone batsh*t crazy (2, Insightful)

Anonymous Coward | about 2 years ago | (#40925379)

But it is paranoia when you assume people are out to get you and ignore the facts of the matter. Facts like:

1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.
2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.
3. The Secure Boot specification requires that it can be disabled. This isn't just for open source nuts, it's also for Windows admins who want to downgrade an OS or run imaging software or run tests from a USB drive. If OEMs locked down the hardware so those tasks couldn't be completed they would go out of business.

If you think secure boot is going to take over and prevent people from running the software/OS they want, then you are being paranoid.

Re:Slashdot has gone batsh*t crazy (0)

Anonymous Coward | about 2 years ago | (#40926249)

1. UEFI Secure Boot is only required for Windows 8 Logo certification. It will not affect OEMs selling Linux machines, servers or hobbyist hardware.

Right now at the moment it will not affect OEMs no, but why give convicted monopolists the tools that may eventually be used to lock out competition to begin with? It's like hiring a drug addict to guard the police evidence locker, of course it'll work for the first couple of days, but you know that he's going to get in there eventually.

2. Linux is now a multi-billion dollar market. Do you really think hardware makers are really going to stop supporting Linux? They'd basically lose all the major enterprises in the world over night.

Wrong. Linux in the ENTERPRISE is a multi-billion dollar market. Nobody is making any money (directly) off of home Linux users, nor care if they are the ones being locked out of their hardware.

3. The Secure Boot specification requires that it can be disabled. This isn't just for open source nuts, it's also for Windows admins who want to downgrade an OS or run imaging software or run tests from a USB drive. If OEMs locked down the hardware so those tasks couldn't be completed they would go out of business.

Specifications can and will be changed. The fact that you're calling people who use open source 'nuts' already shows how much you care about that topic, so you're trying to convince people who do take open source seriously that Secure Boot is not that bad, while not having a vested interest in open source yourself, but apparently do have a vested interest in Secure Boot.

The Windows admins who need to downgrade an OS, will eventually be able to do that for the first few years, until the hardware gets written off and hardware is brought in that ONLY runs the latest and greatest, but that doesn't matter of course, because the older version of Windows will not be supported anyway anymore...

Re:Slashdot has gone batsh*t crazy (0)

Anonymous Coward | about 2 years ago | (#40927205)

OOXMLz [wikipedia.org] is a standard as well. Your point being?

I'm not sure how he could have made it more obvious, OOXMLz is not an industry standard (which is one of his qualifiers) and was developed solely by Microsoft, which again he quite clearly pointed out that is not the case with UEFI. I'm not sure he could have been much clearer, i've bolded the relevant parts of his post if that helps you:

It is an industry standard intended intended to replace the archaic x86 BIOS. -- See how he says 'industry standard'? OOXMLz is not an industry standard.

Microsoft participated in the standard, as did Slashdot favorites Red Hat, Canonical, IBM, and AMD. -- See how he says Microsoft participated in the standard as did a number of other companies? Microsoft created the OOXMLz standard on their own without participation of other companies.

Re:Slashdot has gone batsh*t crazy (1)

kiwimate (458274) | about 2 years ago | (#40925611)

Excellent post. I have several times thought about pointing out these same points on UEFI, but always gave up. I figured "no point - it'll get modded down because people don't want to hear".

Re:Slashdot has gone batsh*t crazy (0)

Anonymous Coward | about 2 years ago | (#40926177)

Secure Boot is not a DRM scheme, nor it is explicitly a tool for Microsoft lock-in. [...] Just because the technology can be mis-used is no reason to completely boycott it.

My fear is that, once Secure Boot is widely implemented, Microsoft will start refusing Windows licenses to hardware manufacturers who allow the end-user to install their own keys in order to install a new OS. You seem to know what you're talking about. Could you please tell me: is this possible?

Re:Slashdot has gone batsh*t crazy (1)

lostfayth (1184371) | about 2 years ago | (#40926629)

They could refuse to certify their hardware, which would likely cost them any discounts on licensing. They would not be able to use windows update to update drivers. See: http://msdn.microsoft.com/en-us/library/windows/hardware/hh924782 [microsoft.com]

Windows could be changed in such a way as not to allow installation on uncertified hardware. Likely not insurmountable, but not trivial for the average user.

The tinfoil hat could be screwed on too tight, but then again..

Re:Slashdot has gone batsh*t crazy (1)

KingMotley (944240) | about 2 years ago | (#40927457)

If Microsoft forced vendors, or even coerced them into something like that, there would be more antitrust trials both in the US, the EU, and probably a few other countries. It wouldn't be profitable no matter what, so they won't do it even if you think Microsoft is out to get you. It really is that simple.

Re:Slashdot has gone batsh*t crazy (1)

lostfayth (1184371) | about 2 years ago | (#40927661)

Yet it is possible, which was the question that was asked. The repercussions (legal and otherwise) would be swift, currently.

Re:Slashdot has gone batsh*t crazy (1)

eric_herm (1231134) | about 2 years ago | (#40927715)

And since vendors are microsoft primary clients ( remember, you do not buy a windows license most of the time, you buy a computer where someone negociated windows license for you ), it would be rather stupid to screw your own clients. It usually doesn't end well, especially when competition ( chromebook, canonical ) are ready to provides anything to make you miserable.

Re:Slashdot has gone batsh*t crazy (0)

Anonymous Coward | about 2 years ago | (#40927101)

Thank you. How different is UEFI from OpenBIOS or GRUB2?

It might be easy enough for us.... (5, Insightful)

complete loony (663508) | about 2 years ago | (#40925169)

Disabling secure boot, or manually installing a new vendor key, may be easy enough for us. But it adds another large hurdle for joe average user to try another operating system. That alone is reason enough to complain about it and object to it.

As it stands now the UEFI standard doesn't specify how the user can install a custom trusted key.

IMHO, hardware vendors should be required to leave the trusted key set empty from the factory. UEFI should then have a standard prompt to enable secure boot and install a key found on bootable media. If Microsoft were forced to guide the user through the same process that a linux installation would require, this process would get the attention it deserves to make it as user friendly and standardised as possible.

Re:It might be easy enough for us.... (0)

Anonymous Coward | about 2 years ago | (#40925739)

>Disabling secure boot, or manually installing a new vendor key, may be easy enough for us. But it adds another large hurdle for joe average user to try another operating system.

So you are asking us to imagine a user who is clever enough to find a new OS and go through the learning curve to install and use it but not clever enough to turn off one standardized firmware setting? LOL

Re:It might be easy enough for us.... (2)

complete loony (663508) | about 2 years ago | (#40926479)

There are a couple of ways to get a linux install working right now. You could boot a liveCD or USB, which obviously requires you to obtain the correct media and tweak the boot order in the BIOS first. Getting the user to tweak UEFI probably won't add too much difficulty for someone who can already accomplish this, but it is an additional step that may have great big scary warnings all over it.

But what about running something like ubuntu's windows installer? This reboots into linux from a virtual disk that it builds in a file on your windows partition. Is that easy enough for a user to try? But that can't reliably work with secure boot unless they've signed their boot loader with a key already known and trusted by the BIOS. And currently that will mean you get it signed by microsoft or it just doesn't work.

Re:It might be easy enough for us.... (1)

Missing.Matter (1845576) | about 2 years ago | (#40925755)

I wonder if you might be able to estimate how many "average joe users" attempt to install other operating systems. Anyone who even know consider installing Linux is pretty much by definition not average.

Re:It might be easy enough for us.... (0)

Anonymous Coward | about 2 years ago | (#40925899)

Your point being that it's ok to make it harder for them because they're not in the majority?

Re:It might be easy enough for us.... (1)

bws111 (1216812) | about 2 years ago | (#40926815)

Absolutely, why not? Nobody is required to produce something just because you want it. No doubt some people would find it very interesting to be able to modify how the processor in their computer works (change the pipelining, add scalar processors, etc). Does that mean that processor manufacturers should be 'required' to only build processors out of discrete components? Is it OK for them to make it harder for people to modify the processor by using chips?

Re:It might be easy enough for us.... (1)

exomondo (1725132) | about 2 years ago | (#40927241)

I'd sure as hell like a CPU with an unlocked multiplier...but of course I know the demand for such a thing is very low and as such they are much more expensive because they target a tiny market segment. It sucks sure, but niche products for niche markets.

Re:It might be easy enough for us.... (2)

waveclaw (43274) | about 2 years ago | (#40926707)

Joe average user doesn't know Linux exists, but let's pretend he's heard of it somewhere - maybe due to a huge marketing push by a vendor.

With virtualization, joe average user can try another operating system even in the world of UEFI's Secure boot model. Even today Linux distros become just another "app" joe can download to joe's Microsoft desktop and run.

There are some downsides to this. Any killer app for Linux becomes also a killer app for Windows. The experience of moving from Metro or Aero to something like GNOME 3 is likely to deter joe average user from trying that again.

Of course, as a Convicted Monopolist, Microsoft can report these Linuxes as viruses or trojans and refuse to run Linux virtual machines. Microsoft is also free to ban virtualized Linux distributions from the Windows Marketplace. Then joe is rather stuck. He's not going to some ugly website talking about Open-this and Free-that just to download something the size of a large movie that doesn't involve tits or explosions.

Booting Linux was once just the providence of the enthusiast. Today major Linux Distributions are as easy as if not easier to install on supported hardware than Microsoft Windows. But that window is quickly closing.

There is no telling how complicated or difficult disabling secure boot or installing a new vendor key will be in the future. I have a Sun Sparcstation 2 on which I have to program the boot PROM each time I power it on. Sure, it's just a couple dozen lines of Fourth. But there's a reason I never boot that space heater anymore. Even in the cold of winter.

Re:It might be easy enough for us.... (1)

exomondo (1725132) | about 2 years ago | (#40927273)

Of course, as a Convicted Monopolist, Microsoft can report these Linuxes as viruses or trojans and refuse to run Linux virtual machines.

No, as a convicted monopolist they are under much more scrutiny than other companies such that they don't abuse their position. I don't understand this perception that they are a convicted monopolist and somehow that means they can get away with anti-competitive practices, it means the opposite, they are a convicted monopolist so every competitive move they make is scrutinized by the US and EU.

Re:It might be easy enough for us.... (0)

Anonymous Coward | about 2 years ago | (#40927921)

Mod parent funny

Re:It might be easy enough for us.... (0)

Anonymous Coward | about 2 years ago | (#40927957)

Teh US? ORLY?

Re:It might be easy enough for us.... (1)

westlake (615356) | about 2 years ago | (#40927647)

Joe average user doesn't know Linux exists, but let's pretend he's heard of it somewhere

Booting Linux was once just the providence of the enthusiast.

If Joe Average doesn't know Linux exists, then booting Linux remains the sole province of the enthusiast.

For Joe, maintaining two operating systems, software libraries, and skill sets has all the appeal of root canal. What he needs to see is the "killer app" that makes the pain worthwhile. The FOSS app that hasn't been ported to Windows.

Name one.

Doesn't seem so bad (1)

SealBeater (143912) | about 2 years ago | (#40927037)

Maybe this is more of an issue with machines that have Windows pre-installed but I'm upgrading my motherboard and it has UEFI and the gentoo wiki doesn't make it seem so bad.

http://en.gentoo-wiki.com/wiki/UEFI [gentoo-wiki.com]

Laptops, of course are going to be an issue.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>