
Linux Foundation Offers Solution for UEFI Secure Boot

Soulskill posted about a year and a half ago | from the sidestep-and-ignore dept.

Security 308

Ever since news broke last year that Microsoft would require Windows 8 machines to have UEFI secure boot enabled, there were concerns that it would be used to block the installation of other operating systems, such as Linux distributions. Now, reader dgharmon sends this quote from Ars Technica about a new defense against that outcome: "The Linux Foundation has announced plans to provide a general purpose solution suitable for use by Linux and other non-Microsoft operating systems. The group has produced a minimal bootloader that won't boot any operating system directly. Instead, it will transfer control to any other bootloader — signed or unsigned — so that can boot an operating system." The announcement adds, "The pre-bootloader will employ a 'present user' test to ensure that it cannot be used as a vector for any type of UEFI malware to target secure systems. This pre-bootloader can be used either to boot a CD/DVD installer or LiveCD distribution or even boot an installed operating system in secure mode for any distribution that chooses to use it."


308 comments

BOOT ME IN THE ARSE, BABY !! (-1, Offtopic)

Anonymous Coward | about a year and a half ago | (#41630107)

Yeah, baby !!

Re:BOOT ME IN THE ARSE, BABY !! (-1)

Anonymous Coward | about a year and a half ago | (#41630275)

My butthoal brings David Boises to the Bard
and your mom is uh effin tard
and your mom is uh effin tard
I could do you but your butt is large.

So why even bother with secure boot (5, Insightful)

Anonymous Coward | about a year and a half ago | (#41630117)

As per subject

Re:So why even bother with secure boot (5, Interesting)

GameboyRMH (1153867) | about a year and a half ago | (#41630141)

Exactly. Malware authors can use this. So we've come full-circle and only gained a big heap of complexity. Which is the best we could hope for once this idiotic idea got going.

Re:So why even bother with secure boot (4, Insightful)

Joce640k (829181) | about a year and a half ago | (#41630471)

Exactly. Malware authors can use this.

Not if everything in the startup chain has to be correctly signed ... something which a malware author can't do.

Re:So why even bother with secure boot (3, Interesting)

GameboyRMH (1153867) | about a year and a half ago | (#41630587)

They didn't seem to have any problem setting up boot sector viruses without UEFI secure boot, so if they can get a signed bootloader, why should they now? And signing the startup chain will remove even MORE user freedoms, it's a chicken-and-egg problem that won't end until the OS is at least as locked down as iOS.

Re:So why even bother with secure boot (0)

Anonymous Coward | about a year and a half ago | (#41630619)

Stuxnet/Flame/Whatever was signed by a compromised MS key.

Re:So why even bother with secure boot (4, Informative)

BLKMGK (34057) | about a year and a half ago | (#41630859)

Not exactly, it was signed with a weak key produced by one of their remote desktop solutions that allowed licensing of components. Microsoft has since revoked those keys and bumped up the minimum allowed key size to stop this in the future. This was NOT a case of someone stealing a Microsoft key left in the parking lot.....

Re:So why even bother with secure boot (3, Interesting)

smitty_one_each (243267) | about a year and a half ago | (#41630837)

If you've got a closed system of bits, then enough time, hardware, and interest should yield a way to jailbreak it.
So the real value would seem to be found in upping the time, hardware, and interest requirements.
What could well happen is that, in making Windows really painful to integrate with other systems, Redmond kills their sales.
And wouldn't that just suck Puget Sound dry?

Re:So why even bother with secure boot (3, Insightful)

Just Brew It! (636086) | about a year and a half ago | (#41630635)

RTFA. I think you'd notice if your Windows PC suddenly started displaying a Linux Foundation splash screen and waiting for you to hit Enter before booting the OS.

Re:So why even bother with secure boot (4, Interesting)

GameboyRMH (1153867) | about a year and a half ago | (#41630725)

And what will the average noob user do? Hit Enter to use their computer or use a Windows recovery disk* to fix the bootloader? And if they do hit Enter and the computer apparently works fine, what do you think they'll do then?

*Not sold with many PCs, must be burned from the hard disk

Re:So why even bother with secure boot (4, Funny)

just_another_sean (919159) | about a year and a half ago | (#41630867)

Become a Linux user?

Re:So why even bother with secure boot (0)

Robert Zenz (1680268) | about a year and a half ago | (#41630899)

That would be an interesting virus: "Well, I had a virus, and it installed Linux right over my Windows". On the downside, because of the...uhhhh...technologically challenged crowd Linux would become synonymous with Virus...maybe an idea for Ballmer? So that he can finally attest his "Linux is cancer" claim.

Re:So why even bother with secure boot (0)

Anonymous Coward | about a year and a half ago | (#41630981)

And if the software is open sourced (it doesn't mention that in the article) the source code is available for anyone to download and modify. How long would it take for the malware/virus/etc authors to remove the splash screen and required input, and still find a way to keep the code signed?

Re:So why even bother with secure boot (1)

Anonymous Coward | about a year and a half ago | (#41630205)

Well, yes, since this is about undoing the damage done by Secure Boot, you're right.
But the people doing this have no power over vendors' decisions to enforce Secure Boot on their systems.

Re:So why even bother with secure boot (1)

Z00L00K (682162) | about a year and a half ago | (#41630229)

And it's my computer and if my computer has features that I can't access, disable or modify - like the encryption chip - then I have a problem with that.

If I need to change key depending on OS - then make it easy - like requesting a password for changing to another chain of keys.

Re:So why even bother with secure boot (1)

godrik (1287354) | about a year and a half ago | (#41630809)

I don't want a secure boot. I just want to be able to boot whatever I feel like booting.

Re:So why even bother with secure boot (1)

BLKMGK (34057) | about a year and a half ago | (#41630823)

Did you miss the part about a present user test? It means someone will be presented a message and asked to approve before boot proceeds. Sounds like a good way to go to me however it will certainly screw up a server reboot lol.

Re:So why even bother with secure boot (1)

Megane (129182) | about a year and a half ago | (#41631031)

Just make a USB-based watchdog device which periodically sends an enter key press, and is suppressed by a task running on the server. While this could be installed with physical access to the computer, it is unlikely that it could be done remotely. (Then again, if you are lucky enough that your target has the right USB device installed, and you can do a live upgrade of its firmware...)

Re:So why even bother with secure boot (1)

Anonymous Coward | about a year and a half ago | (#41630957)

There really wasn't any reason for it. Only the doomsayers thought secure boot would matter, the rest of us knew it would have a workaround before it was publicly released.

In a setting where many consumers are mildly paranoid about data theft (not enough to do something themselves, just enough to annoy salesmen at Best Buy), secure boot is another bullet point in the advertising. For the many who do not care, it means nothing either way. For the rest of us, it means nothing because we know it has already been resolved.

just let microsoft die (-1, Troll)

Anonymous Coward | about a year and a half ago | (#41630133)

we've come this far in our fight against everything microsoft why cave in now? just don't buy products from companies that enforce UEFI.

Apple...You're next.

Re:just let microsoft die (5, Funny)

GameboyRMH (1153867) | about a year and a half ago | (#41630169)

You target MS before Apple? That's like shooting at a vicious pomeranian nipping at your heels while a wolf is leaping for your throat.

Re:just let microsoft die (0)

Anonymous Coward | about a year and a half ago | (#41630193)

Damnit you insightful bastard, I just spent my last mod point on another topic.

Re:just let microsoft die (4, Funny)

Anonymous Coward | about a year and a half ago | (#41630351)

That's ridiculous.. they're both wolves, just one is in really sexy sheep's clothing.

Re:just let microsoft die (1)

ByOhTek (1181381) | about a year and a half ago | (#41630443)

You're Scottish, aren't you?

(sorry, I have a friend who's a Scottsman who loves to make jokes about Scotts and sheep...)

No true Scottsman (5, Funny)

Dareth (47614) | about a year and a half ago | (#41630535)

No true Scottsman jokes about sheep.

Re:No true Scottsman (1)

ByOhTek (1181381) | about a year and a half ago | (#41630637)

OK. I could have been mistaken in thinking they were jokes. They could well have been life (or even previous weekend stories).

Re:just let microsoft die (4, Funny)

somersault (912633) | about a year and a half ago | (#41630857)

I'm Scottish, and it's written Scotsman/Scots by the way.

Anyway, back to the topic at hand; I have to say that I don't know what you're talking about. I'd say that at least 80% of sheep aren't that sexually attractive.

Re:just let microsoft die (1)

somersault (912633) | about a year and a half ago | (#41630353)

So far Apple only really care about and have control over their own products. Microsoft are trying to control everything else, which is something like 90% of general purpose PCs.

Re:just let microsoft die (3, Interesting)

GameboyRMH (1153867) | about a year and a half ago | (#41630401)

Apple is attacking the consumer's expectation of software freedom. You can't go any lower than that without a brain implant.

Re:just let microsoft die (4, Interesting)

ByOhTek (1181381) | about a year and a half ago | (#41630485)

I think it's worse than that.

Apple is building /their/ product and trying to get everyone to adapt their needs to it. At least MS is trying to make its product general purpose (if ineptly in some cases), and allow people to have options at every level except the OS. Apple tries to restrict options at ALL levels.

Re:just let microsoft die (1)

somersault (912633) | about a year and a half ago | (#41630633)

Okay, it's a bit weird that I'm defending Apple here, but before the iPhone most people didn't even install apps on their phones. I did personally, but Apple actually increased people's expectations of their phones. Yes they keep a tight rein on their market, but for those people who actually care, there is Android. I have 3 Android powered devices that I use regularly, and I much prefer them to the Apple alternatives.

Most people don't care about software freedom, and never have. There is no "expectation" from anyone apart from us geeks.

Also I just RTFA and I saw this:

"Although Microsoft's stipulations require also that x86/x64 systems provide an option to disable Secure Boot"

This is completely different to what I'd expected after the anger and fear that I've seen here over the Secure Boot thing. It sounds like just another BIOS option. Anyone who wants to try out Linux probably also is aware how to edit BIOS settings. Or they can use a VM if they want to take the easiest route, that will presumably completely bypass Secure Boot too.

Re:just let microsoft die (1)

Nerdfest (867930) | about a year and a half ago | (#41630405)

It's true. Someone said nobody except a small subset of nerds even cares. If all the developers who use MacBooks stopped buying them, it would be a big hit for Apple. Corporations would need to do it to get Microsoft's attention. Of course, Apple may not care at this point. You need a MacBook to develop for iOS, and that seems to be the only platform they really care about these days.

Re:just let microsoft die (1)

shentino (1139071) | about a year and a half ago | (#41630605)

And also points out that the vicious pomeranian is taking advantage of the situation by adding insult to injury picking on your heels when you've already got your hands full dealing with the wolf.

Don't cut the pomeranian any slack just because the wolf happens to be bigger.

Pardon the pun, but dogpiling on someone already under attack is a pretty cheap tactic.

Re:just let microsoft die (3, Insightful)

Anonymous Coward | about a year and a half ago | (#41630185)

cause, no one else except for a small subset of geeks even care

Re:just let microsoft die (0, Troll)

Anonymous Coward | about a year and a half ago | (#41630201)

Yeah, you've beat them down from 97% of installs to 90% of installs. You've come so far in this fight. LOLzzz!!!
 
Anyone who uses Apple? You have nothing to worry about since the loss of marketshare that MS has suffered in the last 20 years is mostly due to Apple products.
 
Linux is teh failboat.

Re:just let microsoft die (0)

Anonymous Coward | about a year and a half ago | (#41630403)

Linux is teh failboat.

Only if you measure it in terms of raw marketshare.

Personally I don't care much for the marketshare penis waving. Linux does me just fine, really it's the only OS I regularly use. Because it's not trying to pay 10,000 people's salaries it won't go away even if the market share stays where it is.

This idea that linux needs to be on every machine is tiresome. It just needs to work for those who want to use it.

Re:just let microsoft die (2)

LordNightwalker (256873) | about a year and a half ago | (#41630563)

Personally I don't care much for the marketshare penis waving. Linux does me just fine

Good thing I wasn't drinking anything when I read this... ;)

Re:just let microsoft die (0)

Anonymous Coward | about a year and a half ago | (#41630313)

That's funny. I've been dual booting OS X and Linux ever since the Intel transition without any problems. Maybe it's because UEFI and Secure Boot are not the same thing.

Re:just let microsoft die (2)

aaron552 (1621603) | about a year and a half ago | (#41630377)

Maybe it's because UEFI and Secure Boot are not the same thing.

That is correct. AFAIK, Secure Boot is an optional feature of UEFI

Re:just let microsoft die (2)

ByOhTek (1181381) | about a year and a half ago | (#41630599)

I suspect the vast majority of people who would be interested in your suggestion probably already pirate windows, if they use it at all. The negligible loss of sales you are promoting wouldn't even be an annoyance to MS.

Unfortunately, with the desktop losing a lot of ground, and that being the only really customizable platform (face it, DIY notebooks don't have nearly the variety of options, especially in the most important component - the motherboard), we won't see the option we would have seen a few years ago. Namely bios that will allow you to turn Secure Boot on or off. The vendors that cater to DIYers tend to be a lot more interested in the segment of the market you are discussing.

Frosty pee foam (-1)

Anonymous Coward | about a year and a half ago | (#41630137)

Forst!

Re:Frosty pee foam (-1)

Anonymous Coward | about a year and a half ago | (#41630305)

lolful

Virtualization (2)

sakkathotmagaa (2728241) | about a year and a half ago | (#41630147)

This just got me thinking - can Windows 8 run as a virtual machine, in say, VirtualBox or VMWare player? Will current 'virtual' bootloaders be able to boot it?

Re:Virtualization (4, Interesting)

afidel (530433) | about a year and a half ago | (#41630355)

Windows 8 doesn't require SecureBoot, otherwise their enterprise adoption would be 0% instead of the likely 1-5%. Windows 8/Server 2012 works under ESXi 5.0 with patches and is supported under 5.1.

Re:Virtualization (3, Informative)

lord_rob the only on (859100) | about a year and a half ago | (#41630653)

I've installed and run Windows 8 correctly in VBOX on my Debian SID. I mean Win 8 final (RTM, not the CTP this version doesn't work).
It was just a glance at the OS though because I was expecting a real crap, and I wasn't deceived ...

Unsuitable for server use? (5, Interesting)

Chrisq (894406) | about a year and a half ago | (#41630189)

From TFA:

To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge

Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?

Re:Unsuitable for server use? (1)

Anonymous Coward | about a year and a half ago | (#41630319)

I'm sure they'll end up making it optional, for the uses you mentioned. Plus hopefully you'll be able to just buy a server without the secure boot crap.

Re:Unsuitable for server use? (0)

Anonymous Coward | about a year and a half ago | (#41630901)

You know, or push out your own key via ILO.

Re:Unsuitable for server use? (2)

drinkypoo (153816) | about a year and a half ago | (#41630327)

I hope they mean before it boots for the first time... because otherwise, yes, this is crap.

Re:Unsuitable for server use? (2)

GameboyRMH (1153867) | about a year and a half ago | (#41630373)

On servers you'll just have to disable the secure boot feature, no problem for sysadmins, and anyone running a home server should have the skill to do the same, although this could give MS an advantage on HTPCs and home servers run by noobs.

Re:Unsuitable for server use? (0)

Anonymous Coward | about a year and a half ago | (#41630397)

Yeah doesn't sound like a good idea...

Re:Unsuitable for server use? (4, Informative)

LordNightwalker (256873) | about a year and a half ago | (#41630705)

From TFA:

To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge

Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?

From TFA:

To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.

So they offer a solution for your problem, but user input is required for this as well.
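
The flow quoted from TFA in the comment above, modelled as an added example (not part of the thread and not the Linux Foundation's code). `Platform`, `Decision`, `pre_bootloader` and `ask_user` are hypothetical names; the database here holds plain SHA-256 digests of the file bytes, and falling back to the ordinary prompt when enrolment is declined is an assumption.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Set


def image_digest(image: bytes) -> str:
    """SHA-256 of the raw bytes (simplification: real firmware hashes the
    PE image in Authenticode form rather than the whole file)."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Platform:
    """Hypothetical stand-in for the firmware state the quote refers to."""
    setup_mode: bool = False                    # True while the platform is in Setup Mode
    db: Set[str] = field(default_factory=set)   # authorized signatures database (digests only)


@dataclass
class Decision:
    boot: bool       # control was handed to loader.efi
    prompted: bool   # a present-user prompt was shown
    enrolled: bool   # the digest was added to db on this boot


def pre_bootloader(platform: Platform, loader_image: bytes,
                   ask_user: Callable[[str], bool]) -> Decision:
    """Decide whether to chain-load loader.efi.

    ask_user(prompt) models the splash screen: it returns True only when
    somebody at the console confirms, and False on a headless machine.
    """
    digest = image_digest(loader_image)

    # 1. Image already enrolled: boots with no present-user test.
    if digest in platform.db:
        return Decision(boot=True, prompted=False, enrolled=False)

    # 2. Setup Mode: ask for permission to enrol the digest so later
    #    boots skip the prompt, even back in secure boot mode.
    if platform.setup_mode and ask_user("enrol loader.efi?"):
        platform.db.add(digest)
        return Decision(boot=True, prompted=True, enrolled=True)

    # 3. Otherwise the present-user test applies on this boot.
    #    (Assumption: a declined enrolment also ends up here.)
    approved = ask_user("boot unverified loader.efi?")
    return Decision(boot=approved, prompted=True, enrolled=False)


def demo() -> List[Decision]:
    loader = b"constructed loader.efi contents"     # constructed sample image
    changed = loader + b" with one modification"    # same file after any change

    def present(prompt: str) -> bool:    # someone presses the key
        return True

    def headless(prompt: str) -> bool:   # server or HTPC, nobody answers
        return False

    p = Platform()
    results = [
        pre_bootloader(p, loader, present),    # secure mode, user at console
        pre_bootloader(p, loader, headless),   # secure mode, headless box
    ]
    p.setup_mode = True
    results.append(pre_bootloader(p, loader, present))    # one-time enrolment
    p.setup_mode = False
    results.append(pre_bootloader(p, loader, headless))   # unattended reboot now works
    results.append(pre_bootloader(p, changed, headless))  # changed image: prompt is back
    return results


if __name__ == "__main__":
    for step, decision in enumerate(demo(), 1):
        print(step, decision)
```

The last two steps are the part the thread argues over: an enrolled image reboots unattended, while any change to loader.efi produces a digest that is not in the database and brings the prompt back.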

Re:Unsuitable for server use? (1)

Chrisq (894406) | about a year and a half ago | (#41630747)

From TFA:

To address this, the Linux Foundation bootloader will present its own splash screen and require user input before it actually boots. In this way, it can't be silently installed and used to hand control to a rootkit without the user's knowledge

Doesn't this mean it is unsuitable for server use - or any "headless" operation such as MythTV?

From TFA:

To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode.

So they offer a solution for your problem, but user input is required for this as well.

OK, so what's to stop me installing a compromised version of Windows? If you can disable all warnings then isn't this bypassing any advantage of a secure boot?

What's to stop you turning Secure Boot off? (0)

Anonymous Coward | about a year and a half ago | (#41630855)

And then when this is "addressed" by making it not possible to turn off AT ALL, you now have a sanctioned monopoly of Windows Only PCs. Again.

Now, if this happens, you're STILL in a problem. Why are viruses so "bad"? Because they take your data and delete it. Well if I am the virus writer and I already HAVE your computer, you've already lost. If you are worried about your personal information being taken, if I have your computer then Secure Boot doesn't secure the disk drive from being read and you've already lost.

So what, precisely, does the scare of "what's to stop me installing a compromised version of Windows?" got to do with this if you need to be sitting at the keyboard to install a compromised version of Windows?

Re:Unsuitable for server use? (1)

LordNightwalker (256873) | about a year and a half ago | (#41630915)

OK, so what's to stop me installing a compromised version of Windows? If you can disable all warnings then isn't this bypassing any advantage of a secure boot?

Well, if you insist on installing a compromised version of Windows and allow it to boot, isn't that your problem? As long as others can't trick you into installing it by sending you some malware, I consider it a non-issue.

Re:Unsuitable for server use? (1)

BLKMGK (34057) | about a year and a half ago | (#41630999)

Yeah it does, and no I don't expect an option to skip the check else they would never sign it and revoke the key as has already been done in the driver world. If you've got a server or Myth box I would expect you to uncheck the option that requires secure boot and not sweat any of this as it wouldn't help you anyway since its currently only a Microsoft option.

Re:Unsuitable for server use? (1)

ilsaloving (1534307) | about a year and a half ago | (#41631017)

Then either disable SecureBoot entirely, which makes you no worse off than you are now, or use a distribution that provides proper secureboot keys like Redhat. Companies, et al, who need to have secure operations should like this option very much.

Slave of MS (2, Insightful)

Faisal Rehman (2424374) | about a year and a half ago | (#41630233)

LF became a slave of MS and is now working under its decisions: "the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader". Bad decision.

Re:Slave of MS (1)

shentino (1139071) | about a year and a half ago | (#41630649)

What choice do they have?

MS already got out of the anti-trust nuke we lobbed at it and is still grabbing OEMs by the balls.

mjg59.dreamwidth.org (4, Informative)

bfree (113420) | about a year and a half ago | (#41630245)

Linux Foundation approach to Secure Boot [dreamwidth.org]
James Bottomley just published a description of the Linux Foundation's Secure Boot plan [hansenpartnership.com], which is pretty much as I outlined in the second point here [dreamwidth.org] - it's a bootloader that will boot untrusted images as long as a physically present end-user hits a key on every boot, and if a user switches their machine to setup mode it'll enrol the hash of the bootloader in order to avoid prompting again. In other words, it's less useful than shim. Just use shim instead.

Further UEFI bootloader work [dreamwidth.org]
A couple of people have asked whether we're planning on implementing the Linux Foundation approach of simply asking the user whether they want to boot an unsigned file. We've considered it, but at the moment are leaning towards "no" - it's simply too easy to use to trick naive users into running untrusted code. Users are trained to click through pretty much any security prompt that they see, and if an attacker replaces a legitimate bootloader with one that asks them to press "y" to make their computer work, they'll press "y". If that bootloader then launches a trojaned Windows bootloader that launches a trojaned Windows kernel, that's kind of a problem. This could be somewhat mitigated by limiting this feature to removable media, and we're seriously considering that, but there are still some risks associated. We might just end up writing the code but disabling it at build time, and then anyone who wants to distribute with that policy can do so at their own risk.

Re:mjg59.dreamwidth.org (2)

pscottdv (676889) | about a year and a half ago | (#41630345)

In other words, it's less useful than shim. Just use shim instead.

You forgot to add this:

For [shim] to be useful you'll need it to be signed by Microsoft, so you'll also need a WinQual account.

Re:mjg59.dreamwidth.org (1)

bfree (113420) | about a year and a half ago | (#41630467)

I'm not sure where your second quote comes from? Yes, shim (or the LF thing) needs to be signed by Microsoft, but the idea here of both these options is that one person/group gets the first-stage bootloader signed (i.e. shim) and then others can use it as a blob which can then be told by a physically present user to trust other items which are not signed by Microsoft. The "here" link in my first post provides a good chunk of extra info.

The solution is simple (5, Insightful)

Anonymous Coward | about a year and a half ago | (#41630293)

The solution is simple. Simply do not purchase ANY computer that requires secure boot, or does not allow you to disable it!

Personally, I think this is a "feature" that is going to come back and bite MS in the derriere.. At least I hope so! :-)

For newbies (4, Insightful)

Chemisor (97276) | about a year and a half ago | (#41630553)

Your solution is of any value mostly to newbies who are incapable of going to the BIOS and typing in a new signing key (yes, all BIOS manufacturers worth buying, like ASUS, offer this option). I, for one, will not purchase any computer without secure boot. I like having a trusted hardware root. I like the fact that no malware can get in the boot process without my consent.

Re:The solution is simple (0)

Anonymous Coward | about a year and a half ago | (#41630797)

The solution is simple.

do not purchase ANY computer that requires secure boot

ALL OEM computers that ship with Windows 8 MUST require secure boot. (That covers all the major manufacturers.)

do not purchase ANY computer that does not allow you to disable it

x86: FOR NOW, Microsoft requires that secure boot can be user-disabled.
arm: Microsoft requires that secure boot cannot be user-disabled.

So (4, Funny)

Hatta (162192) | about a year and a half ago | (#41630309)

When I turn on my PC, it will boot the pre-boot loader, which will then boot grub, which will then boot my initrd which will finally boot Linux. Can we put any more steps in there?

Re:So (1)

GameboyRMH (1153867) | about a year and a half ago | (#41630423)

Yes you'll have to press a key to approve the Linux bootloader, every time it boots. Not kidding, RTFA.

Re:So (3, Insightful)

ledow (319597) | about a year and a half ago | (#41630607)

Every time it CHANGES. RTFA properly.

Re:So (0)

Anonymous Coward | about a year and a half ago | (#41630789)

Which means there's somewhere bit(s) that can be flipped so that the bootloader recognises the malware bootloader as already accepted.

Re:So (3, Insightful)

bonniot (633930) | about a year and a half ago | (#41630645)

Yes you'll have to press a key to approve the Linux bootloader, every time it boots. Not kidding, RTFA.

I don't think so. From TFA: "To facilitate repeat booting (and to make the pre-bootloader useful for booting hard disks as well as USB keys or DVDs) the pre-bootloader will also check to see if the platform is booting in Setup Mode and if it is, will ask the user for permission to install the signature of loader.efi into the authorized signatures database. If the user gives permission, the signature will be installed and loader.efi will then boot up without any present user tests on all subsequent occasions even after the platform is placed back into secure boot mode."

Re:So (1)

Bill Barth (49178) | about a year and a half ago | (#41630871)

Which is great unless you have 5000 nodes that you need to PXE.

Re:So (0)

Anonymous Coward | about a year and a half ago | (#41630991)

at which point, you can probably afford a signed bootloader or better hardware or something.

Re:So (0)

Anonymous Coward | about a year and a half ago | (#41630661)

initrd is not a bootloader - just ramdisk for vmlinuz!
grub loads vmlinuz and the initrd. Later it starts to run vmlinuz. Kernel then does a lot of stuff like switch CPU to protected mode. At some point kernel will launch init program/script from initrd. This script/program usually will load some modules and switch "/" and launch /sbin/init on target "/".

btw. initrd can be built into the kernel so you do not need it in grub.conf or grub2.conf if you use grub2.

That's why I dumped Linux for Xzibix (1)

Anonymous Coward | about a year and a half ago | (#41630671)

Yo dawg!

I heard you like boot loaders. So we put a boot loader in your boot loader so you can boot up while you boot up!

Re:So (1)

ledow (319597) | about a year and a half ago | (#41630701)

All of which will happen in a fraction of a second if you don't have boot prompts enabled.

And all of which is nothing compared to the hoops that most systems go through to get from switch-on to full operation on the CPU (real-> protected mode, etc.).

Re:So (0)

Anonymous Coward | about a year and a half ago | (#41630781)

You could try the opposite:
http://www.coreboot.org/Welcome_to_coreboot

For FSCK's sake (-1)

Anonymous Coward | about a year and a half ago | (#41630419)

Fuck It, I never post on slashdot anymore but I just have to comment on the stupidity of this.

Essentially, this means that this whole damn "Secure Boot" (as if anyone actually believed it was secure) can be circumvented. So, big deal, the Linux Foundation's version has some safeguards etc, etc.

This damn thing is hardware based, so updates will be few and far between. I predict you'll be able to take any executable and "patch" it to run at boot, the same way people have been patching Console video games to run (or at least, used to in the good 'ol Dreamcast days, I've not been active in that scene for quite some time).

Goodamn it. All this shit is is extra complexity, less control over your own system, and a really, really, retarded approach to security. At some point, users will have to take responsibility for what they do on a computer. The less companies try to hide that fact, the faster the security mindedness of the average joe will increase. ... I aint even mad tho.

Can Linux binaries be signed? (0)

Anonymous Coward | about a year and a half ago | (#41630421)

I'm ok with the concept of signed code at the hardware level, as long as keys can be totally maintained by the user.

I don't know enough about UEFI though to know what's required to sign binaries. Can Linux be signed? Can software from repositories be signed in a GPG kind of fashion?

If I have to enter a key in the BIOS and sign a kernel with a related key in order to install Linux, I could potentially live with that, and it actually might have a few security uses.

No, linux can't be signed (1)

Anonymous Coward | about a year and a half ago | (#41630489)

Because you can compile with slightly different options and now the signature is different and won't boot. You can't sign the changes because the private keys allowed to sign are not given to you and the BIOS needs updating to accept any new ones, so expect to have to prove your existence and pay a LOT of money to get your keys added in to all the UEFI machines.

Re:No, linux can't be signed (1)

Anonymous Coward | about a year and a half ago | (#41630727)

I understand all that, but if the user can use any key in the BIOS through a process which _requires_ an actual person with physical access, I still don't see why it can't be done... similarly to how you can add trusted keys for SSL to your browser - something which only advanced users would ever do.

Allow the user to generate keys and sign his/her own binaries with whatever private key. Make it so rootkits still can't do this because it requires a real person.

I don't see how this would be any less secure, as only people who know what UEFI is would ever do this. This way there could actually be some point of UEFI with less technical drawback (not counting usability drawbacks, but certain things could be automated).

Open Source Community (2)

helix2301 (1105613) | about a year and a half ago | (#41630447)

This is classic. It took Microsoft years to develop this technology and it takes the open source community less than a year. I love the power of the open source community.

Re:Open Source Community (2)

ledow (319597) | about a year and a half ago | (#41630513)

By buying a key from Microsoft.

Yeah. Nice way to work around this horrendous locking-down technology and promoting openness of hardware and all software (from BIOS up). "Let's buy a key to their proprietary lock-in systems that they can revoke at any time."

Re:Open Source Community (1)

somersault (912633) | about a year and a half ago | (#41630785)

You should keep reading the article until it no longer means what you currently think it means.

Boot sector viruses? Zero fucks given (2, Insightful)

GameboyRMH (1153867) | about a year and a half ago | (#41630527)

Boot sector viruses are the rarest form of virus, require root permissions to infect, and aren't especially hard to remove. And we've handed over a big chunk of freedom and made things worse for everyone to fight this minor annoyance (yeah right). This is worse than the computer equivalent of the PATRIOT act.

Yo dawg, I heard you like bootloaders, (1)

Anonymous Coward | about a year and a half ago | (#41630641)

so we put bootloaders in your bootloaders.

There is a general truth to consider... (3, Interesting)

3seas (184403) | about a year and a half ago | (#41630681)

If we make it, we can break it. Making secure boot just more locks to keep honest people out and more headaches for honest people to deal with.

Perhaps the real question here is why do people continue with Windows, when there are other options that have better general security?

Re:There is a general truth to consider... (0)

Anonymous Coward | about a year and a half ago | (#41630889)

Ease of use. Ease of installation (comes preinstalled on most computers). Familiarity.

This could enable 'Piracy' (1)

daniel.benoy (1810984) | about a year and a half ago | (#41630765)

There are methods which exist where you can 'spoof' your machine's hardware to appear as though it's a genuine Windows OEM, using a 'wrapper' boot loader.

A secure UEFI prevents that method, and a hack needs to be found in the Windows boot-up chain of trust (Much like how you would hack an XBox 360, which is very hard.)

Since the most recent UEFI standards permit the option to turn off secure boot on Intel machines, some might consider this to all be moot anyway, since people will be running unsigned code whether this 'pre-loader' exists or not. However, the UEFI standard merely *permits* an insecure mode. It doesn't enforce it. The hardware manufacturers are allowed to require secure mode, if they so choose, and still remain compliant with UEFI. Also, the ARM UEFI standard completely forbids an insecure mode, and Linux runs there too, so the Linux Foundation should by all rights be planning on getting a similar loader signed on ARM as well.

Long story short, if Microsoft chooses to sign this, it would be a win for both Linux, and for people who like to get unauthorized copies of Windows. Perhaps this means they will refuse to sign it, and invent some excuse that it will compromise their users' security or something equally absurd.

Srsly, what is wrong with you people? (1, Interesting)

erikvcl (43470) | about a year and a half ago | (#41630827)

Why are you fighting secure boot? Secure boot is a GOOD thing. Making sure your BIOS/UEFI and boot loader haven't been tampered with is a GOOD thing. Let's figure a good way to make Linux work with it. I'm glad that Microsoft is taking this attack vector seriously.

What's in it for Micro$oft ? (0)

Anonymous Coward | about a year and a half ago | (#41630841)

And what exactly compels Microsoft to add this key?
Or add it and fsck it up so that it 'just happens to fail sir'?

Wake on LAN: Press any key to continue ... (1)

zapyon (575974) | about a year and a half ago | (#41630965)

Yeah, great. How are non-MS operating systems going to use this mechanism for remotely initiated booting, as in WOL? Does that mean non-MS shops will have night shift "specialists" on-site to press the Any Key whenever required?

Seems to me that MS has finally given Linux the boot :-(
