Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Matthew Garrett Makes Available Secure Bootloader For Linux Distros

timothy posted about a year and a half ago | from the working-with-the-work-around dept.

DRM 274

TrueSatan writes "Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation/booting of secure boot enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft. Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product."

cancel ×

274 comments

Yay! (5, Interesting)

wgoodman (1109297) | about a year and a half ago | (#42153915)

I'm really proud of him and I really hope that there is no ensuing lawsuit for violating some sort of propitiatory BS.

Re:Yay! (5, Funny)

Anonymous Coward | about a year and a half ago | (#42154013)

violating some sort of propitiatory BS

Yeah I really hate all that appeasing the gods BS, too.

Re:Yay! (1, Informative)

Russianspi (1129469) | about a year and a half ago | (#42154127)

I'm dying for a mod point here. I don't care if you're an AC. That's FUNNY!

Re:Yay! (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42154713)

You should never care if it is an AC.

It is the message that is important, not the messenger. Why, after 11 years of using this site, should I register an account? My words stay the same. All it would be good for is group validation through karma whoring. I'd rather be ignored out of irrational bias than lauded for conforming to groupthink.

Re:Yay! (1)

philip.paradis (2580427) | about a year and a half ago | (#42154281)

Given that conciliatory is a synonym for propitiatory, I suspect any scenarios involving Red Hat becoming litigious are unlikely to involve Red Hat acting in a conciliatory fashion on the matter at any point in the next decade or so thereafter.

Re:Yay! (4, Interesting)

Anonymous Coward | about a year and a half ago | (#42154669)

He violated nothing. The better question to ask is "who the hell does MS think it is?" They don't and cannot control the HW manufacturers. Nothing stops independent HW dealers in Asia or wherever from selling directly to consumers. Look at Google, Amazon, and other large companies. They design and buy their HW direct from the manufacturer, cutting out the middle man. Cutting out the middle man is ALWAYS the right thing to do. No one is entitled to a profit. No one has the right to demand I buy from them and their overly-capitalist markup system. Screw all that.

I am going to start looking into buying from the source, even as a consumer. I have the right to buy from the source just like a company. I'm tired of dealing with the MS tax on computers. MS was and is a monopoly. I have used Linux as my home desktop/laptop system since 1998 and now this is happening. Screw any and all who would attempt to even try and dictate my actions with HW I've paid money for.

Re:Yay! (5, Funny)

Anonymous Coward | about a year and a half ago | (#42155031)

Cutting out the middle man is ALWAYS the right thing to do.

Next time you're sick, I'll call the undertaker.

Today is World AIDS Day (-1, Flamebait)

Anonymous Coward | about a year and a half ago | (#42153927)

So hug the nearest faggot, cause he's probably going to die from AIDS.

How does this work? (2)

knuthin (2255242) | about a year and a half ago | (#42153969)

Can anyone explain me like I am 5, how this must be working? Or speculate?

Re:How does this work? (5, Informative)

Kergan (780543) | about a year and a half ago | (#42154043)

In simplistic terms, it's a bit like on iOS devices: they'll only boot software that is signed by Apple, thus preventing low-level viruses and such from tampering with the OS.

In more complicated terms, I'll defer to the wiki page [wikipedia.org] .

Re:How does this work? (4, Insightful)

schitso (2541028) | about a year and a half ago | (#42154055)

thus preventing people from using their hardware as they see fit.

FTFY

Re:How does this work? (-1)

Anonymous Coward | about a year and a half ago | (#42154149)

thus preventing schitso from using their hardware as they see fit, which would see every bash session beginning with "sudo su" if he hadn't already been using root as a regular account.

FTFY.

Re:How does this work? (1)

Nerdfest (867930) | about a year and a half ago | (#42154377)

Right, because you have no right to do that with a device you supposedly own.

Re:How does this work? (4, Informative)

scheme (19778) | about a year and a half ago | (#42154961)

Right, because you have no right to do that with a device you supposedly own.

The specs already require that the x86 EFI allows you to load your own key. This is just something to let you install and use linux or other OSes without having to go through the process of loading your own keys into the bios and instead using the ms key that's already been loaded.

Re:How does this work? (2)

mystikkman (1487801) | about a year and a half ago | (#42155091)

This is a losing battle, there are too many uninformed posters who can't understand such technical matters. You reply to one and 5 other posts come up saying the same wrong things and still modded up. This is happening since a year, there's no use. The smart neckbeards have been replaced by 14 year old kids who don't know what they're talking about and only read headlines and other raving modded retarded rants by the likes of BMO.

Re:How does this work? (0)

Anonymous Coward | about a year and a half ago | (#42154453)

Why the fuck would anyone do sudo su?
Even a retard like you should know about sudo -i.

Re:How does this work? (1)

Anonymous Coward | about a year and a half ago | (#42154447)

Had to look FTFY up, so I'll fix that for you:
definition FTFY: Fixed that for you

Re:How does this work? (1)

mystikkman (1487801) | about a year and a half ago | (#42155067)

"thus preventing Romanian hackers from installing undetectable bootkits on your dad's computer"

Fixed that for you

Re:How does this work? (1)

knuthin (2255242) | about a year and a half ago | (#42155085)

No. I don't mean UEFI. I mean the bootloader. How can it work without the key that all distributions are supposed to have (the one that first Fedora and later Ubuntu, OpenSUSE and Linux Foundation were paying Microsoft/Verisign for)?

RedHat Ftw! (1)

Anonymous Coward | about a year and a half ago | (#42153971)

Kudos for Matthew Garrett!

Clarification (2)

ClaraBow (212734) | about a year and a half ago | (#42153981)

Will someone one please clarify for me if we will always be able to buy computers without a securebootloader, or will I have to deal with this shit sometime down the road. Thanks!

Re:Clarification (0)

Anonymous Coward | about a year and a half ago | (#42153997)

It was mandated that all computers produced starting in 2015 must have secure boot.

Re:Clarification (1)

BenJury (977929) | about a year and a half ago | (#42154967)

Mandated by whom? MS might be requiring it for Windows 8 certification, but thats a far cry from 'all computers'.

Re:Clarification (1, Funny)

Anonymous Coward | about a year and a half ago | (#42154019)

Well, since Micro$oft requires that any Windoze 8 certified computers must use secure boot, it's very likely you'll get to enjoy this bullshit as well.

Read all about it: http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement/campaigns/secure-boot-vs-restricted-boot [fsf.org]

Re:Clarification (5, Funny)

MysteriousPreacher (702266) | about a year and a half ago | (#42154191)

Micro$oft and Windoze? Have you recently emerged from 15 years in stasis? To bring you up to date...

Madonna is still shit and now looks like Iggy Pop.
9/11
Year of Linux on the desktop is imminent
The president's black
The Rolling Stones aren't dead
We sent cool shit to Mars
World didn't end but will end again later this month

Re:Clarification (0)

Anonymous Coward | about a year and a half ago | (#42154279)

wow, that's funny!

Re:Clarification (1)

neokushan (932374) | about a year and a half ago | (#42154335)

....I need more mod points.

Re:Clarification (4, Insightful)

Nerdfest (867930) | about a year and a half ago | (#42154397)

Of course you can add to that list:
  - Microsoft still doing things to suppress competition.
  - Apple has joined them.

They earned that dollar sign. The OS is a bit better behaved than 15 years ago, although NT was pretty quick.

Re:Clarification (4, Funny)

serviscope_minor (664417) | about a year and a half ago | (#42154959)

And Duke Nukem Forever was released.

Re:Clarification (2)

MysteriousPreacher (702266) | about a year and a half ago | (#42155083)

And Duke Nukem Forever was released.

Steady on there. We don't want to overwhelm him.

Must ship with a way to turn off Secure Boot (4, Informative)

tepples (727027) | about a year and a half ago | (#42154585)

Computers that ship with Windows 8 for x86 or x86-64 must ship with Secure Boot turned on but (importantly) must ship with a way to turn it off.

Re:Must ship with a way to turn off Secure Boot (1)

Anonymous Coward | about a year and a half ago | (#42154649)

For now... my friend.. for now...

Do not forget - we are talking about Microsoft here, so be prepared to get stabbed in the back (and have to pay for that privilege) in the near future...

Re:Clarification (1)

Anonymous Coward | about a year and a half ago | (#42154469)

I have never been one to steal software, but if I am not going to be allowed to have control over what I run on my machine, I will be downloading W7 and installing it. It is bad enough that we are having to fight fro our freedoms with governments, but to also have to do this with corporations is too much.

Kudos (4, Funny)

cheesybagel (670288) | about a year and a half ago | (#42153995)

The man delivered! I really hate not being able to use GRUB or some other bootloader anymore. Why the heck can't I choose what to install on the computer I bought with my own money? Imagine you were Linux Torvalds trying to write your own operating system but in a computer with UEFI enabled.

The way to get the key is also particularly weird. It's like Microsoft has gone out of their way to make it so you need to use Windows to get a key. .CAB files, Silverlight applications, .exe to generate a key, etc.

You can't even choose not to enable UEFI anymore. I bought a 3 TB hard disk recently and the BIOS isn't able to see anything above 2 TB on a non-UEFI system without GPT partitions.

Re:Kudos (2)

cheesybagel (670288) | about a year and a half ago | (#42154005)

s/Linux/Linus/ Sorry dude.

Re:Kudos (4, Informative)

recoiledsnake (879048) | about a year and a half ago | (#42154081)

First UEFI != UEFI Secure Boot.

Second, you can turn off Secure Boot in the settings. So, I am guessing the young Mr. Torvalds would be smart enough to do that.

Third, the keys are editable, i.e you can remove Microsoft's key and add your own or Linux's key if you don't trust Microsoft and that'll stop your machine from ever booting Windows. Thus, you're really in control of your computer. The defaults are setup that way to stop undetectable bootkits infecting your mom's computers because just wants to run Excel and doesn't know or care about signing keys and hashes.

There is so much FUD and misinformation being spread by stupid people.

Re:Kudos (4, Informative)

bmo (77928) | about a year and a half ago | (#42154143)

But to get your own key, you have to shell out 99 bucks.

That's fucking galling. It's a tax.

--
BMO

Re:Kudos (4, Informative)

jonwil (467024) | about a year and a half ago | (#42154219)

No.
The $99 fee is if you want to get stuff signed with the default Microsoft keys (or rather, with a chain-of-trust that ties back to the default Microsoft keys)

Anyone can load new keys into the UEFI boot key-store no problems via the BIOS options.

Re:Kudos (4, Interesting)

cheesybagel (670288) | about a year and a half ago | (#42154347)

The Microsoft key comes pre-loaded with every BIOS. Try installing your own key in the UEFI boot key store and see how easy that is. Microsoft users just pop in a DVD and install. Linux users can't do that.

Re:Kudos (1)

recoiledsnake (879048) | about a year and a half ago | (#42154939)

First of all, adding keys should NOT be with a simple click or else malware will just instruct users to do that to watch DancingBunnies.exe

Second of all, it isn't that bad, There are GUI screens navigatable with a mouse(unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".

If there are users incapable of doing that, do you really expect to be able to install Linux without blowing through the Windows partition or even search for and install drivers?

Re:Kudos (1)

neokushan (932374) | about a year and a half ago | (#42154351)

I don't suppose you (or anyone else) knows if these options (loading keys, disabling secure boot, etc.) will be available from all OEMs or is it something they can choose to not implement if they want?

I know with Windows RT, it's all locked down with no way to change it but that's not a "real" PC in any term.

Re:Kudos (1)

PPH (736903) | about a year and a half ago | (#42154739)

I know with Windows RT, it's all locked down with no way to change it but that's not a "real" PC in any term.

Right. Its not a "real" PC. Its an ARM based mobile device.

Because Microsoft smells the death of "real" PCs and the market's migration to mobile and to ARM, away from Intel. So, sure, you can still have your beige tower and run whatever OS you want on it.

Re:Kudos (1)

neokushan (932374) | about a year and a half ago | (#42154805)

Apparently I need to qualify my statement further: Windows RT is generally built on some sort of a SoC rather than assembling together components in the traditional sense (CPU, Motherboard, RAM, etc.). Different ARM SoC's tend to use customised code left, right and centre which includes the boot code so it's expected that it'll be as locked down as the likes of smartphones, routers, set top boxes, etc.
At least with traditional x86 PC's, they'll (hopefully) still be made up of off-the-shelf components from people like Gigabyte, Asus, et all.

Re:Kudos (0)

Anonymous Coward | about a year and a half ago | (#42154361)

Concluding, it's not a matter of if, but when, rootkits will sign themselves with a MS signed key.

Re:Kudos (0)

Anonymous Coward | about a year and a half ago | (#42154379)

surely adding your own key would not require that?

getting a signed key maybe ...

honeatly dont know ...

Re:Kudos (1, Informative)

recoiledsnake (879048) | about a year and a half ago | (#42154887)

First, that's to get your own binary get signed with the default installed Microsoft key, so it's meant for distributors, not users who can add/remove keys without any cost.

Also, if you think Microsoft is trying to make any money from the $99 you're sorely mistaken.

Read this and I hope you have enough reading comprehension skills to under the reasoning behind Microsoft's fee.

http://indiegames.com/2012/09/valves_solution_for_steam_gree.html [indiegames.com]

If there was no fee, every Russian malware author will apply thousand times to get boot keys defeating the whole thing, not to mention the money can be tracked down in the future if the key is maliciously used.

In other words, another bog standard stupid uninformed kneejerk karmawhoring typical retarded Slashdot anti-MS post from you. lurn2read. Don't you feel stupid making such idiotic posts?

Making No Sense (0)

Anonymous Coward | about a year and a half ago | (#42154025)

So, Garret has created a boot loader shim that doesn't require signing, that then chainloads a bootloader that finally loads the OS or chainloads another bootloader?

1. How does this shim work without being signed? Clearly he's found a weakness in secure boot that he is exploiting.

2. If vulnerabilities exist that permit unsigned exploits, what's the point of secureboot? (Rhetorical)

3. If this is an exploit, how long will it be before the vulnerability is fixed and this shim is worthless?

Re:Making No Sense (0)

Anonymous Coward | about a year and a half ago | (#42154057)

RTFA?

this is intended for distributions that want to support secure boot but don't want to deal with Microsoft

Re:Making No Sense (2, Informative)

Anonymous Coward | about a year and a half ago | (#42154071)

Read his blog, he explains it all.

Basically, the Shim is signed with the Microsoft key, it will load on any system which trusts that key (i.e. every system out there).
The Shim will then load anything that's signed with any of the keys in the secure boot trust database, but it will also allow you to add keys to that trust database yourself.

For example: if you try to boot from a SuSe install DVD is will first start the Shim (which is trusted, because it's signed by Microsoft). The Shim will then ask you if you want to load whatever the DVD is trying to start, optionally installing the key used to sign what you're trying to start.

The end result is that John Q. User just needs to be told to push the 'Enroll key' button when he's installing SuSe/RedHat/Debian/... He doesn't need to be told how to disable Secure Boot, or how to install the SuSe/RedHat/Debian/... key into his system (which would be different for every system).

Re:Making No Sense (0)

Anonymous Coward | about a year and a half ago | (#42154259)

Interesting that this guy got his shim signed by Microsoft with none of the drama of the Linux Foundation who went out of their way to avoid using Microsoft products.

Re:Making No Sense (1)

lister king of smeg (2481612) | about a year and a half ago | (#42154821)

easy answer ms tried screwing with the linux guys. they however just saw some programmers name on this application and signed it. MS is run by chair throwing anticompetitive dicks. if you start from that base assumption it all make perfect since.

Fuck secure boot. (4, Insightful)

bmo (77928) | about a year and a half ago | (#42154031)

I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is aquiescing to the concept and "working with it."

Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarassed into doing the right thing.

Secure boot was never about protecting the end user.

--
BMO

Re:Fuck secure boot. (3, Insightful)

budr (111245) | about a year and a half ago | (#42154083)

What BMO said. Where's a +10 when you need it.

Re:Fuck secure boot. (1)

Anonymous Coward | about a year and a half ago | (#42154093)

If you follow the money, it's actually about protecting IT from corporate users. No more, no less. You don't need a conspiracy to explain it when a billion dollar problem is staring you in the face.

Re:Fuck secure boot. (4, Insightful)

zakeria (1031430) | about a year and a half ago | (#42154111)

exactly; this is just another attempt to stifle and forthcoming competition in the OS development arena and at the same time helping to cement the belief in people that the PC only has one true OS that should be running on the machine namely Microsoft Windows!

Re:Fuck secure boot. (1)

eexaa (1252378) | about a year and a half ago | (#42154141)

Don't frown upon this please. It is usually better to first show that any resistance is futile, before politely asking not to put such weird and unusuable features into production machines.

Re:Fuck secure boot. (2)

bmo (77928) | about a year and a half ago | (#42154179)

There was a time when the community embarassed Intel into not putting serial numbers into their processors.

I miss that time.

We have become soft.

--
BMO

Re:Fuck secure boot. (1)

bytesex (112972) | about a year and a half ago | (#42154173)

Because secure boot actually has real, nice consequences, open source or not?

Re:Fuck secure boot. (2, Interesting)

bmo (77928) | about a year and a half ago | (#42154243)

If you could generate a self-signed key for free, then I would have less of a problem with this.

But to get a key, you have to pay a notary and prostrate yourself before Microsoft and get their blessing, for 99 bucks. It's a tax on kernel builders and hobbyists who compile their own kernels with experimental patches - a tax on progress for BSD, Linux, Haiku, everyone who isn't Microsoft. It's also a hoop to jump through deliberately engineered to scare the less informed and to make it inconveniient to use a different OS for end users.

It doesn't protect end users one bit, because boot loading malware is scarce these days since it's just easier to attack the user with his own permissions, never bothering to escalate from userspace to kernel space. Because it's "good enough." There are enough dumb users out there that will click on anything to get a purple cow for Farmville that engineering a boot hijacker is too much like work for the botnet herder. Basically because there is no antivirus out there that can protect a computer from Layer 8 dumbassery.

It's a tax, an inconvenience, and it does absolutely nothing in reality to protect the end user.

Yet you see no problem with this.

--
BMO

Re:Fuck secure boot. (1)

Anonymous Coward | about a year and a half ago | (#42154367)

Then you should have no problem with this.

The $99 dollar option gets your bootloader signed by Microsoft, with their key.

The free option allows you to generate your own key. This can be manually installed into the UEFI bios, at which point any bootloader you sign with it just works. This offers protection to linux too, as once you install the Debian key or whoever, you're safe from hypervisor malware attacks. I'm sure that if the linux community stops shouting and actually generates and publishes UEFI public keys, you'll find that a lot of the manufacturers will start pre-installing those keys (Dell certainly will on their business ranges)

Re:Fuck secure boot. (1, Insightful)

bmo (77928) | about a year and a half ago | (#42154427)

>The free option allows you to generate your own key.

With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?

>you're safe from hypervisor malware attacks.

This is an unrealistic attack and to present it as plausible and likely is laughable, since more mundane and common attacks are far more likely to be an actual problem. It's like recommending that I go outside every day with a hardhat to avoid falling meteors when the actual threat to my safety is people speeding through the neighborhood and not stopping at stop signs as I attempt to cross the street.

>I'm sure that if the linux community stops shouting

We should never stop shouting.

>official distro keys

The point of Linux for a lot of people is the ability to do your own kernels, your own bootloaders and your own software. This is the key to the rapid evoloution of Linux. Requiring everyone who does this to supplicate at the Altar of Redmond and give burnt offerings of $99 USD, is nuts, insulting, and is clearly an attack designed to take the steam out of the innovation in the Linux world. Fuck that noise.

>you'll find that a lot of the manufacturers will start pre-installing those keys

That's a really big IF there, especially since it's known that Microsoft is willing to strong-arm everyone it can.

>business range machines

I don't feel like paying for enterprise support for my own personal laptop, and I should not have to just to be able to install my own OS.

Go away.

--
BMO

Secure Boot in custom mode (3, Informative)

tepples (727027) | about a year and a half ago | (#42154609)

With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?

By setting Secure Boot to custom mode and installing the self-signed key. Microsoft requires makers of x86 and x86-64 PCs to allow neutering Secure Boot as a condition for Windows 8 certification, just like Google requires a device to have Android Debug Bridge open as a condition for access to the Google Play Store. The strict game-console-style lockdown is only for Windows RT.

Re:Secure Boot in custom mode (2)

bmo (77928) | about a year and a half ago | (#42155015)

>The strict game-console-style lockdown is only for Windows RT.

As if this makes it ok.

An ARM computer is just as much a real computer as one with an IA64 processor in it, especially when the new ARM processors coming out support 64 bit computing

Why shouldn't I be able to put Linux or any other OS compiled for ARM on an ARM machine? An ARM laptop running Linux would be a nice thing with longer battery life than what can be found with Intel processors. Why do I have to supplicate and offer $$ to Redmond, from where I did not acquire the OS?

Brushing this off as if it doesn't matter "because you Linux guys only care about i386 and IA64" is disingenuous.

And like I said earlier, just because one company (apple) does it, doesn't mean it's OK for other companies to follow suit. Apple perverted the concept of a repository. This is not supposed to be a blueprint for other companies.

--
BMO

Re:Secure Boot in custom mode (1, Flamebait)

recoiledsnake (879048) | about a year and a half ago | (#42155037)

Give it up,BMO is probably a PHB, he does not understand technical stuff, so he just trolls the karmawhoring Slashdot line by writing retarded anti-MS stuff and calling people paid shills. It's useless as trying to explain quantum mechanics to an amoeba.

Re:Fuck secure boot. (4, Informative)

Multiplicity (2498210) | about a year and a half ago | (#42154373)

No, no, no. You got it wrong.

I hate this whole kerfuffle as much as everybody, but the part about not being able to load self signed keys isn't correct. You can load self-signed keys into the UEFI boot key-store right from the UEFI UI. Of course that will prevent Windows 8+ from booting, but that's another story. You can disable it altogether, with the same result.

So you can either disable secure boot or have your own chain of trust separated from Microsoft and boot other OSes. BUT if you want to boot Windows 8+ you have to enable it and use Microsoft's chain of trust, and is in THAT case, when you want to also boot other OSes you must have the other OSes bootloaders signed by Microsoft.

This shim bootloader represents a convenience to the users of that specific case (which indeed is the most common one). They have a "generic" Microsoft-signed bootloader along with some tools to extend a chain of trust from that bootloader to another one, and this second one won't have to get through the dreaded certification process (which indeed forces you to use Windows).

The problem here is NOT UEFI / SECURE BOOT. The problem is MICROSOFT CERTIFICATION PROGRAM. That's where they boicott the whole industry, and where they should be given a fight. That stupid certification process they combined with a twisted use of the new capabilities of UEFI. Make no mistakes, shouldn't UEFI exist today, they would still be looking for ways to exploit their certification program to make manufacturers do anything they want, just so they can bless them with being "Win compatible". THAT is the great lie right there, by which they have the industry inexplicably grabbed by the balls.

The solution of course would be everyone giving the finger to Microsoft on their fucking certification program, and a more open competition would arise. I very much want to see how long they last on that environment.

Re:Fuck secure boot. (0)

Anonymous Coward | about a year and a half ago | (#42154519)

There seems to be a very easy remedy to this in the U.S. It is called AntiTrust and this should be pursued against Microsoft.

Re:Fuck secure boot. (1)

Truekaiser (724672) | about a year and a half ago | (#42154791)

No. The last time that happened was only because Microsoft was not playing the regulatory capture game. Before the whole bundling internet explorer with windows antitrust case. Microsoft did not lobby that much if at all in Washington.

They have since learned that to not get targeted with any antitrust junk they must lobby the feds. They have done so to the point that many ex Microsoft, and possibly future Microsoft employee's* are running the needed groups that instead of targeting Microsoft for this 'clear' antitrust breach. They are running around trying to bring a case against microsfot's chief rival google over their text ad's.

If you want 'any' sort of antitrust regulation to apply to you. Move to Europe, their system is less corrupt.

*This is how regulatory capture works, People who leave company's lets say in this case a giant software company. Leave on good terms, they only left to work in the government because the government position while temporary offered a better deal. BUT to not burn any bridges, since they know and the companies know they will be going right back to working for them once their position ends. They will do NOTHING to anger them even to the point of doing what the companies say.

Re:Fuck secure boot. (1, Insightful)

jonwil (467024) | about a year and a half ago | (#42154239)

secure boot is in no way "Trusted Computing 2.0" and Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice.

Also, Secure Boot is very much about protecting the end user. It stops unknown/untrusted/unwanted low-level code running including many of the new breed of viruses that infect the master boot record to make it harder for anti-virus programs to defeat them.

Now if a manufacturer of x86 PCs started selling PCs where secure boot was on and there was no way to turn it off or to enroll new keys, THEN I would start complaining.

Re:Fuck secure boot. (4, Informative)

bmo (77928) | about a year and a half ago | (#42154265)

" Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice."

A half truth is a whole lie.

Stop lying.

The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED AND MUST NEVER BE TURNED OFF

Shill.

--
BMO

Windows RT is not called Windows 8 (1)

tepples (727027) | about a year and a half ago | (#42154627)

Microsoft requires OEMs shipping Windows 8 to provide both options for the user to turn secure boot off completly AND for the user to install new keys of their choice.

The other half of the truth is that on ARM devices, Secure Boot is ABSOLUTELY REQUIRED

And the gripping half [catb.org] is that the operating system for devices with an ARM CPU is not called Windows 8. It is called Windows RT (for 10" screens) or Windows Phone 8 (for 4" screens).

Re:Fuck secure boot. (1, Insightful)

recoiledsnake (879048) | about a year and a half ago | (#42154989)

I love it how Windows RT tablets(which are supposed to be DoA anyway according to Slashdotters) are somehow "ARM devices" but the iPads and Android tablets, Kindle Fires, Nooks with locked bootloaders with 99% marketshare in mobile are just iPads and Android tablets, Kindle Fires, Nooks. Win32 software which is a big reason for the monopoly won't even run on Windows RT. And then they call for government intervention. Meanwhile Apple is locking everything down but the fanboys keep the discussion down. Why do people get their panties in a twist when it's MS while Apple is decimating freedom by implementing Palladium(see app store) and unable to keep their locked iDevices in stock? Yelling in bold only makes you sound more retarded.

Re:Fuck secure boot. (1)

bingoUV (1066850) | about a year and a half ago | (#42154271)

Yes, Germany has just annexed Austria. Nothing to worry. It is a long way to UK. Germany is sure to attack Poland too, but nothing to worry they are east European bastards that need a good spanking anyway.

Next year : OMG, we lost half RAF to fight Germany, we should have supported Poland /Austria and nipped it in the bud. Too late.

Secure boot is about protecting the end user? Because malware writers are too dumb to follow Matthew's public instructions, right?

Re:Fuck secure boot. (1)

jonwil (467024) | about a year and a half ago | (#42154333)

The whole point is that the bootloader shim will only load further code if the key used to sign that code is in the shim's internal (and unchangeable once the system has actually booted from what I can tell) list of valid keys. Since the malware authors probably dont have any of the keys likely to be in that list, if there is an attempt to boot (via the shim) a piece of malware, the shim bootloader would see that its signed with something not in its database and prompt the user "hey, this isn't signed, do you want to enroll its signing key?"

Re:Fuck secure boot. (2)

bingoUV (1066850) | about a year and a half ago | (#42154375)

Yes, and Microsoft has immunized users against questions from their computer using UAC so the user will say yes, do what you want and let me do my work. So yes, genius.

Re:Fuck secure boot. (1)

TheLink (130905) | about a year and a half ago | (#42154411)

And most of the malware currently out in the wild would be thwarted by secureboot? I doubt it since they exploit stuff (browser, flash, pdf, dumb users) that's nothing to do with secureboot at all.

And by the time the malware has enough power to change the boot up stuff, your OS is so pwned that secureboot will make no difference if the malware author knows what he's doing.

So as far as I can see, it's not about protecting the user.

Re:Fuck secure boot. (0)

jonwil (467024) | about a year and a half ago | (#42154471)

The secureboot stuff CANNOT be changed from within the running OS no matter how good the malware author is. The firmware (which controls ALL accesses to the secure boot storage area) will not let the OS change it.

Re:Fuck secure boot. (2)

bmo (77928) | about a year and a half ago | (#42154559)

You didn't read past his first sentence.

You don't need to infect the boot to hose the user. It's so much easier to hose the user through normal channels - piracy, troans, spyware, annoyware (toolbars, etc) and "legitimate" software that has "we'll hose you when we like" in the privacy statement that never gets read.

Step 1. Take a popular software package. Bundle malware with it that passes the top 10 scanners.
Step 2. Upload to usenet, direct download sites, and torrents.
Step 3. Wait.
Step 4. Botnet. There isn't even a ????????? here.

Infected boots are a minuscule problem.

--
BMO

Re:Fuck secure boot. (2)

digitalaudiorock (1130835) | about a year and a half ago | (#42154245)

Oh to have mod points!...If people keep working around this crap rather than voting with their wallets they're saying it's OK. Everyone who gives a shit about this MUST refuse to buy any computer with secure boot...period.

Re:Fuck secure boot. (1)

Nerdfest (867930) | about a year and a half ago | (#42154429)

I'd like to know why there's all this outrage about this, but iOS devices which are even worse get a pass. Someone above said you can actually install your own key and remove the Microsoft ones as well.

Re:Fuck secure boot. (1)

Nerdfest (867930) | about a year and a half ago | (#42154439)

I'd also like to clarify that by "someone above" I meant a previous commenter, not FSM. Sorry for the confusion.

Re:Fuck secure boot. (1)

bmo (77928) | about a year and a half ago | (#42154479)

>but iOS devices which are even worse get a pass

No they don't, not from the technorati. The lumpenproletariat don't care, but that's because they don't know and don't want to know.

Just because Apple does it doesn't make it right for Microsoft to do it.

"Timmy, stop hitting Audrey on the playground! It's not nice!"
"But moooom, Bobby was hitting Audrey too!"

Fucking schoolyard mentality.

--
BMO

Re:Fuck secure boot. (1)

Nerdfest (867930) | about a year and a half ago | (#42154491)

I'm not saying it's right, I'm saying people should call Apple on it as well. Apple is defended regularly here, which is a somewhat technically literate site.

Re:Fuck secure boot. (1)

tepples (727027) | about a year and a half ago | (#42154675)

No they don't, not from the technorati. The lumpenproletariat don't care, but that's because they don't know and don't want to know.

The problem here is that marketing a product to the technorati and only the technorati is often unprofitable. The proles dictate what enjoys economies of scale. Otherwise, for example, there would be more video games targeted at members of the technorati who want to replace a video game console with a home theater PC. Instead, because of tradition, video games in console-style genres tend to be released only for PlayStation 3 and Xbox 360 and not ported to the PC, despite that PCs use an operating system that's compatible with the Xbox 360's controllers and APIs, and even Intel's integrated graphics can play a PS3-class game [anandtech.com] .

Re:Fuck secure boot. (1)

DRJlaw (946416) | about a year and a half ago | (#42154667)

I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is aquiescing to the concept and "working with it."

Stallman is right, guys, and anyone endorsing Trusted Computing 2.0 by either actively participating in the distribution of it, or tacit approval needs to be publicly humiliated and embarassed into doing the right thing.

We will tolerate no dissent! Not only will we refuse to use this, but we will ensure that nobody who disagrees with us (or simply doesn't give a rat's ass about our fundamentalist take on software freedom) will be able to even have the opportunity to use this!

FREEDOM! (for us, not for you... you're too stupid to be allowed the choice).

Re:Fuck secure boot. (1)

westlake (615356) | about a year and a half ago | (#42154715)

I find it disappointing that instead of actively fighting secure boot and making a BIG PUBLIC STINK about it and embarrassing everyone involved in implementing this, the community is aquiescing to the concept and "working with it."

The community is not united against secure boot. There are real benefits for the user.

One security threat that has been getting a lot of interest lately is the ability to ensure the integrity of the early boot sequence - the handoff of control from the lowest level system firmware (traditionally provided by the hardware vendor) through to the operating system kernel. This is important because there have increasingly been real-world exploits where fraudulently modified early boot code has introduced vulnerabilities into the operating system.

To confront this challenge, the upcoming generation of system firmware, referred to as Unified Extensible Firmware Interface (UEFI) secure boot, has capabilities in the system startup sequence designed to only pass control to operating system software that can be confirmed to be not tampered with. The mechanism used to confirm the integrity of operating system software is not novel, rather it uses traditional key signing and variations of checksumming. While these mechanisms have traditionally been used higher up in the software stack and later in the startup sequence - what is new is the fact that these validation checks are expected to now be available at the earliest points in the system startup sequence. Performing the checks early is crucial as it provides a safe, verified starting point.

UEFI Secure Boot [redhat.com] [Tim Burke, vice president, Linux Engineering, Red Hat]

Re:Fuck secure boot. (0)

recoiledsnake (879048) | about a year and a half ago | (#42155019)

Because Apple did it first and fanboys fell over themselves with the OOH SHINY stuff. And now, everyone points to Apple and says we need more security to keep malware out.

The battle is lost, the train has left the station the cat is out of the bag etc. and the reason is people like you are only fixated on gnashing teeth against Microsoft on Slashdot but give other companies a free pass.

Re:Fuck secure boot. (0)

bmo (77928) | about a year and a half ago | (#42155033)

>but give other companies a free pass.

No. Fuck you.

Take your sweeping generalization and shove it squarely up your ass, RS.

--
BMO

Doesn't work (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42154213)

I happen to have a computer with Secure Boot enabled by default. Matthew Garrett's boot loader doesn't work while Secure Boot is enabled. The reason being that the machine will not (repeat not) boot from any device except the hard drive unless Secure Boot is first disabled. The steps to load any OS, with or without Secure Boot support, goes like this:

Enter into UEFI control panel.
Disable Secure Boot
Enable Legacy boot options
Enable specific Legacy device, such as DVD drive
Save settings and reboot.
Change boot device to DVD

If Secure Boot is turned on, "Legacy" devices can not be used to boot the computer. Therefore having this boot loader doesn't do any good on machines with Secure Boot enabled. It has to be turned off just to access the installation media.

Re:Doesn't work (0)

Anonymous Coward | about a year and a half ago | (#42154483)

Why are you talking about dvds? I haven't booted from one of those in years.
Everything is usb sticks and external hard drives now.

Do not disagree with Garrett (0, Troll)

JonJ (907502) | about a year and a half ago | (#42154275)

Or else he'll post ad-hominem personal attacks about you on his blog. He is the sole reason I migrated away from Fedora to Ubuntu/Debian.

Re:Do not disagree with Garrett (1)

bmo (77928) | about a year and a half ago | (#42154327)

"Or else he'll post ad-hominem personal attacks about you on his blog"

And this matters why?

--
BMO

Re:Do not disagree with Garrett (3, Interesting)

Anonymous Coward | about a year and a half ago | (#42154449)

Why does it matter? Because it could ruin your reputation, even wreck your career?
http://www.itwire.com/business-it-news/open-source/57290-garrett-slams-tso-as-rape-apologist

Garrett is scum.

Re:Do not disagree with Garrett (0)

Anonymous Coward | about a year and a half ago | (#42154341)

EVERY distro has its asshole....

Re:Do not disagree with Garrett (0)

Anonymous Coward | about a year and a half ago | (#42154563)

You do realize you just did an ad hominem?

Re:Do not disagree with Garrett (0)

Anonymous Coward | about a year and a half ago | (#42154697)

Not at all.

The idea that pointing out somebody's ad hominem's is itself such an ad hominem that it can't be done...is the greatest fallacy of all.

It would require us to be silent towards whatever vile bile spewed out of certain persons without speaking up.

No thank you.

Re:Do not disagree with Garrett (0)

Anonymous Coward | about a year and a half ago | (#42154707)

I know, Garrett would be proud.

Re:Do not disagree with Garrett (0)

Anonymous Coward | about a year and a half ago | (#42154767)

Or else he'll post ad-hominem personal attacks about you on his blog. He is the sole reason I migrated away from Fedora to Ubuntu/Debian.

Next time you leave Fedora try to make it because it is a joke of a Linux distro not because someone else who works for the company that produced it does things you don't like.

Re:Do not disagree with Garrett (0)

Anonymous Coward | about a year and a half ago | (#42154881)

Also check out his previous minding over, and I'm not kidding, hexadecimal magic numbers in kernel source code. Yeah. He did it twice, once for Microsoft and once for a less memorable company.

While I'm not so dense as to call his technical capacity into question over such matters (we have review for this sort of thing, right?), I also hope he's exchanging the perception of his good judgement for mad pussy on the reg, and not just per instance. The style in which he writes about his justification for doing the secure boot legwork suggests a fatalism that's more typical of people who've given up on some of their independent thought.

What's the point of secure boot? (1)

loufoque (1400831) | about a year and a half ago | (#42154343)

What's the point of secure boot, if you can just use this bootloader to boot anything you want?

Re:What's the point of secure boot? (1)

Anonymous Coward | about a year and a half ago | (#42154413)

Keeping it so you can boot anything YOU want, not anything some random virus or trojan wants.

A difficult needle to thread, but hardly inconceivable.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...