UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions

timothy posted about a year and a half ago | from the next-level-reached dept.

Linux 185

hypnosec writes "The Linux Foundation's UEFI secure boot pre-bootloader is still in the works, and has been modified substantially so that it allows any Linux version to boot through UEFI secure boot. The reason for modifying the pre-bootloader was that the current version of the loader wouldn't work with Gummiboot, which was designed to boot kernels using BootServices->LoadImage(). Further, the original pre-bootloader had been written using 'PE/Coff link loading to defeat the secure boot checks.' As it stands, anything run by the original pre-bootloader must also be link-loaded to defeat secure boot, and Gummiboot, which is not a link-loader, didn't work in this scenario. This is the reason a re-write of the pre-bootloader was required and now it supports booting of all versions of Linux." Also in UEFI news: Linus Torvalds announced today that the flaw which was bricking some Samsung laptops if booted into Linux has been dealt with.

185 comments

Microsoft controls computer booting (5, Insightful)

ozmanjusri (601766) | about a year and a half ago | (#42769829)

The redesigned bootloader has already been submitted to Microsoft for singing and once the signed version is received, The Linux Foundation is planning to provide it for free.

Why in hell did the world give Microsoft control over computer bootup hardware?

That's just insane.

Re:Microsoft controls computer booting (5, Insightful)

Xipher (868293) | about a year and a half ago | (#42769845)

The alternative is to try and get every motherboard manufacturer to accept a singing key from them. Having Microsoft sign it means they don't have to deal with that headache.

Re:Microsoft controls computer booting (5, Funny)

Zemran (3101) | about a year and a half ago | (#42769915)

I love the idea of singing motherboards :-) it would be much better than this stupid idea that is being forced on us in order to make more money for M$...

Re:Microsoft controls computer booting (5, Funny)

Anonymous Coward | about a year and a half ago | (#42770141)

It'd be loads more fun to troubleshoot as well.

fur elise - bad ram check
oh fortuna - check video card

etc etc.

Much easier than beep codes and instills a bit of culture too.

Re:Microsoft controls computer booting (5, Funny)

ami.one (897193) | about a year and a half ago | (#42770291)

Reminds me of the old days when a linux kernel compile would take 6 hours and we were trying some modifications for VIA hardware which required hundreds of tries with minor changes in the driver codes - so we would start the compile with a script to play two different types of music on Error or Success, and then go to sleep.

If in the middle of the night it was dire straits then we would get up and debug/fix the errors and start a compile again; if it was some soothing instrumental we would continue sleeping knowing that it's compiled.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770859)

Why wouldn't you simply recompile the module in question?

Re:Microsoft controls computer booting (3, Interesting)

ami.one (897193) | about a year and a half ago | (#42771041)

That didn't work because we were developing a thin client type of consumer device on VIA micro boards which had to do network boot with the kernel delivered by the ISP over the network and it was not possible to have a mounted rootfs - so almost everything required was in the kernel. On top of that VIA had notoriously difficult code for its drivers which would get modified by us with almost no knowledge & just trial and error. Good times.

Re:Microsoft controls computer booting (5, Funny)

Anonymous Coward | about a year and a half ago | (#42770703)

Standard boot message:
"Is this the real life?
Is this just fantasy?
Caught in a landslide
No escape from reality..."

Oh so many lines from that song would make great kernel error messages.

Re:Microsoft controls computer booting (0)

mcgrew (92797) | about a year and a half ago | (#42770975)

Oh, for mod points...

Re:Microsoft controls computer booting (1)

Anonymous Coward | about a year and a half ago | (#42771119)

There were actually a couple of motherboards that did this back in the day for certain POST errors. There's a technet article about it somewhere since people generally freaked out and assumed the tune was being played by a boot virus.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770765)

I love the idea of singing motherboards :-) it would be much better than this stupid idea that is being forced on us in order to make more money for M$...

Are they anything like the singing cactus in The Three Amigos?

Alternatives (5, Insightful)

fyngyrz (762201) | about a year and a half ago | (#42769979)

Well, actually, another alternative is for motherboard manufacturers to continue to make motherboards that boot the same way as they have for some time. So older, fully functional operating systems can continue to boot.

Of course, this would allow us to continue to use those fully functional OSs, and remove a goodly portion of the incentive to upgrade... so one might, if one were cynical, imagine that there is a corporate motive at work here.

Re:Alternatives (4, Informative)

Anonymous Coward | about a year and a half ago | (#42770339)

Which they do. Every motherboard out there can have its secure boot disabled by the user, in addition they should all accept custom keys.

Re:Alternatives (1)

Anonymous Coward | about a year and a half ago | (#42770677)

Microsoft requires this for x86/64 (for Windows 8 certification) and forbids it for ARM (for Windows RT). So no, not every motherboard will allow the user to disable secure boot.

Re:Alternatives (0)

Anonymous Coward | about a year and a half ago | (#42771015)

Because tablets are always the bastion of openness, right?

There it really matters, things are as they should be.

Re:Alternatives (3, Informative)

nojayuk (567177) | about a year and a half ago | (#42770481)

Not implementing UEFI means the mobos can't be used in a production environment where they can receive the coveted "Windows 8 Ready" approval for millions of customers in the coming years. Continuing with the older BIOS system means they can easily boot alternative OSes for a few thousand enthusiast customers (who can in fact use UEFI anyway) but they lose the much bigger market. Decisions decisions...

Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

Re:Alternatives (4, Interesting)

Simon Brooke (45012) | about a year and a half ago | (#42770719)

Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

While in practice the pragmatics of the situation are that you are right, in principle I believe that we should be talking to the anti-trust authorities - both sides of the Atlantic - because this is very clear abuse of monopoly. Unless, of course, Microsoft irrevocably commits to authorise any version of any competing operating system for free, in which case the whole point of secure boot has just vanished.

Re:Microsoft controls computer booting (3, Insightful)

exomondo (1725132) | about a year and a half ago | (#42770435)

The alternative is to try and get every motherboard manufacturer to accept a singing key from them. Having Microsoft sign it means they don't have to deal with that headache.

Or to not use secureboot motherboards or just turn secureboot off and continue on as we do now, hell if you really wanted to use windows 8 you still could, it doesn't need secureboot either, it doesn't even need UEFI.

Re:Microsoft controls computer booting (2)

mrchaotica (681592) | about a year and a half ago | (#42770925)

  1. Step 1: Create SecureBoot, and make it "optional"
  2. Step 2: Make SecureBoot mandatory on ARM
  3. Step 3: As the market continues to shift towards phones and tablets, let x86 compatibility become obsolete
  4. Step 4: There is no step 4; Linux is now locked out of all new hardware

We're at step 2 already and step 3 is inevitable. That means we've already lost.

Re: Microsoft controls computer booting (1)

sonamchauhan (587356) | about a year and a half ago | (#42770605)

Uh, no... Merely getting the top 20 motherboard manufacturers to do that would do just fine...

In fact after 4 or 5 include the keys, the rest will be scrambling over each other to "let their computers run Linux"

Signatures can be revoked. Is it more difficult (or attractive) for 20 manufacturers to revoke keys, or for Microsoft to?

Re:Microsoft controls computer booting (4, Interesting)

ZorinLynx (31751) | about a year and a half ago | (#42771095)

Why not allow the owner of the motherboard to sign their own code? This could be done at OS install, then if any malware modifies the code, it won't boot.

Giving control to the manufacturer just sounds wrong.

Re:Microsoft controls computer booting (4, Insightful)

fph il quozientatore (971015) | about a year and a half ago | (#42769855)

Why in hell did the world give Microsoft control over computer bootup hardware? That's just insane.

I am curious - with a huge SSL signing and authorities infrastructure in place, why did no one ever think to use it? That's probably horribly broken in many other ways, but at least it will only take one solution to solve both problems, when someone manages to fix SSL.

Re:Microsoft controls computer booting (4, Interesting)

Anonymous Coward | about a year and a half ago | (#42770179)

I think you mean if someone manages to fix SSL. The huge number of SSL signing authorities is its biggest weakness IMHO.

Re:Microsoft controls computer booting (5, Insightful)

SuricouRaven (1897204) | about a year and a half ago | (#42769891)

Because Microsoft demanded OEMs give it that control, or else lose their access to dirt-cheap OEM windows licenses. As it is impossible to sell a computer without Windows outside of a very small niche - most users don't even know what an OS is - that gives Microsoft such bargaining power that when they demand, OEMs have no choice but to comply.

Re:Microsoft controls computer booting (1)

Anonymous Coward | about a year and a half ago | (#42770203)

As it is impossible to sell a computer without Windows outside of a very small niche

I think Apple would disagree, or at least say that it's a nicely sized small niche.

Re:Microsoft controls computer booting (1)

PRMan (959735) | about a year and a half ago | (#42770329)

But it also cuts down on phone support for boot sector viruses, which take significant resources for the manufacturers. So Microsoft probably didn't have to twist their arms much.

Re:Microsoft controls computer booting (1)

ozmanjusri (601766) | about a year and a half ago | (#42770429)

But it also cuts down on phone support for boot sector viruses,

Such as?

It's not a common vector any more.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770471)

As it is impossible to sell a computer without Windows outside of a very small niche - most users don't even know what an OS is - that gives Microsoft such bargaining power that when they demand, OEMs have no choice but to comply.

That is completely false, see Apple [apple.com] , System76 [system76.com] , Dell [ubuntu.com] , Zareason [zareason.com] and others. That is a pretty sizeable 'niche', but of course Microsoft have that much control because end users want Microsoft's product and those OEMs are invested in building products for them and (outside of Apple) those vendors of the alternative operating systems - and their supporters - spend all their time focussed on what Microsoft is doing and whinging about it rather than producing a product that people actually *want* to use. The only thing stopping Linux adoption is Linux and its community, just look at what happened when a competent company with a focus on the user took Linux and made it palatable for the masses - they squashed Microsoft and RIM in the smartphone market! Desktop Linux distros are built by developers for developers, that's why the vast majority of non-developers don't use them.

Re:Microsoft controls computer booting (4, Insightful)

Bob9113 (14996) | about a year and a half ago | (#42769925)

Why in hell did the world give Microsoft control over computer bootup hardware?

Because our government leaders voted that the risk of allowing corporations to inhibit competition was less threatening than the risk of allowing the government to regulate such behavior. It reflects the laissez-faire notion that corrupt elected officials are more dangerous than corrupt corporate executives. Though, in practice, our lax policy regarding such anti-free-market behavior is the result of corrupt corporate executives financing corrupt elected officials.

Re:Microsoft controls computer booting (3, Informative)

bcmm (768152) | about a year and a half ago | (#42770309)

It's a misdirection. We direct our anger at untouchable faceless corporations instead of individuals who are actually vulnerable at election time.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770315)

Leaders? You misspelled voters.

Millions of voters think Gov = bad. And therefore small government = less bad.

The voters prefer to solve the problem the wrong way, by changing the quantity and not the quality. Many of the elected happily make Big Gov smaller and send the jobs to contractors.

Re:Microsoft controls computer booting (2, Informative)

Anonymous Coward | about a year and a half ago | (#42769969)

Because the alternative is to sign with your own key and enter that into the UEFI firmware. Which you can do. The complaint from some parties is that users are too stupid to do so, so bootloaders 'must' be signed with an existing key.

Re:Microsoft controls computer booting (2)

maxwell demon (590494) | about a year and a half ago | (#42770689)

How would entering a bootloader key into an UEFI input box be more complicated than typing a product key into an installer input box, which apparently users managed to do for quite some time?

Re:Microsoft controls computer booting (1)

Anonymous Coward | about a year and a half ago | (#42771165)

Users don't install operating systems.

Re:Microsoft controls computer booting (2)

maxwell demon (590494) | about a year and a half ago | (#42771203)

Users who don't install an operating system also won't need to add a key to the firmware.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42771199)

It isn't, but that's never gotten in the way of FUD before.

Re:Microsoft controls computer booting (5, Interesting)

Mike Frett (2811077) | about a year and a half ago | (#42769971)

I actually sent a very long and detailed letter to the DOJ about this and how it constitutes a violation of the Sherman Act. Not Five (5) minutes after sending I received a generic reply about how Microsoft was not in violation of anything.

With all the E-Mail these people receive and the sheer size of my Letter, there is no way in hell the DOJ read my Letter that fast. What they did was see the word 'Microsoft' and instantly reject it.

Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic.

Re:Microsoft controls computer booting (5, Interesting)

EvilIdler (21087) | about a year and a half ago | (#42769989)

That could potentially be an article of its own. Hope you post it everywhere :)

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770019)

Microsoft is in bed with the US government at high levels so I don't think your letter will go anywhere.

Re:Microsoft controls computer booting (3, Interesting)

mrbluze (1034940) | about a year and a half ago | (#42770153)

Microsoft is in bed with the US government at high levels so I don't think your letter will go anywhere.

This is significant. What is the difference between having your computer pwned by some kind of boot-time virus that feeds your info to criminals, to having your computer pwned by some kind of government official who is also a criminal?

There is no other way to look at this situation than to accept that it is an abrogation of a basic freedom - to run whatever the hell we want on hardware we paid for

Re:Microsoft controls computer booting (1)

rocket rancher (447670) | about a year and a half ago | (#42770655)

Microsoft is in bed with the US government at high levels so I don't think your letter will go anywhere.

This is significant. What is the difference between having your computer pwned by some kind of boot-time virus that feeds your info to criminals, to having your computer pwned by some kind of government official who is also a criminal?

There is no other way to look at this situation than to accept that it is an abrogation of a basic freedom - to run whatever the hell we want on hardware we paid for

Your heart is in the right place, but I think you are missing an important piece of the big picture. You do not have any basic freedoms -- you have only those freedoms that the law allows you to have, along with the ones you choose to exercise in defiance of the law. Your freedoms change as the law changes, so the idea of a "basic" freedom is a bit of what Gilbert Ryle called a category mistake -- it's a non-starter if you are trying to premise an argument with it. That is reality. You certainly can choose to exercise your freedom to *attempt* to run whatever the hell you want on the hardware you paid for -- and that choice is *always* available to you -- but you don't automatically have the corresponding freedom to be successful at it, especially if society (corporations and their bottom-line thinking are legally classed in the US as people thanks to Citizens United, so they are by definition part of society) decides that it is in society's best interest (read: bad for the bottom line) that you should not have the freedom to be successful at it.

Re:Microsoft controls computer booting (1)

KingMotley (944240) | about a year and a half ago | (#42770041)

My guess would be that the DOJ has already thoroughly investigated secure boot, and hence they didn't really need to read your arguments in detail in order to determine where you are wrong. It wouldn't take more than a few seconds to scan your email and see that you were complaining about Microsoft and secure boot and throw it away.

Re:Microsoft controls computer booting (3, Insightful)

Patch86 (1465427) | about a year and a half ago | (#42770085)

If he was wrong, it would be nice if they could respond to each point he raised and tell him why he was wrong. Getting a reply which says "trust us, don't worry about it" is always going to be unsatisfying.

Re:Microsoft controls computer booting (1, Insightful)

KingMotley (944240) | about a year and a half ago | (#42770137)

If he wants to find out why he is wrong, perhaps he should be consulting with a lawyer. No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.

They are doing exactly what they should be doing. They group up emails that pertain to specific subjects then determine which ones they need to look into based on the number of people affected, the seriousness of the accusations, and the realistic ability to make a case. Apparently in this case, the DOJ has already looked at the issue, from some of the most informed lawyers in the country and have determined that they haven't violated any laws. Along comes Mr. Anonymous, and writes a big ass letter. Do they really need to read every point he tried to make when it most likely boils down to one legal mistake after another?

I haven't read Mr. Fretts letter, but I can only imagine it goes something like:
Dear DOJ,
        Microsoft is evil and they broke a bunch of laws including the Sherman one. As you well know, they don't have anyone named Sherman, so they are in clear violation and need to be fined, disbanded, all their source code made public domain, and all assets sold off and divvied up between all the people running linux because I'm butt hurt.
{insert 3 more pages about there being no one named Sherman}
Thank you,
Mr. Fretts.

Re:Microsoft controls computer booting (2)

ozmanjusri (601766) | about a year and a half ago | (#42770199)

No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.

If they've already done the investigation, they should include the findings in the automated boilerplate response to any question about secure boot. No additional staff needed.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770415)

If they've already done the investigation, they should include the findings in the automated boilerplate response to any question about secure boot. No additional staff needed.

Explaining basic anti-trust law to people who clearly do not understand it is not their job.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770593)

You can get those findings through a FOIA request if you really want them and they aren't for some reason exempt. There is real cost associated with having "boilerplate responses" to every potential question that someone could possibly want to know about. The only way this doesn't cost a ton of money is if for some reason you want them to treat your request in a manner that is different from how they would treat a letter from any other member of the public.

Re:Microsoft controls computer booting (4, Insightful)

martin-boundary (547041) | about a year and a half ago | (#42770363)

No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.

I'd prefer they waste their money on that, than use it to prosecute hackers who copy science papers. The money, once in the budget, will be spent regardless. If it _won't_ be spent on serving the public, it _will_ get spent on selfish career making schemes.

Re:Microsoft controls computer booting (1)

Anonymous Coward | about a year and a half ago | (#42770509)

If he wants to find out why he is wrong, perhaps he should be consulting with a lawyer. ...

The guy said: "Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic."

Apparently in this case, the DOJ has already looked at the issue, from some of the most informed lawyers in the country and have determined that they haven't violated any laws.

Tell me how that's working out with all the recent bank fraud...

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770591)

Yes, that would be terrific. DOJ officials should get into point for point Slashdot/reddit style pissing matches with every neckbeard who chooses to write a letter. Better yet, they should also write point by point responses to all the 911 conspiracy theorists about the speed of freefall and burning temperature of jet fuel. It would be productive in one thing- the govt would seize to a halt dealing with all the stupidity.

Re:Microsoft controls computer booting (1)

segedunum (883035) | about a year and a half ago | (#42770475)

My guess would be that the DOJ has already thoroughly investigated secure boot

ROTFL.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770397)

I actually sent a very long and detailed letter to the DOJ about this and how it constitutes a violation of the Sherman Act.

Link?

Re:Microsoft controls computer booting (1)

Kevin108 (760520) | about a year and a half ago | (#42770517)

If this has legs I'm sure you could work with the EFF to get an action item going for contacting our disconnected elected.

Re:Microsoft controls computer booting (1)

Anonymous Coward | about a year and a half ago | (#42770615)

I just read a story the other day where a guy rented a store front to the ATF for a completely "failed" sting operation and they left owing him $15,000 in back rent. When he asked them to pay they sent him a letter explaining that harassing a federal agent is a serious issue and he needs to stop immediately.

ATF [jsonline.com]

The government isn't there to help you. That's why I don't get when people say we need more regulation because it always hurts the little guy and they won't listen to you. With business at least you can choose to not buy from them.

Re:Microsoft controls computer booting (1)

Sulphur (1548251) | about a year and a half ago | (#42770735)

I actually sent a very long and detailed letter to the DOJ about this and how it constitutes a violation of the Sherman Act. Not Five (5) minutes after sending I received a generic reply about how Microsoft was not in violation of anything.

With all the E-Mail these people receive and the sheer size of my Letter, there is no way in hell the DOJ read my Letter that fast. What they did was see the word 'Microsoft' and instantly reject it.

Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic.

Microsoft is proprietary and not generic.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770055)

I'm sure China will provide hardware that allows non-MS OS. I will buy Apple which is just as bad, before I am forced into buying into MS-only machine.

Re:Microsoft controls computer booting (2, Interesting)

sl4shd0rk (755837) | about a year and a half ago | (#42770099)

Why in hell did the world give Microsoft control over computer bootup hardware?

The world didn't. Microsoft, along with a handful of major hardware vendors did. This is what monopolies do.

Re:Microsoft controls computer booting (1)

GameboyRMH (1153867) | about a year and a half ago | (#42770255)

Because collectively we're a bunch of dumb bastards, that's why.

But the good news is that this new multi-bootloader is effectively a crack for UEFI secure boot. Virus writers could use it for boot sector viruses, putting the situation right back where it stood before, but with more complexity...which is probably the best we could hope for at this point. Boot sector viruses were an extreme rarity before, and I don't see them being any more common now that most Windows users aren't running with admin privileges all the time.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770505)

If this bootloader is used for viruses then Microsoft will blacklist it and you won't be able to use it.
The next bootloader will then need to be more secure until we have no more boot sector viruses.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770853)

An end user could freely remove the Linux certs so that virus writers couldn't install an unwanted bootloader. Hopefully most motherboard manufacturers have an option to disable certs so we don't need to out-right remove them.

Re:Microsoft controls computer booting (2)

isorox (205688) | about a year and a half ago | (#42770347)

The redesigned bootloader has already been submitted to Microsoft for singing and once the signed version is received, The Linux Foundation is planning to provide it for free.

Why in hell did the world give Microsoft control over computer bootup hardware?

That's just insane.

The idea was suggested 16 years ago, you have Stallman to blame.

Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that. [gnu.org]

Re:Microsoft controls computer booting (1)

c (8461) | about a year and a half ago | (#42770561)

Why in hell did the world give Microsoft control over computer bootup hardware?

That's just insane.

In return, the world got some marketing incentives for shipping Windows 8 on their computers.

That's just... wow.

Re:Microsoft controls computer booting (1)

maxwell demon (590494) | about a year and a half ago | (#42770675)

The redesigned bootloader has already been submitted to Microsoft for singing and once the signed version is received, The Linux Foundation is planning to provide it for free.

Why in hell did the world give Microsoft control over computer bootup hardware?

That's just insane.

Who's going to sing that bootloader at Microsoft? And how will they sing it? In hex?
I hope they publish a video of that performance. ;-)

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42770831)

Because the Linux community is too fragmented to effectively have every motherboard manufacturer add every cert from every distro.

Re:Microsoft controls computer booting (0)

Anonymous Coward | about a year and a half ago | (#42771215)

Why in hell did the world give Microsoft control over computer bootup hardware?

That's just insane.

So Ballmer has given up throwing chairs in favour of torture by singing? Now that's insane..

and harsh...

It does not work yet... (1)

Zemran (3101) | about a year and a half ago | (#42769913)

... no story here, move along.

re: samsung (1)

X0563511 (793323) | about a year and a half ago | (#42769917)

Who would have thought that just randomly poking memory of a laptop would brick it. Long ago Samsung told me that it was just fine to be doing this, and that there would not be any problems (I based the samsung-laptop driver on code that Samsung themselves gave me.)

Hmm... so the firmware is so retarded that bad values in RAM can permanently break the hardware?

That sounds safe. Hope that thing comes with ECC RAM!

Re: samsung (2)

Gaygirlie (1657131) | about a year and a half ago | (#42770205)

Later on in the thread someone said that clearing NVRAM is enough to fix the brick, i.e. either remove the NVRAM battery or otherwise prevent it from refreshing the NVRAM for 30 seconds and you're golden. Granted, that still requires opening up the whole laptop.

Isn't this, "also Linux works round Samsung bug" (1)

Anonymous Coward | about a year and a half ago | (#42769919)

It was Samsung firmware at fault. Their fault. Place blame correctly.

Re:Isn't this, "also Linux works round Samsung bug (5, Informative)

ProfMobius (1313701) | about a year and a half ago | (#42770049)

Agreed. From http://www.jakobheinemann.de/en/blog.html [jakobheinemann.de] :

The implementation in Samsung's UEFI shows some weird behavior. Error code EFI_INVALID_PARAMETER should only be returned, if one of the given pointers to variables is NULL and pointing to an invalid memory section. Samsung's implementation also throws this error, if the given memory blocksize is not exactly 128 bytes, so for example (like the Linux-efivars module does) 1024 bytes. The Linux module does not expect the strange error code (it checks for NULL pointers itself) and does not report any UEFI variables, no boot entries, no nothing. The installer accepts that and installs the Linux boot entry into the first slot, where actually the boot entry for the setup is located - overwriting that entry! Setup is dead since Linux took its boot entry.

It does look like the Samsung implementation is doing weird things and Linux is doing weird things in return because it is expecting it to follow standards...
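An added example, not taken from the quoted blog post or from the Linux kernel: a toy C model of the failure chain quoted above, next to the check that stops it. The variable store, `next_var`, `enumerate` and `pick_slot` are hypothetical stand-ins constructed for illustration; only the status names and the 128/1024-byte sizes come from the quote and the UEFI specification.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: status names follow the UEFI spec, values are arbitrary. */
typedef enum { EFI_SUCCESS, EFI_NOT_FOUND, EFI_INVALID_PARAMETER } efi_status;

/* Constructed variable store; Boot0000 stands for the firmware setup entry. */
static const char *const store[] = { "Boot0000", "BootOrder", "Timeout" };
#define MAX_SLOTS 16

/* Toy stand-in for GetNextVariableName. With quirk set, any buffer size
   other than 128 gives EFI_INVALID_PARAMETER, as in the quoted post. */
static efi_status next_var(size_t *idx, char *name, size_t size, int quirk)
{
    if (!idx || !name || size == 0) return EFI_INVALID_PARAMETER;
    if (quirk && size != 128) return EFI_INVALID_PARAMETER;
    if (*idx >= sizeof store / sizeof store[0]) return EFI_NOT_FOUND; /* end of list */
    snprintf(name, size, "%s", store[(*idx)++]);
    return EFI_SUCCESS;
}

/* Mark used Boot#### slots. Returns 1 only if the walk ended with
   EFI_NOT_FOUND, i.e. the list is known to be complete. */
static int enumerate(size_t bufsize, int quirk, int used[MAX_SLOTS])
{
    char name[1024];
    size_t idx = 0; unsigned slot; efi_status st;
    memset(used, 0, MAX_SLOTS * sizeof used[0]);
    while ((st = next_var(&idx, name, bufsize, quirk)) == EFI_SUCCESS)
        if (strlen(name) == 8 && sscanf(name, "Boot%4x", &slot) == 1 && slot < MAX_SLOTS)
            used[slot] = 1;
    return st == EFI_NOT_FOUND;
}

/* Pick a free slot; with require_complete, return -1 if enumeration failed. */
static int pick_slot(size_t bufsize, int quirk, int require_complete)
{
    int used[MAX_SLOTS];
    if (!enumerate(bufsize, quirk, used) && require_complete) return -1;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (!used[i]) return i;
    return -1;
}

int main(void)
{
    printf("unchecked: slot %d, checked: slot %d\n",
           pick_slot(1024, 1, 0), pick_slot(1024, 1, 1));
    return 0;
}
```

An empty list that ended on an unexpected status is not the same as an empty variable store; the checked path treats it as "unknown" and writes nothing.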

Re:Isn't this, "also Linux works round Samsung bug (2)

IAmR007 (2539972) | about a year and a half ago | (#42771045)

I just hope this doesn't end up like ACPI, where everything is broken and only companies with secret specs can be made to work easily.

No. (1)

boorack (1345877) | about a year and a half ago | (#42770485)

It's the fault of whoever designed this crap in the first place (Microsoft?). My opinion is that it does NOT serve any useful purpose, and it doesn't improve overall security of a PC. It only causes problems. The only purpose of this thing is to reinforce Microsoft lock-in on PC consumer market.

But hibernation was right out? (0)

Anonymous Coward | about a year and a half ago | (#42769927)

So the hibernation functionality had to be removed because it could be used to boot an unsigned operating system, but this is A-okay?

Then why UEFI (1)

Faisal Rehman (2424374) | about a year and a half ago | (#42769941)

So is there need of secure boot?

Re:Then why UEFI (0)

Anonymous Coward | about a year and a half ago | (#42770013)

Secure Boot is a feature which Linux would benefit from too.

Re:Then why UEFI (1, Insightful)

Anonymous Coward | about a year and a half ago | (#42770117)

Only if user can set the keys, not MS / NSA.

Re:Then why UEFI (1)

Rockoon (1252108) | about a year and a half ago | (#42770569)

Only if user can set the keys, not MS / NSA.

So secure boot IS a feature which Linux would benefit from, too. Thanks AC.

Re:Then why UEFI (0)

Anonymous Coward | about a year and a half ago | (#42770877)

Part of getting MS's blessing for OEMs to re-sell Win8 is to allow end users to manage certs. Go figure. Making up FUD.

Let me take a shot at this game.

Linux isn't secure because malware writers can insert back-doors directly into the source.

Yay, FUD for everyone! I do agree that MS kind of deserves it.

shortest bible verse (0, Offtopic)

Jarno Hams (1362467) | about a year and a half ago | (#42769949)

linus spoke

Problem would solve itself if we stop buying crap (0)

Anonymous Coward | about a year and a half ago | (#42770005)

The reason Microsoft gets away with this is because they have dominance in the market and we little users have not taken the initiative to purchase hardware from companies that respect our freedom. In fact there is only one company that has shown any real concern here. ThinkPenguin is the only company you can get a system from with Linux and know that there aren't any proprietary driver/firmware dependencies. The company doesn't sell ANY devices which are not compatible with 100% free versions of Linux. Humorously this is only partially done for ethical reasons. The founder recognized the major problem new users face with Linux is proprietary software. That was while working for a commercial distribution which included a lot of proprietary software. ThinkPenguin now is leading the way on the hardware front mostly thanks to the fact they have made the adoption of Linux by more novice users much easier. Just imagine what they could do if the larger community stopped complaining and started buying Linux friendly hardware.

Re:Problem would solve itself if we stop buying cr (-1)

Anonymous Coward | about a year and a half ago | (#42770045)

Windows has become so good that there really is no point running Linux on desktops anymore.

Re:Problem would solve itself if we stop buying cr (0)

Anonymous Coward | about a year and a half ago | (#42770073)

so why the need to use secure boot if windows is so good ?

Re:Problem would solve itself if we stop buying cr (0)

Anonymous Coward | about a year and a half ago | (#42770149)

Windows has become so good that there really is no point running Linux on desktops anymore.

I had a giggle, but sorry, bait not taken.

We expect a slightly higher quality of trolling on this site. A little bit of effort please.

Re:Problem would solve itself if we stop buying cr (1)

santosh.k83 (2442182) | about a year and a half ago | (#42770555)

ThinkPenguin is a ray of hope. Unless Linux finds a reasonable level of support from hardware makers it's going to keep getting more difficult to counter the strategies of Microsoft, Apple and co. An alternative to buying from ThinkPenguin (since shipping is likely to be a put-off for international orders) is to purchase individual components from those manufacturers who don't restrict their hardware with Windows only drivers or are particularly uncooperative with the FOSS community. This won't directly sway the issue of Secure Boot, but still the FOSS community does number in the tens of millions at least, and so coordinated action can send strong signals, provided it can unite together. Anyone know of an updated online database for hardware (and their makers) that plays well with FOSS?

Samsung UEFI (2, Interesting)

Anonymous Coward | about a year and a half ago | (#42770057)

So ... does this mean Windows installs are just as vulnerable to a malicious piece of code poking bits to the wrong memory addresses and bricking the laptop? Since it's a UEFI problem, it should be OS-agnostic.

Re:Samsung UEFI (0)

Anonymous Coward | about a year and a half ago | (#42770709)

It's one thing to test it so that it works with Windows, it's another thing to make sure it is a proper implementation of the standard. While the bug and the standard would be OS-agnostic, the QA testing almost assuredly would not be.

Yeah, you know (0)

Anonymous Coward | about a year and a half ago | (#42770059)

Good old "BootServices->LoadImage()".

Who loads the pre-loader? (1)

Anonymous Coward | about a year and a half ago | (#42770133)

He who pre-loads the pre-loads pre-loads what he wishes.

Fuck secureboot, it must die, not be worked around (1)

Anonymous Coward | about a year and a half ago | (#42770187)

Fuck secureboot.
It must die, not be worked around.

Re:Fuck secureboot, it must die, not be worked aro (1)

maxwell demon (590494) | about a year and a half ago | (#42770741)

There's nothing wrong with secureboot as long as you, as the owner of the computer, can install the keys for your OS. Indeed, you should even have the option to only install your own keys (i.e. to remove the installed keys, ideally with the ability to backup), in case you want to make sure nobody installs another operating system than the one you have chosen.

There is the key problem.. (2)

Junta (36770) | about a year and a half ago | (#42770847)

The concept of 'SecureBoot' is inherently unable to accommodate user keys very well. The reason being that ability to write the keystore from the OS in a straightforward manner makes it, by definition, powerless. Now it could be mucked with so that for desktop systems you request some one-time passphrase from firmware setup and then use that in the OS to push your key. For servers you could use ability to authenticate to service processor as a key (complication being that it would have to be a credential beyond the reach of IPMI KCS type interfaces, since that's not securable). Ultimately though, the whole concept of secureboot as the mechanism to always protect the boot sequence is flawed. Thinking about the larger picture proves this out. The more precisely a security mechanism can model the authentic intent of the authorized user, the better. SecureBoot as defined can only model the vendor's intent, which has to be fairly wide open. Some people have said that this could protect the integrity of SELinux, but then again malicious policy data could be fed in. You could argue that perhaps they can at least be tamper-evident with an audit log, which is critical but not ambitious enough. What they should have emphasized was a mechanism where the firmware and OS work together with the TPM. The authorized OS takes ownership of the TPM and from then on the boot process would be protected in that way. Offline attacks can be meaningfully mitigated to a significant degree, which SecureBoot really cannot. The OS would require passphrase to sign kernel, initrd, and loader configuration file. The model wouldn't scale up beyond that, but the likes of LUKS could actually meaningfully take it from there to assure tamper-proof filesystem and hibernate memory images.

Re:There is the key problem.. (2)

maxwell demon (590494) | about a year and a half ago | (#42771123)

The key installation process could remain completely in the BIOS. First, the OS verifies the boot image with the installed keys. If that fails, it looks for the key in a standardized location. If no key has yet been installed (which means this is the initial installation boot) it just installs that key. Otherwise, it asks the user for a fingerprint of the key, which for bought OS versions can be entered from the installation instructions (very much like the product key today), and for self-signed bootloaders you'd just generate that from the key. Note that at this point no operating system is yet running so unless the BIOS itself is compromised (in which case all protection it might have provided is gone anyway) there's no way any malware could interfere with that process (of course it also must be secured that the initial installation state cannot be reached again except from within the BIOS).

For pre-installed computers, the initial installation would be done by the vendor; if the user wants to install an operating system with another key than the pre-installed one (e.g. wants to switch from Windows to Linux), all he has to do is to enter a key fingerprint found in the documentation when booting up the install disk. For computers bought without OS, even that step is not needed.

I don't know much about servers, but I guess they are generally sold either without OS, or preinstalled with the OS intended to be used. In both cases, there would be no need for user interaction.

This scheme of course leaves a small hole in that you might install your initial OS from compromised installation media (for subsequent installations, that would be caught by the need to enter the fingerprint, unless you are switching vendors and also the documentation was compromised). However I don't think that risk is much higher than the risk of having a compromised BIOS, especially given that end user computers are generally sold pre-installed.

Samsung's response? (3, Interesting)

harryjohnston (1118069) | about a year and a half ago | (#42770213)

Has anybody seen confirmation that Samsung will be repairing affected users' machines under warranty? Definitely a design fault, it should be impossible for software to brick hardware.

Re:Samsung's response? (0)

Anonymous Coward | about a year and a half ago | (#42770581)

The question is - whose design fault? In my mind, it is the kernel developers who work on efi support who are at fault. Their fix for the problem is not a fix - just a hack. See http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e0094244e41c4d0c7ad69920681972fc45d8ce34

No... (1)

Junta (36770) | about a year and a half ago | (#42770863)

Just because a developer puts out a *workaround* to avoid exacerbating a problem, does not mean they were the ones to make the mistake first. Notably, I personally know of UEFI implementations where in any way messing with the method to get into setup is impossible from the running OS. It is perfectly possible and reasonable to have a firmware that can keep itself whole and allow a user to be confident that no matter what the OS does, they can trivially reset to defaults. I know developers that are exceedingly careful about the efi variable space and how it must not impact the ability to recover.

Re:Samsung's response? (0)

Anonymous Coward | about a year and a half ago | (#42770801)

No, but if you suddenly see a bunch of laptops on the Samsung Store's refurb page, you'll know what really happened :-)

Can't you just disable secure-boot? (0)

Anonymous Coward | about a year and a half ago | (#42770257)

Can't you just disable secure-boot if you don't want a distro tainted by Microsoft?

Re:Can't you just disable secure-boot? (2)

maxwell demon (590494) | about a year and a half ago | (#42770753)

On x86, you can -- for now. On ARM, you can't -- at least if it is Windows 8 certified.

Nothing Has Been Fixed With Samsung Laptops (5, Informative)

segedunum (883035) | about a year and a half ago | (#42770469)

I don't know where people get that idea from. If you read the kernel people are just disabling the driver because the code is so utterly retarded. Samsung haven't done shit about it as is typical for Samsung.