Slashdot: News for Nerds

Linus Torvalds Clarifies His Position on Signed Modules

Unknown Lamer posted about a year ago | from the sarah-palin-vs-tcpa's-ugly-head dept.

Linux 208

An anonymous reader writes "No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs. But, how Linux should handle the fixes required to deal with this problem remains a hot-button issue. Now, as the debate continues hot and heavy, Linus Torvalds, Linux's founder and de facto leader, spells out how he thinks Linux should deal with Secure Boot keys." And it's not in the control of Microsoft: distros should sign only the modules they provide with their key, with user built modules signed by locally generated keys (since, as SSL certification authority break-ins have shown, centralized trust systems are prone to abuse and offer dubious security benefits). Basically, no love for proprietary kernel modules.


208 comments

Oh, Linus; so adorable when you are angry. (-1, Troll)

Anonymous Coward | about a year ago | (#43044275)

I like how Linus (and a lot of the more security paranoid amongst us) have been talking about securing the boot chain for a few decades now, but now that it appears that they've finally won the day and convinced the wider world to get this going it's suddenly TEH EVIL and NOT FREE.

Sorry, dudes, Secure Boot is actually a pretty nice technology, you can load keys of your choice, and you know what? You probably weren't going to buy a surface RT anyway.

Re:Oh, Linus; so adorable when you are angry. (5, Informative)

MurukeshM (1901690) | about a year ago | (#43044311)

What are you smoking? He just provided guidelines for using keys while running Linux. He didn't say UEFI is evil, he just doesn't want to sign off the ability to boot Linux on UEFI+Secure Boot to some big company.

Re:Oh, Linus; so adorable when you are angry. (-1)

Anonymous Coward | about a year ago | (#43044347)

... he just doesn't want to sign off the ability to boot Linux on UEFI+Secure Boot to some big company.

But I'll bet you he would love to have control of it himself. He's done a lot of good for computing in general, but his ego and attitudes often eclipse his accomplishments.

Re:Oh, Linus; so adorable when you are angry. (0, Troll)

fustakrakich (1673220) | about a year ago | (#43044371)

You're confusing him with Assange

Re:Oh, Linus; so adorable when you are angry. (5, Informative)

Dunbal (464142) | about a year ago | (#43044461)

Especially some big company that has already been hacked and had its certificates compromised in the past.

Re:Oh, Linus; so adorable when you are angry. (5, Interesting)

smpoole7 (1467717) | about a year ago | (#43044581)

It's important to note, though, that Linus isn't saying this just because "Itz Micro$OFT OMG run!11!!" Another nice quote from Linus:

"Encourage things like per-host random keys--with the stupid UEFI checks disabled entirely if required. They are almost certainly going to be *more* secure than depending on some crazy root of trust based on a big company, with key signing authorities that trust anybody with a credit card. Try to teach people about things like that instead."

Like I said elsewhere, Linus can be a big, furry anus, but all he cares about is his baby: the Linux kernel, keeping it free, and giving maximum freedom to the *USER*. I like that.

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044633)

The problem is that giving freedom to an uneducated user is the worst security practice.

Re:Oh, Linus; so adorable when you are angry. (1)

bbelt16ag (744938) | about a year ago | (#43044853)

You are talking about advanced Linux users. Not grandma or the little boy with gum in his hair. They know how to build a kernel and set up grub. If they don't, they should learn.

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044919)

Have you met most Linux users lately? They know how to copy and paste crap from the Ubuntu forums. They had problems of their own doing in Windows, blamed "M$" and now use Linux.

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044997)

That is marginally accurate of an Ubuntu user, but the other distros are still popular and have only been gaining users since Shuttleworth started sodomizing his userbase.

Re:Oh, Linus; so adorable when you are angry. (1)

Electricity Likes Me (1098643) | about a year ago | (#43045179)

That is marginally accurate of an Ubuntu user, but the other distros are still popular and have only been gaining users since Shuttleworth started sodomizing his userbase.

Also it misses the point entirely. Distro maintainers should decide how and why UEFI is used. It shouldn't be baked into the Linux kernel, and if you want to build your own kernel, then it's something you should decide yourself.

Re:Oh, Linus; so adorable when you are angry. (3)

fredprado (2569351) | about a year ago | (#43044855)

It is still far preferable than giving control to anyone else.

Re:Oh, Linus; so adorable when you are angry. (2)

jbolden (176878) | about a year ago | (#43045177)

I'd say end users who are at a minimum configuring and compiling their own kernel modules are rather educated.

Re:Oh, Linus; so adorable when you are angry. (1)

jareth-0205 (525594) | about a year ago | (#43044653)

So what have you, oh AC, accomplished then that gives you the ability to judge his ego? His being the leading figure in one of the largest distributed projects in human history not enough for you?

Re:Oh, Linus; so adorable when you are angry. (-1, Troll)

Anonymous Coward | about a year ago | (#43044713)

Different AC here. You don't need any special talents to be able to identify an egomaniac, especially one who acts like Torvalds. Taking Linux to where it is today does not give him, or anyone, carte blanche to act like his wants and opinions are more important than anyone else's.

If Linus doesn't like the Intel/MS control over UEFI then let him conjure up a viable alternative and get it to market. Complaining that those who created a technology have final word over how it is implemented is fruitless, just as complaining that Torvalds holds final control over Linux is a waste of time.

Re:Oh, Linus; so adorable when you are angry. (5, Informative)

Goaway (82658) | about a year ago | (#43044757)

act like his wants and opinions are more important than anyone else's.

Actually, when it comes to the Linux kernel, his opinions are more important than anyone else's, because he has final say on it.

If Linus doesn't like the Intel/MS control over UEFI then let him conjure up a viable alternative and get it to market.

Like he does in the linked article?

Re:Oh, Linus; so adorable when you are angry. (3, Interesting)

fredprado (2569351) | about a year ago | (#43044871)

His opinions regarding Linux are more important than anyone else's. I know you don't like it but that does not make it less true. And the best way to deal with UEFI is to disable it. Simple as that.

RE: #43044347 (-1)

Anonymous Coward | about a year ago | (#43044833)

It's pretty obvious you haven't listened to Linus speak. I get quite the different impression: humble, hard-working, interested. Let me know when you have your OS ready so that you'll be on equal footing - just sayin'.

It's a shame people have to attack at a personal level rather than offer a logical reason/argument against his ideas.

We see how well MS handles things; people are concerned that MS will mess this up. I'm actually surprised the DoJ isn't involved. There has to be a lot of money involved. Every article about this "technology" says that it addresses a non-existent boot-exploit issue. So, people want to know what MS's motive is behind this.

Rather than everyone petitioning the WH to be allowed to alter their paid-for iPhone (and what not), this is an issue that has worth too, in a White House petition.

CAPTCHA = 'somehow' -- how fitting...

Re: #43044347 (0)

Anonymous Coward | about a year ago | (#43044987)

Non-existent? I thought this was supposed to keep that obnoxious MBR-loaded malware from being ported over to GPT.

Re:Oh, Linus; so adorable when you are angry. (5, Informative)

Chrisq (894406) | about a year ago | (#43044905)

... he just doesn't want to sign off the ability to boot Linux on UEFI+Secure Boot to some big company.

But I'll bet you he would love to have control of it himself.

No: From TFA:

Torvalds concluded, "It really shouldn't be about Microsoft blessings, it should be about the *user* blessing kernel modules. Quite frankly, *you* are what the key-hating crazies were afraid of. You peddle the "control, not security" crap-ware. The whole "Microsoft owns your machine" is *exactly* the wrong way to use keys.

He goes on to give details of how this would work (each distro has a key and users have to explicitly grant permission to install non-distro apps)

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044355)

Nice try, Ballmer.

Re:Oh, Linus; so adorable when you are angry. (5, Interesting)

ledow (319597) | about a year ago | (#43044431)

"you can load keys of your choice"

I think this is the biggest, and most complained about, assumption in all the debacle. If it was true, the Microsoft key issue wouldn't exist (we'd just have a "Linus key" and that would be the end of it).

Sure, MS give lip service to this but there's nothing that guarantees it will be available. Nothing at all. You can turn Secure Boot off, but then you've had BIOS engineers working on a feature that you then turn off because it doesn't work as you need it to.

But nothing guarantees that every user will ever be able to add a key to their own machines, nor that machines would ever come supplied in a way that would ever suggest that's what needed.

Having just fixed a 2012-issue BIOS bug a few months ago, and it being pretty much par for the course with even the larger consumer manufacturers to have such bugs, I don't trust that a BIOS option to enter a key I trust will be present in machines before I've bought them.

The bug I reported (and had to get a custom BIOS patch for)? A whole series of laptop machines from my normal supplier, using big-name BIOSes, motherboards, and other components (and Windows 7 stickers on them!), would refuse to boot if a certain offset on the selected bootable partition on the first disk was not zero.

That offset is actually always zero on a plain Windows NTFS drive. On Linux, or any other filesystem, it is not. On any encrypted system - even with an NTFS partition - (we discovered the problem using Truecrypt), it was not.

You could not fake partitions and juggle them around - whatever the bootable partition was was checked, no matter what the filesystem signature on it. God knows what happens if you use GPT and equivalents. Even chain-loading from partitions was next-to-impossible to set up with booting into an encrypted Windows setup (you would have to boot from an unencrypted NTFS partition into an encrypted one somehow and even playing games with syslinux etc. it was too difficult to even demonstrate a single working example, let alone deploy company-wide) .

Any non-zero byte in that position on the disk, which could be verified with a hex-editor on a blank disk, rendered the machine unbootable. Black screen, no boot options, no truecrypt loader, it just stopped. Zero the byte and it would happily boot again.

Yes, it's stupid and it SHOULD NOT HAPPEN. But only our threat of sending many thousands of pounds worth of laptops back because they did not fulfill the stated purpose actually prompted the reseller to nudge the manufacturer to nudge the board supplier, to nudge the BIOS supplier, to hack up a dirty patch to their BIOS labelled with all sorts of beta / not for distribution / etc. warnings. And even then, it was a close-run thing because the reseller was ready to just say "not our problem, it runs Windows which we supplied with it" at any second and only the threat of a lot of future business prompted any sort of action from them.

UEFI just puts an unnecessary burden of responsibility onto BIOS manufacturers and Microsoft. And the vast majority of BIOS manufacturers (even AMI, Pegasus, etc.) are inherently bad and aim at making machines that boot only Windows and then walk away saying "not my problem". Try finding a machine with valid ACPI tables; the problem has actually got WORSE since ACPI became commonplace and in every machine.

Samsung only the other week had a problem where a BIOS issue can cause a complete machine bricking no matter what the OS, but Windows triggers it less because it doesn't do certain things that are perfectly reasonable to do by the standards.

Nobody *cares* what *SHOULD* work. They care what could *NOT* work. And relying on your BIOS manufacturer to be able to boot Linux successfully is, historically, one of the most contentious areas of computer manufacture ever.

Re:Oh, Linus; so adorable when you are angry. (5, Informative)

AdamWill (604569) | about a year ago | (#43044543)

"Sure, MS give lip service to this but there's nothing that guarantees it will be available. Nothing at all."

Yes, there is. I quote http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256 , "Windows Hardware Certification Requirements for Client and Server Systems":

"Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

        It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

        If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.

        The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults. On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled."

Re:Oh, Linus; so adorable when you are angry. (1, Insightful)

fnj (64210) | about a year ago | (#43044625)

Except Microslop could change what passes for their mind tomorrow and there would be no recourse.

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044735)

Well except some massive anti-trust lawsuits all over the world.

Re:Oh, Linus; so adorable when you are angry. (2)

Dorkmaster Flek (1013045) | about a year ago | (#43044745)

Also, let's not forget the "non-ARM systems" part. The fact that they're locking down anything sours me on the whole secure boot BS.

Re:Oh, Linus; so adorable when you are angry. (1)

AdamWill (604569) | about a year ago | (#43044955)

Everyone locks down ARM. It sucks when Microsoft does it, but no more than when Google does it (you can't boot whatever you like on ARM Chromebooks), or Samsung, or Apple, or...

If you want to run Linux on an ARM machine, don't buy one with Windows on it, sure.

Re:Oh, Linus; so adorable when you are angry. (2)

ozmanjusri (601766) | about a year ago | (#43045247)

you can't boot whatever you like on ARM Chromebooks

Yes you can.

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044765)

Except that's not a rational argument, it's baseless paranoia.

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044923)

That IS the lip service. Some laptops have shipped without instructions on how to get to the bios screen. They are technically compliant according to what you wrote.

Re:Oh, Linus; so adorable when you are angry. (1)

AdamWill (604569) | about a year ago | (#43044971)

Hardware ships with terrible firmware! Film at 11!

It is my previously stated opinion that the firmware engineers' union lists 'deep familiarity with a crack pipe' as a minimum baseline requirement for joining, so this shouldn't really _surprise_ anyone. Secure Boot sucks insofar as it's another firmware mechanism for the firmware engineers to fuck up, but it's not like we're _short_ of those.

Re:Oh, Linus; so adorable when you are angry. (1)

Anonymous Coward | about a year ago | (#43044945)

But why is it okay to deny users of ARM systems the freedom we've all taken for granted lo these many years?

Re:Oh, Linus; so adorable when you are angry. (3, Interesting)

ledow (319597) | about a year ago | (#43045159)

Now read what you wrote.

"It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. *****This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.******"

So the minimum requirement is that you can delete all the keys.

"If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off."

So when you delete the keys, SecureBoot is turned off.

There's also an option to always put the Microsoft key back in place. But that's it. At no point does it guarantee that you can enter an arbitrary key and keep secure mode on. Which is basically what I said.

And "possible" can be provided by means of, say, a supplied disk available at extra cost from the manufacturer that has to be inserted for such action to be taken at all.

Lip service.

Re:Oh, Linus; so adorable when you are angry. (2)

drinkypoo (153816) | about a year ago | (#43045165)

"Sure, MS give lip service to this but there's nothing that guarantees it will be available. Nothing at all."

Yes, there is. I quote http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256 , "Windows Hardware Certification Requirements for Client and Server Systems":

Now please inform us as to under which conditions windows hardware certification may be revoked.

Re:Oh, Linus; so adorable when you are angry. (2)

serviscope_minor (664417) | about a year ago | (#43044721)

but Windows triggers it less because it doesn't do certain things that are perfectly reasonable to do by the standards.

I do love how someone effectively wrote a "brickme.exe" for windows to prove this point. That shows some real dedication. I wonder how many times he tested it.

Re:Oh, Linus; so adorable when you are angry. (1)

recoiledsnake (879048) | about a year ago | (#43044851)

I think this is the biggest, and most complained about, assumption in all the debacle. If it was true, the Microsoft key issue wouldn't exist (we'd just have a "Linus key" and that would be the end of it).

Sure, MS give lip service to this but there's nothing that guarantees it will be available. Nothing at all. You can turn Secure Boot off, but then you've had BIOS engineers working on a feature that you then turn off because it doesn't work as you need it to.

Sorry but that's just wrong.
Here's how you add your own keys (and remove Microsoft's if you want):
http://blog.hansenpartnership.com/owning-your-windows-8-uefi-platform/

Owning your Windows 8 UEFI Platform
Posted on 15 February 2013 by jejb

Even if you only ever plan to run Windows or stock distributions of Linux that already have secure boot support, I'd encourage everybody who has a new UEFI secure boot platform to take ownership of it. The way you do this is by installing your own Platform Key. Once you have done this, you can use key database maintenance tools like KeyTool to edit all the keys on the platform and move the platform programmatically from Setup Mode to User Mode and back again. This blog post describes how you go about doing this.

First Save the Variables

The first thing to do is to install and run KeyTool either directly (the platform must have secure boot turned off, because KeyTool is unsigned) or via the mini USB image and save all the current secure variable keys (select the 'Save Keys' option from the top level menu). This will save the contents of each variable as a single esl (EFI Signature List) file, so you should end up with three files: PK.esl, KEK.esl and db.esl. These files can later be used to restore the contents if something goes wrong in the updates (and because some platforms put you into setup mode by erasing the contents of all the secure variables), so save them in a safe place.

Use the UEFI Menus to remove the Platform Key

This is the step that it's impossible to be precise about. Every UEFI platform seems to be different in how you do this. The Linux Foundation hosts a web page collecting the information but so far it only has the Intel Tunnel Mountain system on it; if you work it out for your platform, leave me a comment describing what you did and I'll add it to the LF page.

The most common way to get a UEFI system to display the UEFI menus is to press ESC as it boots up.

Create your own Platform Key

If you installed efitools from the rpm, it will automatically have created a Platform Key for you in /usr/share/efitools/keys, plus all of the PK.auth and noPK.auth files.

A platform key may be self-signed, but doesn't have to be (I'm using one signed with my root certificate). However, assuming you want to create a self-signed platform key manually, here are the steps. The standard command for doing this with openssl is

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=<my name>/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256

None of the parameters for the key (like the Common Name) matters, so you can replace <my name> with anything you like (mine says 'James Bottomley Platform Key 2013'); you can also add other X509 well known objects like your address. Once you have the two files PK.crt and PK.key, you need to save them in a safe location (PK.key is the one to guard since it's your private key).

Next, create an EFI Signature List file with the public key in (this and the next steps require that you have either installed the efitools rpm or compiled the unix commands from efitools.git and installed them on your system)

cert-to-efi-sig-list -g <GUID> PK.crt PK.esl

where <GUID> is any random GUID you choose. You also need to create an empty noPK.esl file which can be used to remove the platform key again

> noPK.esl

(do an ls -l on it to make sure it has zero size).

Now you create the signed update files (called .auth files)

sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth

sign-efi-sig-list -k PK.key -c PK.crt PK noPK.esl noPK.auth

Copy the two .auth files to your USB key and you should now be able to use KeyTool to insert them into where the platform key is. Go to 'Edit Keys', select 'The Platform Key (PK)' and then 'Replace Key(s)'. Navigate the file chooser to your PK.auth file and you now are the platform owner. Press ESC to go to the top level menu and it should tell you the platform is in User Mode and Secure Boot is enabled. Now verify you can move back to Setup Mode by going to 'Edit Keys', 'The Platform Key (PK)' and this time selecting the first entry (showing the GUID you chose for your platform key) and then 'Delete with .auth file'. This time navigate to noPK.auth and select it. The platform key should now be gone and when you ESC to the top menu it will tell you you are in Setup Mode. You now own your own platform and can move easily between setup and user modes.

Replace or Edit the rest of the Keys

Now you own your own platform, restoring or replacing the current platform keys is easy. Where you saved the original keys, you should have a KEK.esl and a db.esl file. If you find that KEK and db are blank, you can restore them with these files: simply place the platform into Setup Mode, go to 'Edit Keys', 'The Key Exchange Key Database (KEK)' and 'Replace Key(s)' and finally navigate to the KEK.esl file you saved. You can also do the same thing with db.esl.

Now your platform should be back to its original condition except that you own the Platform Key and can decide easily to flip it into Setup Mode. Once in setup mode, you can edit the actual keys. One thing you can do is create your own signature key (using the method above for PK) and place it into db. You could also (assuming you never plan to boot Windows) delete all the Microsoft keys from the system. Beware if you decide to do this that some of your UEFI drivers may be signed by Microsoft keys, and removing them all may limit the functionality of your UEFI platform. Additionally, any UEFI update to your system is also likely to come signed with the Microsoft keys; however, in this case you can put the Microsoft keys back before doing the update.

If pieces of your UEFI system do need to be signed, it might be possible to extract them and sign them with your key instead of Microsoft's, but I haven't yet found a system that needs this, so I don't really have much of an idea how to do it.

Remember to move your platform back to User Mode to enable secure boot before you exit KeyTool.
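The .esl files that the quoted procedure saves, builds with cert-to-efi-sig-list and later edits (removing a vendor's entries from db) are plain EFI_SIGNATURE_LIST structures from the UEFI spec. As an added example, not from the thread, the blog post or the efitools project, the block below builds a single-entry list the way cert-to-efi-sig-list -g <GUID> does, parses a variable that is a concatenation of lists, treats the empty noPK.esl case as a valid empty list, and rebuilds a blob without the entries a given owner GUID put there. The certificate bytes and owner GUIDs are constructed placeholders; a real db holds DER X.509 certificates.

```python
"""Build, parse and filter EFI Signature List (.esl) blobs.

Added example, not part of the thread, the quoted blog post or efitools.
Layout follows the UEFI spec's EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA.
The "certificates" below are constructed placeholders, not real DER.
"""
import struct
import uuid

# Signature type for X.509 certificates in PK/KEK/db (UEFI spec GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Fixed part of EFI_SIGNATURE_LIST: SignatureType GUID + three UINT32s
# (SignatureListSize, SignatureHeaderSize, SignatureSize), little-endian.
_LIST_HDR = struct.Struct("<16sIII")


def build_esl(cert_der: bytes, owner: uuid.UUID,
              sig_type: uuid.UUID = EFI_CERT_X509_GUID) -> bytes:
    """Wrap one certificate in a single-entry list (cert-to-efi-sig-list -g <owner>).

    Each EFI_SIGNATURE_DATA is SignatureOwner GUID || certificate bytes.
    UEFI stores GUIDs in mixed-endian form, which uuid's bytes_le yields.
    """
    sig_data = owner.bytes_le + cert_der      # one EFI_SIGNATURE_DATA
    sig_hdr_size = 0                          # X.509 lists carry no SignatureHeader
    list_size = _LIST_HDR.size + sig_hdr_size + len(sig_data)
    return _LIST_HDR.pack(sig_type.bytes_le, list_size, sig_hdr_size,
                          len(sig_data)) + sig_data


def parse_esl(blob: bytes) -> list:
    """Return (signature_type, owner, data) for every entry in every list.

    db and KEK are concatenations of lists, so walk until the blob ends.
    An empty blob (noPK.esl) is a valid, empty variable.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit the blob")
        body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def is_valid_esl(blob: bytes) -> bool:
    """True if the blob parses as zero or more well-formed signature lists."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


def drop_owner(blob: bytes, owner: uuid.UUID) -> bytes:
    """Rebuild the blob without entries whose SignatureOwner is `owner`.

    Programmatic form of "delete the keys a vendor put into db": each
    surviving entry is re-wrapped in its own single-entry list.
    """
    out = b""
    for sig_type, ent_owner, data in parse_esl(blob):
        if ent_owner != owner:
            out += build_esl(data, ent_owner, sig_type)
    return out


# Constructed inputs: placeholder "certificates" and owner GUIDs.
FAKE_PK_DER = b"\x30\x82\x00\x10" + b"\xaa" * 16    # not a real certificate
FAKE_VENDOR_DER = b"\x30\x82\x00\x08" + b"\xbb" * 8  # not a real certificate
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
VENDOR_OWNER = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")


def demo() -> dict:
    pk_esl = build_esl(FAKE_PK_DER, MY_OWNER)
    db_esl = build_esl(FAKE_VENDOR_DER, VENDOR_OWNER) + pk_esl
    return {
        "pk_len": len(pk_esl),
        "db_entries": len(parse_esl(db_esl)),
        "db_after_drop": [o for _, o, _ in parse_esl(drop_owner(db_esl, VENDOR_OWNER))],
        "nopk_entries": parse_esl(b""),
    }


if __name__ == "__main__":
    print(demo())
```

The .auth files the post goes on to create wrap an .esl in an EFI_VARIABLE_AUTHENTICATION_2 header with a PKCS#7 signature from the current PK (or KEK); that signing step is what sign-efi-sig-list does and is deliberately left out here, since the owner-GUID filtering above is only safe to apply to a variable you can then re-sign with a key the firmware already trusts.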

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044603)

you can load keys of your choice

That's actually what Linus is arguing FOR.

It's the people trying to hand the whole thing over to Microsoft he's yelling at.

Re:Oh, Linus; so adorable when you are angry. (0)

Anonymous Coward | about a year ago | (#43044937)

How's the weather in Redmond, Mr. Ballmer? You think Linus is ranting? That's no rant, THIS is a rant (Crocodile Dundee style). We see what you're doing, you evil bastards. You know how much everyone outside your campus hates W8, and I see your fear -- that people will, en masse, buy a computer, turn it on, say "WTF??" and start looking for an alternate OS. When word spreads that Windows has lacked features compared to all other OSes for a decade now, OEMs might stop paying the "microsoft tax". My experience with Windows (I've had Windows computers since about 1996, DOS before that) hasn't been a good one. W7 seemed to change that.

It seemed to be an OK OS, despite its shortcomings. It seemed far more stable and secure than previous versions of Windows, and the notebook it came on had pretty snappy performance. I bought two more of them for my grown daughters as Christmas presents a year ago; I'd had mine for a year. Despite my grumbling about Reboot Tuesday, I didn't install Linux on it, unlike my XP tower.

I absolutely hate rebooting a Windows computer. Ironically, I don't mind a Linux reboot but you only have to reboot a Linux computer if you want to update the kernel. I've had the Linux computer running for months at a time, and only shut it off when I want to save electricity. When I do power it down to install a new piece of hardware or upgrade the memory, when I power it back up, I don't need to enter the password or reopen all my files; the OS does that for me. Without touching anything but the power switch it's as if it had never been shut down.

I discovered last week why you people demand monthly reboots -- your OS is still an unstable pile of shit. My daughter's notebook started getting sluggish, then she said the firewall refused to start and she feared a virus. My other daughter suggested to her that she wipe and reinstall Windows. Bad move! The battery ran down during the reinstall and it hibernated, now it's completely bricked. When I power it up it says "Windows is starting services" (I'm thinking funeral services) and does nothing else after coming out of hibernation. Pressing the space bar to start it normally gives you the option, then goes right back to "starting services". F2 won't bring up the BIOS and the Linux installation thumb drive isn't recognized. Thanks, Microsoft, for being so god damned incompetent that you have an unbreakable infinite loop. Jesus, what moron wrote that shitty code??? A first year programming student knows better!

And, my notebook started getting flaky, not knowing whether or not it was hibernating, with the screen blacking out and the lights not going off and refusing to recognize the power button. When it flickered on for a minute I managed to shut it down. I feared a hardware failure. But after booting it back up, it was fine!

Stable, my ass. kubuntu is going on it this weekend. Note to OEMs who make laptops and tablets: if your wares have "secure" (lol) boot, you won't be getting my nerdy money.

And you, Mister Ballmer, can fucking go to hell. Actually, I'm sure you will, you evil man.

(mcgrew here, sorry I can't log in on this machine. Love that captcha... subdue)

This just in (-1, Offtopic)

sokoban (142301) | about a year ago | (#43044277)

Linus Torvalds sneezes. Early reports are that the discharge was clear with a slight yellow tinge.

Re:This just in (-1)

Anonymous Coward | about a year ago | (#43044345)

Any word on the approximate speed of the discharge?

Re:This just in (0)

Anonymous Coward | about a year ago | (#43044637)

About 50 BogoMips.

ONE WORD !! (-1)

Anonymous Coward | about a year ago | (#43044283)

Sequestration !!

Jury !!

Bravo Linus! (0)

Anonymous Coward | about a year ago | (#43044289)

Keep it up.

Re:Bravo Linus! (0, Insightful)

Anonymous Coward | about a year ago | (#43044351)

I recently bought a non-UEFI motherboard (while I still could). This may be my last x86 system, considering how UEFI effectively destroys choice, which is exactly what made the PC industry so great in the first place.

Re:Bravo Linus! (2, Insightful)

Anonymous Coward | about a year ago | (#43044407)

What a bunch of hyperbolic twaddle.

Re:Bravo Linus! (0)

Anonymous Coward | about a year ago | (#43045023)

That's funny, I have had tons of customers tell me the exact same thing in my shop. Now I have to tell them their opinion and outlook is twaddle.

I don't think they'll be pleased.

You moronic git.

Re:Bravo Linus! (0)

Anonymous Coward | about a year ago | (#43045109)

It's still twaddle no matter how many of your customers say it isn't. UEFI is far superior to BIOS in every technical manner. Is it a great solution? Probably not, but none of the customers in your shop will even understand why it's not great.

But it is unmistakably and undeniably better than BIOS in every way.

If your users dislike secure boot just tell them to turn it off or turn it off for them if your customers feel it's bad for them. Turn on legacy BIOS boot to go back to the 80s if you like. You DO know you can still boot your DOS floppies on UEFI machines right?

You really are truly the embodiment of aggressive knee jerk stupidity. You are wrong, but you are so entrenched in your wrongness you'll actually aggressively protect your ignorance.

I'm going to go ahead and assume you're probably religious too.

Twat

Re:Bravo Linus! (3, Insightful)

gradinaruvasile (2438470) | about a year ago | (#43044457)

Lol. Just disable "Secure Boot". That's your choice right there (AFAIK the disable option is in the Microsoft secure boot spec).
The issue is to run Linux WITH SECURE BOOT ENABLED.

Re:Bravo Linus! (0)

Anonymous Coward | about a year ago | (#43044889)

Lol, while it still can be disabled and hasn't slowly wormed its way to being a non-choice. Lol, 'k thanx, bye.

Re:Bravo Linus! (0)

Anonymous Coward | about a year ago | (#43045151)

They didn't disable it, but they didn't require it to be possible to enable either. Which is sort of the point. MS has a history of not properly testing for compliance with specifications and benefiting from people being unable to use their hardware on other OSes because the MS implementation isn't properly compatible with the spec.

Considering that MS requires it to be there and to be enabled, but doesn't require it to be able to be disabled, it would hardly be shocking if some implementations don't permit themselves to be disabled.

Re:Bravo Linus! (1)

Dunbal (464142) | about a year ago | (#43044465)

Can't you just turn off "secure boot" in the BIOS?

Re:Bravo Linus! (2, Informative)

Anonymous Coward | about a year ago | (#43044539)

You do, of course, realize that "UEFI" and "Secure Boot" are neither synonymous, nor mutually inclusive, right? UEFI has been replacing BIOS for almost a decade - obviously, you're a bit out of date when it comes to the state of desktop hardware. Secure Boot is just a single available setting in UEFI, and there's nothing in the current or proposed implementations that requires you to use it.

UEFI (-1)

Anonymous Coward | about a year ago | (#43044301)

> No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs

But only because everyone but no-one in the Linux community is an irrational anti-Microsoft zealot, not because this actually does anything at all to inconvenience Linux users.

Re:UEFI (1)

axujen (2854475) | about a year ago | (#43044353)

Stop trolling please.

Re:UEFI (1, Insightful)

Anonymous Coward | about a year ago | (#43044363)

You're a clueless M$ apologist. To begin with, UEFI is not the problem, but Micro$oft's "secure boot", which should rather be called restricted boot as it has nothing to do with security and everything to do with vendor lock-in. When a convicted monopolist starts something like this, people tend to take notice.

Q: So, what's wrong with Micro$oft?
A: How much time did you say you have? Try reading http://wayback.archive.org/web/20120116153542/http://www.msversus.org/ [archive.org] And then about OOXML and this "secure boot". If you're not lobotomized, you'll start to see a pattern. And it's not pretty.

The hate is real. But it's well motivated.

Re:UEFI (5, Insightful)

smpoole7 (1467717) | about a year ago | (#43044375)

> not because this actually does anything at all to inconvenience Linux users.

Ummm ... not necessarily. Linus is concerned about two things:

1. That a Microsoft-signed Linux secure boot key could be used to hack systems. Microsoft could disable the key, which would then disable *Linux* systems. We can argue about whether Microsoft would actually do this, but understandably, Linus isn't excited about placing that kind of power in anyone else's hands.

2. Linus also says, "Before loading any third-party module, you'd better make sure you ask the user for permission. On the console. Not using keys."

Linus can be a tyrant and an anus, but I like where his heart is at. The best quote is this: Linux's approach to UEFI is (again quoting) "based on REAL SECURITY and on PUTTING THE USER FIRST."

Agree or disagree, don't just dismiss this as the usual "Microsoft bashing." I'm not a Microsoft hater; we use their stuff alongside F/OSS all over our workplace. I prefer Linux, but I don't hate Microsoft. But I am very concerned about this whole UEFI thing and the way it's shaping up.

So is Linus ... and in his usual, inimitable fashion is telling everyone how he feels. :)

Re:UEFI (4, Informative)

AdamWill (604569) | about a year ago | (#43044561)

"That a Microsoft-signed Linux secure boot key could be used to hack systems. Microsoft could disable the key, which would then disable *Linux* systems. We can argue about whether Microsoft would actually do this, but understandably, Linus isn't excited about placing that kind of power in anyone else's hands."

You're actually reading Linus' argument exactly backwards.

Howells and Garrett argue that revocation is a significant possibility, _therefore_ we (distributions) need to do kernel module signing (because unsigned kernel modules are an attack vector against a Windows install on the same system). One strand of Torvalds' argument is that MS is never going to revoke any keys anyway, therefore we (distributions) don't need to bother. There are other strands to his argument, but that's how the revocation one goes. That's what http://marc.info/?l=linux-kernel&m=136185309010028&w=2 [marc.info] is about: key revocation is what he describes as an 'unlikely and bogus scenario'.

Re:UEFI (1)

serviscope_minor (664417) | about a year ago | (#43044663)

> Linus can be a tyrant and an anus, but I like where his heart is at.

He's an asshole, but an asshole that gets shit done.

Kidding aside...

> The best quote is this Linux's approach to UEFI is (again quoting), "based on REAL SECURITY and on PUTTING THE USER FIRST."

Indeed. Too many people seem to be focussing on the technical details and not on how this will actually work. UEFI can be OK (though I don't really see the improvement over Open Firmware or Coreboot, but that's another discussion).

Sure, you can disable the secureboot and you can add your own keys. And in theory, the board vendors can add keys from multiple authorities.

In practice, that's not how it will happen. What people want is to load an OS onto their computer with minimal fuss, which means having the signed bootloader, signed by Microsoft.

Even ignoring the implications of having Microsoft in particular in that position of power, having one organisation there is just not a good idea. All one has to do is look at the various hacks and cracks against big organisations and their cryptographic stuff (e.g. Sony's PS3 master key, HDCP, various SSL hacks) to see that even with the best of intentions security wise, they are just not trustworthy.

Re:UEFI (1)

blueg3 (192743) | about a year ago | (#43044675)

> Microsoft could disable the key, which would then disable *Linux* systems.

Future Linux systems, until a new key is obtained. Unless you're suggesting that Secure Boot will connect to the Internet to obtain a CRL.

Re:UEFI (0)

Anonymous Coward | about a year ago | (#43045015)

> Future Linux systems, until a new key is obtained. Unless you're suggesting that Secure Boot will connect to the Internet to obtain a CRL.

What do you think will happen when Windows Update runs on the Windows 8 install on the other partition?

Funny (1)

DaMattster (977781) | about a year ago | (#43044339)

People aren't scrambling to get Windows 8. Shall we chalk Windows 8 up to another Microsoft failure (much like Vista and ME)?

Re:Funny (0)

Anonymous Coward | about a year ago | (#43044387)

Why? Large swathes of the consumer and enterprise markets don't "scramble" to buy the latest OS, they wait to see how it does and what the early adopters' problems are. There's a good chunk of people who don't buy a Windows OS until after it has its first service pack.

Re:Funny (1)

gmuslera (3436) | about a year ago | (#43044501)

Or getting big enough numbers of bricked Windows 8 machines because of the kind of BIOS messes that Samsung made with secure boot.

Re:Funny (0)

Anonymous Coward | about a year ago | (#43044449)

Windows 8 was selling pretty well; it comes on most new PCs and a lot of people have upgraded. What's not happening is that the majority of Win7 users are not upgrading: their OS works just fine and the (braindead) changes made for Win8 are somewhat discouraging. MS recently killed the upgrade path by raising the price of doing so by 400%. That's a bit short-sighted; there's no need for $200 OS updates in 2013, when you can buy a perfectly usable (basic) laptop for $350.

Re:Funny (3, Insightful)

Dunbal (464142) | about a year ago | (#43044483)

They're not adopting Windows 8 because on the whole, Windows 8 sucks or doesn't offer a compelling reason to upgrade. That does not mean that Microsoft will remove secure boot from future operating systems, since most of the drones have no idea at all what it means or what it does, and don't care. If their $500 computer stops working they say "it had a virus" and throw it away and buy another one.

Challenge in court? (0)

Anonymous Coward | about a year ago | (#43044361)

Wouldn't it be better to stop taking it up the ass from Microsoft and challenge them in court? Considering Microsoft were successfully litigated against over browser bundling, I'm sure the OSS community would have an even stronger case with Secure Boot. Microsoft's OEM stranglehold is so 1998. Now that the Linux kernel is everywhere, surely we have a much stronger case against Ballmer and his shills.

Re:Challenge in court? (3, Insightful)

dkleinsc (563838) | about a year ago | (#43044399)

> Microsoft's OEM stranglehold is so 1998. Now the Linux kernel is everywhere surely we now have a much stronger case against Ballmer and his shills.

See, you're misunderstanding that: Microsoft made two mistakes that caused that lawsuit. The first was browser bundling. The second was failing to grease the right palms in Washington. They learned their lesson, began giving out the campaign donations, and all of a sudden the case went from seriously considering the breakup of the OS and application divisions to a settlement that amounted to a slap on the wrist.

My take is that we're probably going to end up with instructions on how to disable secure boot, but it may involve soldering or other physical modifications.

Re:Challenge in court? (0)

Anonymous Coward | about a year ago | (#43044427)

and voiding any warranty on the hardware

Re:Challenge in court? (2)

gradinaruvasile (2438470) | about a year ago | (#43044511)

Go into the UEFI/BIOS, select disable secure boot/use BIOS compatibility mode or whatever this is labeled on that particular firmware.

And if it didn't have one, you get your money back (0)

Anonymous Coward | about a year ago | (#43044705)

And if it didn't have one, you get your money back, including your P&P costs?

No, you won't.

And it won't be on the "Specifications" screen, either. So you'll buy it, find it doesn't work, return it and find you're still down for 80% of the cost of the motherboard because you had to pay for P&P both ways.

And there's no way to write down on your purchase order that you want to be able to install Linux on it, or turn off Secure Boot.

Re:Challenge in court? (1)

Jerry Atrick (2461566) | about a year ago | (#43044879)

Which is great until you boot into the legacy BIOS setup and find just 1 option - Enable UEFI. Only seen one claim for that so far but it would be foolish to think this won't happen, it's not forbidden by Microsoft rules.

If you're lucky that board will work with all your hardware without tweaking any settings. If you're really lucky they'll update the legacy firmware side with fixes and new hardware support and won't just orphan it.

Do you feel lucky, punk?

Re:Challenge in court? (3, Insightful)

Hatta (162192) | about a year ago | (#43045181)

> The second was failing to grease the right palms in Washington. They learned their lesson, began giving out the campaign donations, and all of a sudden the case went from seriously considering the breakup of the OS and application divisions to a settlement that amounted to a slap on the wrist.

Quoted for emphasis. Microsoft dramatically increased their campaign contributions at the same time they were being prosecuted by the DOJ. It's a perfect example of how corrupt this government has been for decades.

Re:Challenge in court? (0)

Anonymous Coward | about a year ago | (#43044459)

On what grounds? Microsoft doesn't control Secure Boot licensing - they're offering it through themselves, but you can still go out and get your own key. You don't even have to use the feature, it can be disabled in the UEFI (read: "BIOS") settings. The "slippery slope" isn't even a rational argument, let alone a solid legal case - you can't sue Microsoft because you're worried they might, maybe, possible, some day in the future abuse Secure Boot by asking OEMs to make it more restrictive. There's nothing actionable about it, by any stretch of the imagination.

Re:Challenge in court? (0)

Anonymous Coward | about a year ago | (#43044505)

possibly*

Just had to get this out... (-1)

Anonymous Coward | about a year ago | (#43044385)

I was always getting bullied and was constantly ditching school as a result. Finally my parents removed me from the public school system and put me in an alternative school. It was the beginning of eighth grade, I had no friends and the school was full of gangsters and bullies. This one kid named Chris acted like my friend and brought me to his house after school where he taught me to sniff glue and huff freon. Sometimes, when he could get it, we would smoke pot. Sometimes when we were high Chris would slap me, choke me, push me down, call me his "little bitch." I was scared and didn't fight back.

One day when we were high, he told me that I had to pay him back for all he had done for me. To make a long story short, he made me dress up in his mom's clothing and then he proceeded to rape me anally. After that, it became a daily occurrence. After school he would force walk me to his house where I would have to get dressed up for him; clothing, make-up, wig, etc. He then had me perform oral sex on him and had anal sex with me. It was painful and humiliating.

There is not really any more to the story. It went on for a while but Chris's family eventually moved away. It is just a secret that I have to keep. It sucks.

Microsoft and patents. (5, Insightful)

Anonymous Coward | about a year ago | (#43044393)

Could Microsoft refuse to sign a UEFI binary because it violated their patents? If so, this could be a way to get everyone using Linux to pay them.

Basically, no love for proprietary kernel modules. (1)

fustakrakich (1673220) | about a year ago | (#43044395)

Yeah, and? You say that like it's a bad thing.

Eh, once 3D printers come with their own smelters (throw a pile of rocks in the bin and the machine will sort it out.), this won't be a problem anymore.

Re:Basically, no love for proprietary kernel modul (0)

Anonymous Coward | about a year ago | (#43045131)

Yeah, and transporters and warp drives too! Gee golly.

Face it (0)

Anonymous Coward | about a year ago | (#43044437)

Linus Torvalds is the Kanye West of the open source community. He needs to calm down or risk making the entire community look like angry little boys. Yelling every time you're upset is unprofessional and no way to work with people.

I'll wait for the Dualboot Unified EFI (1)

Anonymous Coward | about a year ago | (#43044439)

Pronounced "doofy"

I have a better idea... (5, Interesting)

pla (258480) | about a year ago | (#43044443)

Instead of screwing around with politics, I have a much better idea...

Replace the kernel idle loop with a UEFI signing key cracker. Let it chow down on Microsoft's key.

Re:I have a better idea... (0)

Anonymous Coward | about a year ago | (#43045065)

That is not very energy conscious of you.
The standard idle loop in Linux executes the HLT instruction which makes the CPU stop processing new instructions until an interrupt occurs.

Re:I have a better idea... (1)

Anonymous Coward | about a year ago | (#43045117)

Yeah because battery life on my Linux power laptop was already just amazing....

infection (0)

Anonymous Coward | about a year ago | (#43044467)

The surgeon general warns that MS is an infectious cunt.

Picture a 60 year old crack whore who has been turning tricks in the ghetto for 45 years. Would you fuck it? That's what you're doing when you deal with microsoft. If you don't want your penis to rot away, then don't fuck crack whores, and don't run Micro$oft.

Re:infection (0)

Anonymous Coward | about a year ago | (#43044875)

While MS is a truly horrible disease, it is not actually infectious at all; nor is it sexually-transmitted.

Whitehouse Petition (4, Insightful)

DaMattster (977781) | about a year ago | (#43044479)

I think this entire issue needs to be looked at by the Attorney General and Federal Trade Commission. The SecureBoot UEFI is nothing more than a form of vendor lock-in, cleverly (or not so much) disguised as a security innovation. Please sign my petition and spread the word: http://wh.gov/wHLq [wh.gov]

Re:Whitehouse Petition (4, Interesting)

Anonymous Coward | about a year ago | (#43044613)

Judging by your petition, it sounds like you don't even understand what UEFI is. You just use the phrase "SecureBoot UEFI" repeatedly. Secure Boot is an option in UEFI, which is a replacement for BIOS. Microsoft also requires that vendors make this feature able to be disabled, and allow users to load other, non-Microsoft keys, so your claim that it makes it "difficult, if not impossible to run other OSes" is false. Your silly petition demonstrates a failure to understand the actual issue, and makes factually incorrect and exaggerated claims. You clearly don't understand what's going on.

Re:Whitehouse Petition (0)

Anonymous Coward | about a year ago | (#43044617)

Good luck with that who is the "other" person to sign ?

Re:Whitehouse Petition (0)

Anonymous Coward | about a year ago | (#43044881)

Perhaps it's Mr "I can't use punctuation such as commas, spaces etc correctly"?

Re:Whitehouse Petition (1)

Bigby (659157) | about a year ago | (#43045203)

How ironic

Microsoft (5, Insightful)

Anonymous Coward | about a year ago | (#43044503)

Microsoft = small, soft

Their business model has outgrown the company name. They are big and hard. So big, that they can get by with some shit like this. Hard because their head is hard.

Them getting with the hardware designers and creating this secure boot shit, just so it's harder for pirates to pirate a copy of windows8, is the same thing as GM getting with the folks that make roads, and have them install a switch that can disable ALL CARS if GM decides. GM can just state, "What if a GM car is stolen? How are we supposed to be expected to recover the losses?"

So here is another car manufacturer saying that he's not willing to put the GM parts into his cars. That's all. Our world's problems are getting so stupid, that it's sorta hard to tell/believe what's going on.

I think everyone should read the lyrics to "Wish You Were Here" by Pink Floyd. Or maybe another band should release a song called "I wish we weren't here". Again, hard to tell...

No one? (3, Funny)

serviscope_minor (664417) | about a year ago | (#43044545)

> No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs.

I don't believe this. There's always one lunatic out there so in love with Microsoft "technologies" that they'll love this. Miguel?

Re:No one? (0)

Anonymous Coward | about a year ago | (#43044867)

Yes, let's rag on the one person who has done more for Linux than the collective people reading this story ever have or can in the future.

Proof required. (0)

Anonymous Coward | about a year ago | (#43044567)

"No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs"

Proof required.

And I could just as easily call the Tivo requiring a SIGNED BOOT to run linux that only Tivo can give out as PRECISELY THE SAME THING. But apparently, for no reason, "the linux community" doesn't mind this.

I guess the new anon cow defines "the linux community" as "those who like Tivo signed bootloaders and hate Microsoft signed bootloaders".

Re:Proof required. (0)

Anonymous Coward | about a year ago | (#43044677)

> I guess the new anon cow defines "the linux community" as "those who like Tivo signed bootloaders

It was actually the author of TFA who said "but no one...". It should've been attributed by the summary.

Re:Proof required. (1)

ChunderDownunder (709234) | about a year ago | (#43044759)

What the? Do a search for 'tivoization'. It's a sticking point between Linus and RMS regarding GPLv3.

Want to know why Nexus phones are so popular? Because historically numerous Android vendors supplied locked bootloaders, so if you wanted to install Cyanogenmod on them you required an exploit and even then couldn't compile your own kernel.

no one, but no one (-1)

Anonymous Coward | about a year ago | (#43044595)

"but no one"? Are you all a bunch of fucking fags or something?

woohoo! (5, Insightful)

Sloppy (14984) | about a year ago | (#43044661)

Somebody gets it:

> encourage things like per-host random keys - with the stupid UEFI checks disabled entirely if required. They are almost certainly going to be *more* secure than depending on some crazy root of trust based on a big company, with key signing authorities that trust anybody with a credit card. Try to teach people about things like that instead. Encourage people to do their own (random) keys, and adding those to their UEFI setups (or not: the whole UEFI thing is more about control than security)

Imagine if someone invented a protocol like ssh, but then suggested that of course, nobody should be able to use it except in situations where a host's key is signed by one of the global CAs, like we do on the web except without the possibility of self-signing or for new CAs to enter the market.

Nobody would call that "secure." They would call it a joke which goes out of its way to be less secure, by deliberately adding an untrustable link. And the fix to such a protocol would be obvious. Well, that's just what Linus did in the above paragraph: he told you how to turn SecureBoot from "just plain stupid" into "decent even if still mostly useless."

No goatse? (1)

dimeglio (456244) | about a year ago | (#43045061)

I was expecting the link to take me to a goatse image. Maybe the article is really just a euphemism.

GNU/Linux users now have a 'golden opportunity' (1)

ikhider (2837593) | about a year ago | (#43045121)

Now there is less reason than ever to buy laptops and computers pre-installed with the Windows operating system and to be made to pay the Windows tax. We can now turn to manufacturers that offer Linux-based machines out of the box such as ThinkPenguin, Lemote, and System 76. Add to that, even companies like HP and Dell (still?) offer pre-installed Linux machines. Previously, gamers needed Windows to run games, but now companies like Steam Valve make that a moot point. As Microsoft resorts to more aggressive tactics to ensure only their product can run on computers, we simply need no longer support manufacturers who bow to their whim. Consumers need choice and freedom and Microsoft will not facilitate this, nor will manufacturers who force people to pay for the Windows OS even though the Microsoft EULA states the consumer can get a refund if s/he does not agree to the terms and conditions. It's time the users of alternate operating systems created and supported their own ecosystem.