"Linux Developers Step Up to the Secure Boot Challenge"
Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
It is all about control, who control who through what. It is their brand new control toy for sure, don't be naive, even if they say, "oh you can disable it", that is just a ground been prepared for later on. Every coin has 3 sides, and people normally don't pay attention to the 3rd side. Threats aren't to be detect, until is too late. Fences are been built around, you can see through it but if you jump over it well...
Then the fences get electricity, barbwire, you name it. At the end you will be locked, in or out, still locked.
"Lets control the computers, the internet, so the people will be controlled too." That is their(governments, corporations) plan, if you can't see it, you have been controlled already.
If Microsoft wants UEFI then so be it. There will be countless ways to bypass this, since security is not a strong point of this company. And how can one pretend UEFI is for security reasons anyway? They simply try to lower the piracy rate of their systems which is a total failure.
Furthermore, no one should be able to decide what's best for you. You pay for a PC and you should be able to do whatever you want with it, that includes installing a malware filled system. You do it at your own risk.
Once again, UEFI is not the same as Secure Boot. Also, Secure Boot can not be used to prevent piracy, since the copied bootloader is still signed. By the way, it is their good right to prevent people from circumventing their license. If you don't agree with that license than don't use it, in the same way you are not allowed to circumvent any other license,like the GPL.
Besides that is it a non-sense argument that it is your right to install a malware filled system. Don't get me wrong, if you want you can do that, but then disconnect that machine from the net, so that it doesn't fill our mail accounts with spam or is used to attack our servers.
If Microsoft wants UEFI then so be it. There will be countless ways to bypass this, since security is not a strong point of this company. And how can one pretend UEFI is for security reasons anyway? They simply try to lower the piracy rate of their systems which is a total failure.
Furthermore, no one should be able to decide what's best for you. You pay for a PC and you should be able to do whatever you want with it, that includes installing a malware filled system. You do it at your own risk.
The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI is meant as a replacement for the BIOS firmware interface, present in all IBM PC-compatiblepersonal computers.[1][2] In practice, most UEFI images have legacy support for BIOS services. It can be used to allow remote diagnostics and repair of computers, even without another operating system. [3]
The original EFI (Extensible Firmware Interface) specification was developed by Intel. Some of its practices and data formats mirror ones from Windows.[4][5] In 2005, UEFI deprecated EFI 1.10 (final release of EFI). The UEFI specification is managed by the Unified EFI Forum.
FUD definition jargon
/fuhd/ An acronym invented by Gene Amdahl after he left IBM to found his own company: "FUD is the fear, uncertainty, and doubt that IBM sales people instill in the minds of potential customers who might be considering [Amdahl] products." The idea, of course, was to persuade them to go with safe IBM gear rather than with competitors' equipment. This implicit coercion was traditionally accomplished by promising that Good Things would happen to people who stuck with IBM, but Dark Shadows loomed over the future of competitors' equipment or software.
[Jargon File]
(1995-05-23)
I'm not trying to spread FUD or anything. I'm not an expert on the subject but according to Wikipedia:
Quote:
The UEFI 2.2 specification adds a protocol known as Secure boot, which can secure the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature. When secure boot is enabled, it is initially placed in "Setup" mode, which allows a public key known as the "Platform key" (PK) to be written to the firmware. Once the key is written, secure boot enters "User" mode, where only drivers and loaders signed with the platform key can be loaded by the firmware. Additional "Key Exchange Keys" (KEK) can be added to a database stored in memory to allow other certificates to be used, but they must still have a connection to the private portion of the Platform key. Secure boot can also be placed in "Custom" mode, where additional public keys can be added to the system that do not match the private key.
So from what I understand so far BIOS is too primitive to have a feature like secure boot implemented so they needed a replacement.
UEFI is far older than Secure Boot, so no, UEFI was not invented with the intention to years later implement Secure Boot.
I didnt said UEFI was invented for secure boot. What I meant is that they figured out UEFI is much more advanced than BIOS ( and by all means it should be, considering the age of BIOS ) and so the replacement process began.
Anyway, we'll have to wait and see what happens, but I'm afraid that this won't end here.
My last post was removed and/or I was reprimanded by
the moderator God, for something or other which I think
He didn't understand. Sarcasm with intelligence, for example,
is communication. This topic deserves repeats from every side in
my stupid opinion, sir, because it relates to the future of
Linux for Everyman.
This is what He, and many, don't get:
There is a reason to hope that Linux will be popular
outside of *nix professionals. It gives us a lot of levers.
However, that requires easy access to Linux on new, dumb-bought
machines, by ordinary joes. <=
I probably am disqualifying myself right here by mentioning
this but I am artist. My main thing. But however (long story)
I also have enjoyed the UNIX line since version 7, at a
Canadian university.
The thing is, there are still at least two sorts
of people - ones who are comfortable with techie things,
and those who would really rather not. There is a complicated
continuous conversation here as you realize.
The thing is, if we want the levers (for Openness and
Goodness) that Linux will potentially give us still, it at
least has to continue to have it's current popularity,
-> OUTSIDE of the community that can compile and
do any whiz thing necessary to get what
they want.
i.e. Dumb guys like me have to have a way.
And that's what -so far- it looks like Windows 8
and the bloody greedy vendors .. are going
to do.
Close the "civilian" users of Linux free "market".
For instance, I no doubt will be fine, but how am I going
to support Linux for dummies, if that's what I might
make money on, when the possibility evaporates?
Somebody said somewhere that no one has stepped
up to the plate to do a UEFI boot for us all.
Or I hallucinated again.
I think, at the very least, that this issue is a real
sore soreness, and should stay alive, and am kind
of pissed that Linuxers should shut me up when
it's kind of important.
My last post was removed and/or I was reprimanded by
the moderator God, for something or other which I think
He didn't understand. Sarcasm with intelligence, for example,
is communication. This topic deserves repeats from every side in
my stupid opinion, sir, because it relates to the future of
Linux for Everyman.
Your post was removed because of the failure to edit & remove the masked vulgarity. Plus you were in violation;
Quote:
Please do not form attacks or form posts with the intent of baiting to start a flame war. Be respectful with your post.
You were given the opportunity to edit & revise your post. When you did not then the post was deleted for not abiding the LQR.
Quote:
Originally Posted by Yukon
This is what He, and many, don't get:
There is a reason to hope that Linux will be popular
outside of *nix professionals. It gives us a lot of levers.
I do understand the proper use of 'UEFI' protocol. Too much 'FUD' and rumors that misstate the facts to suit their argument or to the their understanding(s) thus causing issues.
Quote:
Originally Posted by Yukon
However, that requires easy access to Linux on new, dumb-bought
machines, by ordinary joes. <=
Your views are not clear. Documentation is available to help ordinary 'joes' to understand what and how someone can use a 'UEFI' based machine.
Quote:
Originally Posted by Yukon
I probably am disqualifying myself right here by mentioning
this but I am artist. My main thing. But however (long story)
I also have enjoyed the UNIX line since version 7, at a
Canadian university.
I do not see how that will dis-qualify you.
Quote:
Originally Posted by Yukon
The thing is, there are still at least two sorts
of people - ones who are comfortable with techie things,
and those who would really rather not. There is a complicated
continuous conversation here as you realize.
Then maybe stick with turn key equipment. If you are not willing to learn how to use the newer systems with protocol changes then it will be difficult.
Quote:
Originally Posted by Yukon
The thing is, if we want the levers (for Openness and
Goodness) that Linux will potentially give us still, it at
least has to continue to have it's current popularity,
I really do not see an issue. Informed users will continue to use equipment with Gnu/Linux.
Quote:
Originally Posted by Yukon
-> OUTSIDE of the community that can compile and
do any whiz thing necessary to get what
they want.
Review the documentation available so you will be informed.
Quote:
Originally Posted by Yukon
i.e. Dumb guys like me have to have a way.
And that's what -so far- it looks like Windows 8
and the bloody greedy vendors .. are going
to do.
Only if you and people like you will not inform so that the ability to perform will evolve.
Quote:
Originally Posted by Yukon
Close the "civilian" users of Linux free "market".
For instance, I no doubt will be fine, but how am I going
to support Linux for dummies, if that's what I might
make money on, when the possibility evaporates?
False fear(s), you will always have *buntu like Gnu/Linux available to hold your hand thus limit abilities. Yet, you will be able to use a Gnu/Linux.
Quote:
Originally Posted by Yukon
Somebody said somewhere that no one has stepped
up to the plate to do a UEFI boot for us all.
Or I hallucinated again.
There you go again! Someone passes 'FUD', you believe it thus pass it on. 'UEFI' with a Gnu/Linux is doable. No issues! Do us all a favor and do some searching or read some of the previous linked information for 'UEFI' within this thread.
Quote:
Originally Posted by Yukon
I think, at the very least, that this issue is a real
sore soreness, and should stay alive, and am kind
of pissed that Linuxers should shut me up when
it's kind of important.
-jae
No one is shutting you up! You are not informed nor tooled to understand 'UEFI'. Spend a little time reading the protocol(s) for 'EFI' then for 'UEFI' so when you do present information then it will be formed and reliable information. Look at 'UEFI_Home';
Quote:
Unified EFI Forum:
UEFI is a community effort by many companies in the personal-computer industry to modernize the booting process. UEFI capable systems are already shipping, and many more are in preparation. During the transition to UEFI, most platform firmware will continue to support legacy (BIOS) booting as well, to accommodate legacy-only operating systems.
UEFI stands for "Unified Extensible Firmware Interface". The UEFI specification defines a new model for the interface between personal-computer operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications.
The Unified EFI Forum is the group responsible for developing, managing and promoting UEFI specifications. Further information about the UEFI specification and membership opportunities can be found throughout this Web site. The "Adopter" membership category is free. For additional information please contact UEFI Administration.
Overview The Unified EFI Forum is a non-profit collaborative trade organization formed to promote and manage the UEFI standard. As an evolving standard, the UEFI specification is driven by contributions and support from member companies of the UEFI Forum.
The UEFI Forum board of directors include representatives from the following eleven leading companies:
With support and innovation from all UEFI Forum member companies, work is being done continually to evolve the UEFI specification to meet industry needs.
If you wish to dig deeper then look at 'UEFI_Specifications'. When & if you do not understand something then post a query here.
Someone will help you to understand once you inform and re-learn why 'UEFI' is necessary.
Well, let's just skip this rambling talk, that's off-subject anyhow, and stick to subject: what are the technical requirements for getting Linux to respect the secure-boot protocols, and where does Linux now stand in fulfilling them?
The exploits of Microsoft Windows that have occurred are legend: root-kitting the entire system, reprogramming the Flash ROMs on the mobo ... as thorough and complete an "exploit" as an "exploit" could possibly be.
It's no accident that there are NTFS drivers for MS-DOS. Boot up the ol' command-prompt of yesteryear, if the computer will allow you to easily do it i.e. without removing the thing from the rack and opening it up, and you can do any damm thing you want with that supposedly "secure" machine. No one's paying attention to you at 3:30 AM. No one knows you're an industrial spy or saboteur ... and no one will easily be able to detect what you have done. They will go on, maybe for years, supposing that their machines are uncompromised. The invisible Trojan Horse.
And so, people are just as interested in making sure that their production Linux systems cannot be easily exploited in this way, as they are with their Microsoft and Apple operating-systems and for precisely the same good reasons.
So ... let's just put the kibosh on off-topic diatribes about conspiracy theories, as often as necessary, and follow the progress of the Secure Boot support in Linux. Thatsupport, done correctly, is necessary to everyone concerned.
No, UEFI won't be impenetrable. Nothing is. But Master Padlock Company made millions selling devices that can be opened with the help of a soft-drink can, because they worked. The existence of the security alone is a deterrent, and Linux must support it correctly also, for those sites who wish to use it.
Last edited by sundialsvcs; 10-12-2012 at 08:54 AM.
So ... let's just put the kibosh on off-topic diatribes about conspiracy theories, as often as necessary, and follow the progress of the Secure Boot support in Linux. Thatsupport, done correctly, is necessary to everyone concerned.
... and this does seem to be a pragmatic solution to the matter. If you want to use hardware in your shop that implements this protection, then this solution extends that protection to cover your Linux systems while avoiding actual changes to the plentitude of Linux systems that already exist -- both within your shop and elsewhere.
It will be interesting to see how long this strategy lasts, because I can see rather obvious holes in it unless a particular operating-system image can be keyed to a device. It won't take very long for various "properly keyed" OS images to show up: of necessity, software-service and sysadmin-defribillator discs will have to have the proper keys on them. And when this happens, I suspect that we will be right back where we started from. This whole concept is really trying to tiptoe along a very delicate line between "secure" and "maintainable," and the jury might still be out as to where that line will actually turn out to be located.
I don't get how can it be a new standard, which favors one OS, and puts obstacles for the other. Yes, there is a workaround by cutting a deal with M$ and obtaining their key - wow, is that the best that can be done.
And I don't think that leaving some users at the mercy of *buntu like Gnu/Linux is a right thing to do, just because they're not techie enough. Besides I don't trust *buntu as I don't trust M$.
Quote:
"I fully understand that Red Hat and Canonical won't be doing the right thing, they are traitors to the cause, mostly in it for the money and power. They want to be the new Microsoft." - Theo de Raadt
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.