LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   "Linux Developers Step Up to the Secure Boot Challenge" (http://www.linuxquestions.org/questions/linux-general-1/linux-developers-step-up-to-the-secure-boot-challenge-4175417476/)

onebuck 07-18-2012 06:41 PM

"Linux Developers Step Up to the Secure Boot Challenge"
 
Hi,

"Linux Developers Step Up to the Secure Boot Challenge" is a good attempt at solving the 'Secure Boot' issue for Gnu/Linux.

Sure it is early but people are working on a solution.

Another good article: Linux and Windows 8's Secure Boot: What We Know So Far


Other useful links in Links for Helpful Linux articles & books

TobiSGD 07-18-2012 06:52 PM

Good to have tools for signing bootloaders, but I don't get what Tianocore is for. Anyone able to explain that to me?

chrism01 07-18-2012 08:13 PM

Am I misunderstanding your qn?
Quote:

Intel's Tianocore, which is an open source implementation of the Unified Extensible Firmware Interface (UEFI).

The Intel Tianocore project just recently added the Secure Boot facility to its UEFI ROM images, he noted.
https://www.pcworld.com/businesscent...challenge.html
See also http://sourceforge.net/apps/mediawik...?title=Welcome

TobiSGD 07-18-2012 09:02 PM

OK, so now we have an open source implementation of UEFI, including Secure Boot. But what is it good for? Can I replace the UEFI on my motherboard with it? And how does having an open source implementation of Secure Boot change things for Linux? That is what I don't get.

ReaperX7 07-18-2012 11:56 PM

It kinda seems to state that even if SecureBoot is enabled on a PC, they are working on developing a SecureBoot key for Linux systems to use SecureBoot without a workaround.

That's what I gathered...

TobiSGD 07-19-2012 05:27 AM

But you don't need a workaround for Secure Boot. It works for Linux.

sundialsvcs 07-19-2012 08:43 AM

Well, we obviously do need computer systems whose "hardware software" layer is cryptographically protectable, for the same reason that we now understand the importance of cryptographically signed applications and operating-system components. The trick of it, though, is that such technologies must not be proprietary: owned by one company and known only to them, regardless of the reasoning (or the patents) given.

If you've ever seen a Linux system that was "root-kitted," you know firsthand that penetration of a system can be done very deep ... beneath, indeed, the operating-system layer upon which we routinely hang the hat of security. There's a genuine need for this kind of technology in modern computer systems. But, it can't be owned by Microsoft, by Apple, or by anyone else. And, it can't rely on secrets. To do any of these things would be to defeat its purpose. (But try telling an IP lawyer that!)

onebuck 07-20-2012 09:49 AM

Member Response
 
Hi,

Software/Hardware protection is not new. Early OS provided protections to prevent both intentional and accidental changes. I do remember signing several different legal agreements for AIX and UNIX to allow tweaking of a OS by the end user. This was not taken lightly at the time.

I personally can understand Microsoft's position with 'secure boot'. Some look at it as locking out. I look at it as securing the system. You are not being forced to purchase the equipment & software. Buy something else! The argument that I purchased the equipment therefore it's mine to do as I wish doesn't wash. Purchasing a piece of hardware with a known control that prevents augmentation of software unless you make the changes through the certified vendor is just that: You purchased with known restrictions thus no way to change it without major hacks thus violating the original agreement. Create a brick and you have a large door stop.

brianL 07-20-2012 11:22 AM

Gary
It's not so often that I agree with you, and this time is no exception. :) It may be OK for Microsoft to dictate what I can do with their software, after all I've only bought a license to use it, and not bought it outright. But they should have no power to dictate or enforce what I use on my hardware. It might suit you to have limited choice, and say "buy something else", but some of us prefer to be less constrained. As far as most ARM devices go, it could very well become "locking out", if Microsoft get their way. Don't give them the thin end of the wedge. They couldn't care less about you, only profits.

TobiSGD 07-20-2012 12:59 PM

What I see in discussions about Secure Boot and Microsoft is that most people that have a negative opinion about this have most of their knowledge from FUD spreading bloggers.
Some simple facts: Every x86 mainboard/PC that wants to get the Windows 8 logo has to have options in the firmware that allow the users to disable Secure Boot and, if they don't want to disable it, to add their own custom keys. It may sound ironical, but if you buy x86 hardware with Windows 8 logo you can be sure that any Linux distribution will run on it without major problems.
If you look at ARM hardware, most of the devices that you can buy now are already locked, without Microsoft being in the game. So why is it different if Microsoft does it also?

brianL 07-20-2012 01:51 PM

Yeah, maybe it's FUD. Maybe I'm being paranoid to mistrust Microsoft and anything they're keen on implementing. Maybe their boss never likened Linux to a cancer.
From:
http://technet.microsoft.com/library/hh824987.aspx
Quote:

Secure Boot is a feature that helps prevent unauthorized firmware, operating systems, or UEFI drivers (also known as Option ROMs) from running at boot time. Secure Boot does this by maintaining databases of software signers and software images that are pre-approved to run on the individual computer.
Who, besides Microsoft, decides what is unauthorized firmware and operating systems? Which operating systems and firmware are "unauthorized"?

TobiSGD 07-20-2012 04:18 PM

Quote:

Originally Posted by brianL (Post 4733958)
Maybe their boss never likened Linux to a cancer.

Of course he did. In the 90's.

Quote:

Who, besides Microsoft, decides what is unauthorized firmware and operating systems?
As I stated in my last post, the user does.
Quote:

Which operating systems and firmware are "unauthorized"?
All those that you have not authorized. Just in the case you simply don't just disable Secure Boot and don't have to bother at all.

brianL 07-20-2012 04:47 PM

The user, me, already decides which operating system and firmware is installed on my computer. And I hope this will be the case in future, without interference of any kind. Especially interference from would-be monopolies with dubious business ethics. So what's new?

jefro 07-20-2012 05:09 PM

Linux has always had problems. Simple things that people take for granted now were show stoppers before. Take the WinModem problem. Dunno how many people only had dialup and didn't want to spend the money for a hardware modem.

This entire boot and bios deal will be solved one way or another. It is not an evil empire deal, just something linux users need to learn and use.

TobiSGD 07-20-2012 05:27 PM

Quote:

Originally Posted by brianL (Post 4734092)
So what's new?

New is that you as the user can sign your OS to make sure that it is really your decision (and not the decision of a rootkit) what can run on your system.


All times are GMT -5. The time now is 04:42 AM.