"Linux Developers Step Up to the Secure Boot Challenge"
Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
OK, so now we have an open source implementation of UEFI, including Secure Boot. But what is it good for? Can I replace the UEFI on my motherboard with it? And how does having an open source implementation of Secure Boot change things for Linux? That is what I don't get.
It kinda seems to state that even if SecureBoot is enabled on a PC, they are working on developing a SecureBoot key for Linux systems to use SecureBoot without a workaround.
Well, we obviously do need computer systems whose "hardware software" layer is cryptographically protectable, for the same reason that we now understand the importance of cryptographically signed applications and operating-system components. The trick of it, though, is that such technologies must not be proprietary: owned by one company and known only to them, regardless of the reasoning (or the patents) given.
If you've ever seen a Linux system that was "root-kitted," you know firsthand that penetration of a system can be done very deep ... beneath, indeed, the operating-system layer upon which we routinely hang the hat of security. There's a genuine need for this kind of technology in modern computer systems. But, it can't be owned by Microsoft, by Apple, or by anyone else. And, it can't rely on secrets. To do any of these things would be to defeat its purpose. (But try telling an IP lawyer that!)
Software/Hardware protection is not new. Early OS provided protections to prevent both intentional and accidental changes. I do remember signing several different legal agreements for AIX and UNIX to allow tweaking of a OS by the end user. This was not taken lightly at the time.
I personally can understand Microsoft's position with 'secure boot'. Some look at it as locking out. I look at it as securing the system. You are not being forced to purchase the equipment & software. Buy something else! The argument that I purchased the equipment therefore it's mine to do as I wish doesn't wash. Purchasing a piece of hardware with a known control that prevents augmentation of software unless you make the changes through the certified vendor is just that: You purchased with known restrictions thus no way to change it without major hacks thus violating the original agreement. Create a brick and you have a large door stop.
Gary
It's not so often that I agree with you, and this time is no exception. It may be OK for Microsoft to dictate what I can do with their software, after all I've only bought a license to use it, and not bought it outright. But they should have no power to dictate or enforce what I use on my hardware. It might suit you to have limited choice, and say "buy something else", but some of us prefer to be less constrained. As far as most ARM devices go, it could very well become "locking out", if Microsoft get their way. Don't give them the thin end of the wedge. They couldn't care less about you, only profits.
What I see in discussions about Secure Boot and Microsoft is that most people that have a negative opinion about this have most of their knowledge from FUD spreading bloggers.
Some simple facts: Every x86 mainboard/PC that wants to get the Windows 8 logo has to have options in the firmware that allow the users to disable Secure Boot and, if they don't want to disable it, to add their own custom keys. It may sound ironical, but if you buy x86 hardware with Windows 8 logo you can be sure that any Linux distribution will run on it without major problems.
If you look at ARM hardware, most of the devices that you can buy now are already locked, without Microsoft being in the game. So why is it different if Microsoft does it also?
Yeah, maybe it's FUD. Maybe I'm being paranoid to mistrust Microsoft and anything they're keen on implementing. Maybe their boss never likened Linux to a cancer.
From: http://technet.microsoft.com/library/hh824987.aspx
Quote:
Secure Boot is a feature that helps prevent unauthorized firmware, operating systems, or UEFI drivers (also known as Option ROMs) from running at boot time. Secure Boot does this by maintaining databases of software signers and software images that are pre-approved to run on the individual computer.
Who, besides Microsoft, decides what is unauthorized firmware and operating systems? Which operating systems and firmware are "unauthorized"?
The user, me, already decides which operating system and firmware is installed on my computer. And I hope this will be the case in future, without interference of any kind. Especially interference from would-be monopolies with dubious business ethics. So what's new?
Linux has always had problems. Simple things that people take for granted now were show stoppers before. Take the WinModem problem. Dunno how many people only had dialup and didn't want to spend the money for a hardware modem.
This entire boot and bios deal will be solved one way or another. It is not an evil empire deal, just something linux users need to learn and use.
New is that you as the user can sign your OS to make sure that it is really your decision (and not the decision of a rootkit) what can run on your system.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.