LinuxQuestions.org
Old 07-18-2012, 06:41 PM   #1
onebuck
Moderator
 
Registered: Jan 2005
Location: Central Florida 20 minutes from Disney World
Distribution: Slackware®
Posts: 13,925
Blog Entries: 44

Rep: Reputation: 3159
"Linux Developers Step Up to the Secure Boot Challenge"


Hi,

"Linux Developers Step Up to the Secure Boot Challenge" is a good attempt at solving the 'Secure Boot' issue for GNU/Linux.

Sure it is early but people are working on a solution.

Another good article: Linux and Windows 8's Secure Boot: What We Know So Far


Other useful links in Links for Helpful Linux articles & books

Last edited by onebuck; 05-26-2013 at 10:11 AM. Reason: add link
 
Old 07-18-2012, 06:52 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Good to have tools for signing bootloaders, but I don't get what Tianocore is for. Anyone able to explain that to me?
 
Old 07-18-2012, 08:13 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,358

Rep: Reputation: 2751
Am I misunderstanding your qn?
Quote:
Intel's Tianocore, which is an open source implementation of the Unified Extensible Firmware Interface (UEFI).

The Intel Tianocore project just recently added the Secure Boot facility to its UEFI ROM images, he noted.
https://www.pcworld.com/businesscent...challenge.html
See also http://sourceforge.net/apps/mediawik...?title=Welcome
 
Old 07-18-2012, 09:02 PM   #4
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
OK, so now we have an open source implementation of UEFI, including Secure Boot. But what is it good for? Can I replace the UEFI on my motherboard with it? And how does having an open source implementation of Secure Boot change things for Linux? That is what I don't get.
 
Old 07-18-2012, 11:56 PM   #5
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
It kinda seems to state that even if SecureBoot is enabled on a PC, they are working on developing a SecureBoot key for Linux systems to use SecureBoot without a workaround.

That's what I gathered...
 
Old 07-19-2012, 05:27 AM   #6
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
But you don't need a workaround for Secure Boot. It works for Linux.
 
Old 07-19-2012, 08:43 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,657
Blog Entries: 4

Rep: Reputation: 3938
Well, we obviously do need computer systems whose "hardware software" layer is cryptographically protectable, for the same reason that we now understand the importance of cryptographically signed applications and operating-system components. The trick of it, though, is that such technologies must not be proprietary: owned by one company and known only to them, regardless of the reasoning (or the patents) given.

If you've ever seen a Linux system that was "root-kitted," you know firsthand that penetration of a system can be done very deep ... beneath, indeed, the operating-system layer upon which we routinely hang the hat of security. There's a genuine need for this kind of technology in modern computer systems. But, it can't be owned by Microsoft, by Apple, or by anyone else. And, it can't rely on secrets. To do any of these things would be to defeat its purpose. (But try telling an IP lawyer that!)
 
Old 07-20-2012, 09:49 AM   #8
onebuck
Moderator
 
Registered: Jan 2005
Location: Central Florida 20 minutes from Disney World
Distribution: Slackware®
Posts: 13,925

Original Poster
Blog Entries: 44

Rep: Reputation: 3159
Member Response

Hi,

Software/Hardware protection is not new. Early OS provided protections to prevent both intentional and accidental changes. I do remember signing several different legal agreements for AIX and UNIX to allow tweaking of an OS by the end user. This was not taken lightly at the time.

I personally can understand Microsoft's position with 'secure boot'. Some look at it as locking out. I look at it as securing the system. You are not being forced to purchase the equipment & software. Buy something else! The argument that I purchased the equipment therefore it's mine to do as I wish doesn't wash. Purchasing a piece of hardware with a known control that prevents augmentation of software unless you make the changes through the certified vendor is just that: You purchased with known restrictions thus no way to change it without major hacks thus violating the original agreement. Create a brick and you have a large door stop.
 
Old 07-20-2012, 11:22 AM   #9
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware64 15; SlackwareARM-current (aarch64); Debian 12
Posts: 8,298
Blog Entries: 61

Rep: Reputation: Disabled
Gary
It's not so often that I agree with you, and this time is no exception. It may be OK for Microsoft to dictate what I can do with their software, after all I've only bought a license to use it, and not bought it outright. But they should have no power to dictate or enforce what I use on my hardware. It might suit you to have limited choice, and say "buy something else", but some of us prefer to be less constrained. As far as most ARM devices go, it could very well become "locking out", if Microsoft get their way. Don't give them the thin end of the wedge. They couldn't care less about you, only profits.
 
Old 07-20-2012, 12:59 PM   #10
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
What I see in discussions about Secure Boot and Microsoft is that most people that have a negative opinion about this have most of their knowledge from FUD-spreading bloggers.
Some simple facts: Every x86 mainboard/PC that wants to get the Windows 8 logo has to have options in the firmware that allow the users to disable Secure Boot and, if they don't want to disable it, to add their own custom keys. It may sound ironical, but if you buy x86 hardware with Windows 8 logo you can be sure that any Linux distribution will run on it without major problems.
If you look at ARM hardware, most of the devices that you can buy now are already locked, without Microsoft being in the game. So why is it different if Microsoft does it also?
 
Old 07-20-2012, 01:51 PM   #11
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware64 15; SlackwareARM-current (aarch64); Debian 12
Posts: 8,298
Blog Entries: 61

Rep: Reputation: Disabled
Yeah, maybe it's FUD. Maybe I'm being paranoid to mistrust Microsoft and anything they're keen on implementing. Maybe their boss never likened Linux to a cancer.
From:
http://technet.microsoft.com/library/hh824987.aspx
Quote:
Secure Boot is a feature that helps prevent unauthorized firmware, operating systems, or UEFI drivers (also known as Option ROMs) from running at boot time. Secure Boot does this by maintaining databases of software signers and software images that are pre-approved to run on the individual computer.
Who, besides Microsoft, decides what is unauthorized firmware and operating systems? Which operating systems and firmware are "unauthorized"?
 
Old 07-20-2012, 04:18 PM   #12
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by brianL
Maybe their boss never likened Linux to a cancer.
Of course he did. In the 90's.

Quote:
Who, besides Microsoft, decides what is unauthorized firmware and operating systems?
As I stated in my last post, the user does.
Quote:
Which operating systems and firmware are "unauthorized"?
All those that you have not authorized. Just in the case you simply don't just disable Secure Boot and don't have to bother at all.
 
Old 07-20-2012, 04:47 PM   #13
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware64 15; SlackwareARM-current (aarch64); Debian 12
Posts: 8,298
Blog Entries: 61

Rep: Reputation: Disabled
The user, me, already decides which operating system and firmware is installed on my computer. And I hope this will be the case in future, without interference of any kind. Especially interference from would-be monopolies with dubious business ethics. So what's new?
 
Old 07-20-2012, 05:09 PM   #14
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,976

Rep: Reputation: 3623
Linux has always had problems. Simple things that people take for granted now were show stoppers before. Take the WinModem problem. Dunno how many people only had dialup and didn't want to spend the money for a hardware modem.

This entire boot and bios deal will be solved one way or another. It is not an evil empire deal, just something linux users need to learn and use.
 
Old 07-20-2012, 05:27 PM   #15
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by brianL
So what's new?
New is that you as the user can sign your OS to make sure that it is really your decision (and not the decision of a rootkit) what can run on your system.
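
Added example, not part of any post in this thread: the thread turns on whether Secure Boot is enforcing, disabled, or open for the owner to enroll custom keys, and on Linux that state can be read from the UEFI variables `SecureBoot` and `SetupMode` under efivarfs. The function names and the state labels printed are this example's own; the test data used to exercise it would be constructed files, not real firmware output.

```shell
#!/usr/bin/env bash
# Report the Secure Boot state of this machine from efivarfs.
# EFI global variable GUID, as defined by the UEFI specification.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Read a one-byte UEFI variable. An efivarfs file holds 4 attribute
# bytes followed by the variable data, so the value is the 5th byte.
efi_bool() {   # $1 = efivars directory, $2 = variable name
    local f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo "absent"; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Map the two variables to one label (labels are this example's own).
secure_boot_state() {   # $1 = efivars directory (default: live system)
    local dir="${1:-/sys/firmware/efi/efivars}"
    local sb sm
    sb=$(efi_bool "$dir" SecureBoot)
    sm=$(efi_bool "$dir" SetupMode)
    case "$sb:$sm" in
        absent:*) echo "no-uefi-or-unsupported" ;;  # legacy BIOS boot or no efivarfs
        1:0)      echo "enforcing" ;;               # only images the key databases allow will boot
        0:1)      echo "setup-mode" ;;              # no Platform Key: owner keys can be enrolled
        0:*)      echo "disabled" ;;                # keys may be present but are not enforced
        *)        echo "unknown($sb:$sm)" ;;        # truncated or unexpected variable contents
    esac
}

secure_boot_state
```

A result of `setup-mode` is the condition in which the firmware accepts a new Platform Key, which is where enrolling your own keys starts.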
 
All times are GMT -5.