LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 07-27-2012, 11:24 AM   #31
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Gentoo
Posts: 15,438
Blog Entries: 2

Rep: Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001

Quote:
Originally Posted by brianL View Post
Yeah. Great White shark. Do you really want to swim with them?
Do I want to? No. Do I have a choice? Also no.
So I have to make the best out of it and that works only if I go and study the great white shark and its rules. You can be sure that they don't make this rules for the benefit of Linux. They make it because of two simple things:
1. Don't mess with antitrust laws, especially in the EU.
2. Many of there larger customers have the option to downgrade their licenses. If they need more licenses they will buy Windows 8 licenses in the future, but have the right to use Windows 7 instead. Now try to install Windows 7 on hardware where you can't disable Secure Boot.

Quote:
Not to mention downright suspicious, and against GNU/Linux principles.
I can't see where it is against GNU/Linux principles to buy hardware that has a logo on it that indicates that you can be sure that you are able to install GNU/Linux on it. It doesn't matter if this logo comes from Microsoft or a different third party. What would be the difference if a logo with the same requirements would come from the FSF?

Last edited by TobiSGD; 07-27-2012 at 11:25 AM.
 
Old 07-27-2012, 01:56 PM   #32
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 6,915
Blog Entries: 51

Rep: Reputation: Disabled
Another thing:
Secure Boot is meant to make a system more secure, but it can be easily disabled. Waste of time, isn't it?
 
Old 07-27-2012, 02:01 PM   #33
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Gentoo
Posts: 15,438
Blog Entries: 2

Rep: Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001
Quote:
Originally Posted by brianL View Post
Another thing:
Secure Boot is meant to make a system more secure, but it can be easily disabled. Waste of time, isn't it?
Not really. If I have physical access to your machine then no machine is secure, I can just rip out your harddisk and steal your data (assuming that it is not encrypted). But you can't disable Secure Boot from a running OS, which will prevent that malicious software can link itself into the boot process (root kits or similar). Also, in corporate environments you can be pretty sure that there will be a BIOS (UEFI) password that prevents you from simply disabling it.
 
Old 07-27-2012, 02:14 PM   #34
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 6,915
Blog Entries: 51

Rep: Reputation: Disabled
Anyway, this debating is speculative. We'll have to wait and see. I'll remain sceptical, but admit I was wrong if everything works out OK.
 
Old 09-28-2012, 11:37 PM   #35
Yukon
LQ Newbie
 
Registered: Feb 2004
Location: Vancouver BC
Distribution: Debian
Posts: 12

Rep: Reputation: 0
Quote:
Originally Posted by TobiSGD View Post
What I see in discussions about Secure Boot and Microsoft is that most people that have a negative opinion about this have most of their knowledge from FUD spreading bloggers.
Some simple facts: Every x86 mainboard/PC that wants to get the Windows 8 logo has to have options in the firmware that allow the users to disable Secure Boot and, if they don't want to disable it, to add their own custom keys. It may sound ironical, but if you buy x86 hardware with Windows 8 logo you can be sure that any Linux distribution will run on it without major problems.
If you look at ARM hardware, most of the devices that you can buy now are already locked, without Microsoft being in the game. So why is it different if Microsoft does it also?
OK. Will it allow dual boot? I think it will
kill linux, not because of FUD, but because
it makes it a little bit harder.

Easier is what we need. Not harder. Bye Bye.
 
Old 09-30-2012, 10:21 AM   #36
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: SlackwareŽ
Posts: 11,052
Blog Entries: 1

Original Poster
Rep: Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373
Member Response

Hi,
Quote:
Originally Posted by Yukon View Post
OK. Will it allow dual boot? I think it will
kill linux, not because of FUD, but because
it makes it a little bit harder.

Easier is what we need. Not harder. Bye Bye.
Yes, for informed users that do not fall for 'FUD'. Secure boot will not kill Linux.

How is it harder? User doesn't wish to read information to allow the choice of proper hardware & configuration. We call that laziness!
 
Old 09-30-2012, 01:56 PM   #37
nobuntu
Member
 
Registered: Mar 2012
Distribution: Debian for server, CrunchBang for everything that's not a server
Posts: 143

Rep: Reputation: 24
I think I must be missing something.

I have been confused throughout this whole Secure Boot debate about why those who don't like it can't simply purchase one of these or something similar, instead of going down to their local Costco/RadioShack/OfficeMax/etc. and purchasing a computer there. Open source hardware seems to be the logical choice if one is hoping to run open source software, to me at least.
 
Old 10-01-2012, 09:47 AM   #38
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,267

Rep: Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086
It's a mistake to present Secure Boot technology as "an obstacle" which has been tossed into the way of The Freedom Lovers by the Evil Empire.

Secure Boot is an attempt to thwart root-kits. It is therefore of equal importance to Linux and to Windows, and for precisely the same reasons. Yes, it relies heavily upon the integrity of cryptographic root-keys, as do all other systems of their kind.

Obviously, Microsoft can't control what kind of operating-system a particular computer might need to run. Businesses (including Microsoft itself) "need to run" Linux, "too." The only thing that they wish to enforce is the prerogatives of the system owner to only permit known operating systems to be booted on the device.

The problem here is literally the industrial spy or assailant or god-knows-what who, in the guise of a young kid, who hires on for the job that nobody wants: third-shift sysop. He's got a USB stick in his pocket and he knows how to use it ... shutting down a Windows server, booting up a Knoppix linux on the same hardware, and surfing the computer's hard drive at his leisure because the security and the vigilance normally provided by the "intended" host operating-system (it could be "another Linux," after all ...) no longer exists. He siphons away the information, unplugs the USB stick, hits the reset button and in a few moments there is no obvious evidence of his crime.

This happens to be an extremely significant attack-vector, very plausible and real, which must be guarded against. Secure Boot is an important step in that direction, and both Windows and Linux (and every other potential "legitimate guest") must support it securely.

(Let me put it this way: "This vector is as devastating as a root-kit ... of course it is an excellent way to install a root-kit ... and it is potentially undetectable." In a world in which computer systems are profoundly trusted with matters directly pertaining to "human health and safety," this is unacceptable and dangerous.)

Last edited by sundialsvcs; 10-01-2012 at 09:51 AM.
 
1 members found this post helpful.
Old 10-01-2012, 11:26 PM   #39
nobuntu
Member
 
Registered: Mar 2012
Distribution: Debian for server, CrunchBang for everything that's not a server
Posts: 143

Rep: Reputation: 24
Quote:
Originally Posted by sundialsvcs View Post
It's a mistake to present Secure Boot technology as "an obstacle" which has been tossed into the way of The Freedom Lovers by the Evil Empire.

Secure Boot is an attempt to thwart root-kits. It is therefore of equal importance to Linux and to Windows, and for precisely the same reasons. Yes, it relies heavily upon the integrity of cryptographic root-keys, as do all other systems of their kind.

Obviously, Microsoft can't control what kind of operating-system a particular computer might need to run. Businesses (including Microsoft itself) "need to run" Linux, "too." The only thing that they wish to enforce is the prerogatives of the system owner to only permit known operating systems to be booted on the device.

The problem here is literally the industrial spy or assailant or god-knows-what who, in the guise of a young kid, who hires on for the job that nobody wants: third-shift sysop. He's got a USB stick in his pocket and he knows how to use it ... shutting down a Windows server, booting up a Knoppix linux on the same hardware, and surfing the computer's hard drive at his leisure because the security and the vigilance normally provided by the "intended" host operating-system (it could be "another Linux," after all ...) no longer exists. He siphons away the information, unplugs the USB stick, hits the reset button and in a few moments there is no obvious evidence of his crime.

This happens to be an extremely significant attack-vector, very plausible and real, which must be guarded against. Secure Boot is an important step in that direction, and both Windows and Linux (and every other potential "legitimate guest") must support it securely.

(Let me put it this way: "This vector is as devastating as a root-kit ... of course it is an excellent way to install a root-kit ... and it is potentially undetectable." In a world in which computer systems are profoundly trusted with matters directly pertaining to "human health and safety," this is unacceptable and dangerous.)
This is an absolutely brilliant post - the most convincing and well-researched argument in favor of Secure Boot that I have seen thus far.
 
Old 10-02-2012, 03:54 PM   #40
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: SlackwareŽ
Posts: 11,052
Blog Entries: 1

Original Poster
Rep: Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373Reputation: 1373
Moderator Response

@Yukon

Please do not form attacks or form posts with the intent of baiting to start a flame war. Be respectful with your post.

You are violating the LQ Rules;
Quote:
Personal attacks on others will not be tolerated.

Flame Wars will not be tolerated.

Do not post if you do not have anything constructive to say in the post.
In the future, please re-read your composed post before submitting. One thing to have firm believe(s) but you should have consideration & respect for fellow LQ members thus forming a considerate, constructive post.

You should consider researching 'EFI', 'UEFI' and 'secure boot' since it seems you are not informed on the subject at hand as related to the Gnu/Linux community. Nobody has stated that Gnu/Linux will die because of 'secure boot', except for the uninformed and people who rely on 'FUD' thus not knowing what to do and how..

Please remove the masked vulgarity in your post. If you don't edit the post satisfactorily, I will remove the post entirely. Not censoring either, this is a moderated forum and you agreed to abide by LQ Rules.

Last edited by onebuck; 10-03-2012 at 07:40 AM. Reason: typo
 
Old 10-02-2012, 09:55 PM   #41
mostlyharmless
Senior Member
 
Registered: Jan 2008
Distribution: Slackware -current (multilib) with kernel 3.15.5
Posts: 1,498
Blog Entries: 12

Rep: Reputation: 155Reputation: 155
Quote:
There are laws coming down, in all sorts of businesses including but not limited to health-care, that say that you must be able to guarantee this. And time is running out to prove compliance.
Now this statement is all too true and the worst part of the whole thing. They are bad laws and ill conceived too.

Why is there such faith in rules and laws? Do you not think the " kid with USB" will have a bootable signed system? Or that the malfeasance will be authorized? Or that the amateur will simply remove the drive, clone it and return it, just as a forensic expert would do? I'm not saying that it isn't sensible to take security precautions, but this sort of thing isn't really addressing the problem.
 
Old 10-02-2012, 11:19 PM   #42
Ztcoracat
Senior Member
 
Registered: Dec 2011
Distribution: Slackware & CentOS
Posts: 2,885
Blog Entries: 1

Rep: Reputation: Disabled
I have been studying for about 3 to 4 weeks on anything I could find on this UEFI and I'm just glad that men are working on this.
One of the company's that design these UEFI System Partiions is Insyde
http://www.insydesw.com/

I found these articles of intrest as well.
http://www.zdnet.com/blog/open-sourc...d-fedora/11187
http://www.extremetech.com/computing...os-replacement

The Linux Foundation had some say about this as well and made a PDF
http://www.linuxfoundation.org/publi...open-platforms

I look at this UEFI and Secure Boot issue as a challange not evil. But I do see where some individuals can find it a wee bit negative and the act of manufacturing for pure profit. It's even possible that this may be some type of 'control' used for the future.

However; every man must support himself and his family but it is what he is practicing/making/manufacturing that is what deems this practice good or bad-

Last edited by Ztcoracat; 10-02-2012 at 11:36 PM. Reason: Additional thought
 
Old 10-03-2012, 01:51 PM   #43
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 138Reputation: 138
My previous post was primarily to illustrate how such a "conspiracy" might be orchestrated not that I necessarily thought there was one. Though I have no doubt that Microsoft hopes this will discourage people from using something other than Windows.

Secure Boot, like TPM before it, is a piece of technology designed to help solve a specific set of problems.Yes, like all technology it can be misused but properly used has some significant benefits. TPM didn't hurt Linux and this isn't liekly too either.

And if all the hand wringing and wailing would stop for a minute and people think, than all that might really be needed is a reputable Linux entity (the Linux Foundation or OSI for example) to step up an offer a secure key service to distribution authors, that don't want to use a self-signed key, and say OEM's. Then Linux wold have its own "certified" keys rather than relying on Microsoft's.

There are numerous options but it's mostly a tempest in a teapot (though I think the MS deal with ARM based OEM's is a bit over the top).
 
Old 10-04-2012, 08:13 AM   #44
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,267

Rep: Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086Reputation: 1086
I don't think that it is realistic for Microsoft to "discourage people" in this way ... the notion just isn't credible. No one with Linux installations in-place is going to "convert" those systems to the entirely non-equivalent Windows OS. This is technically inconceivable.

But, yes, there can't just be one cryptographic root-key, owned by a particular software vendor. You do want to minimize the number of authorized-issuers in any such system, obviously.

The Achilles Heel that I perceive in this system as-designed right now is that you need to be able to lock a system to a particular OS-build ... a company needs to say, "Windows Version 1.2.3 As Customized By Us on August 22nd," and none other, may be installed on our machines. All without creating hideous complications for their infrastructure teams. I'm not sure how well this architecture is going to play out in practice, nor how widespread it will actually become. In a year or two, we'll all know.

Last edited by sundialsvcs; 10-04-2012 at 08:18 AM.
 
Old 10-04-2012, 03:47 PM   #45
Yukon
LQ Newbie
 
Registered: Feb 2004
Location: Vancouver BC
Distribution: Debian
Posts: 12

Rep: Reputation: 0
UEFI worry

I must say I enjoy all the feedback I got from
my initial posting of worry, and agree with much of
it, but until someone comes up with an open solution,
I retain my view. Over the long haul, and because
of MS cunning, Linux will become even more
of a specialist thing. NOT Good.

Thanks to the person that mentioned the effort at

http://www.insydesw.com/

which I will check out now. Happy trails!

BTW, very good point about the Achilles heel
mentioned below. *Windows* people are
going to be unhappy about upgrading
all the time, also.

-jae


Quote:
Originally Posted by sundialsvcs View Post
I don't think that it is realistic for Microsoft to "discourage people" in this way ... the notion just isn't credible. No one with Linux installations in-place is going to "convert" those systems to the entirely non-equivalent Windows OS. This is technically inconceivable.

But, yes, there can't just be one cryptographic root-key, owned by a particular software vendor. You do want to minimize the number of authorized-issuers in any such system, obviously.

The Achilles Heel that I perceive in this system as-designed right now is that you need to be able to lock a system to a particular OS-build ... a company needs to say, "Windows Version 1.2.3 As Customized By Us on August 22nd," and none other, may be installed on our machines. All without creating hideous complications for their infrastructure teams. I'm not sure how well this architecture is going to play out in practice, nor how widespread it will actually become. In a year or two, we'll all know.
 
  


Reply

Tags
bios, secure boot, uefi


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Will your computer's "Secure Boot" turn out to be "Restricted Boot"? LXer Syndicated Linux News 0 10-17-2011 09:00 PM
What are the easy to follow step-by-step instructions for loading "WICD" in Slackware Twilight_Bandit Linux - Software 2 06-22-2009 05:16 AM
boot hangs at the "/boot: clean" step dh4 Linux - General 1 03-10-2007 10:14 AM
LXer: Why EnGarde Secure Linux is "Secure By Design" LXer Syndicated Linux News 0 10-10-2006 12:21 AM
LXer: O'reilly Releases "Learning PHP & MySQL": A Step-by-Step Guide to ... LXer Syndicated Linux News 0 06-21-2006 06:33 AM


All times are GMT -5. The time now is 01:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration