LinuxQuestions.org
Old 02-12-2013, 09:56 AM   #1
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,204
Blog Entries: 3

Rep: Reputation: 1433
Linux Foundation releases Windows Secure Boot fix


Hi,

Linux Foundation releases Windows Secure Boot fix;
Quote:
It took longer than anyone expected but the Linux Foundation fix for Windows 8 PC's UEFI (Unified Extensible Firmware Interface) Secure Boot lockout of other operating systems has finally arrived.

James Bottomley -- Parallels' CTO of server virtualization, well-known Linux kernel maintainer, and the man behind the Linux Foundation's efforts to create an easy way to install and boot Linux on Windows 8 PCs -- announced on February 8 that the Linux Foundation UEFI secure boot system was finally out.
To finish this required security keys from Microsoft so that the Linux Foundation UEFI bootloader would work. These keys have now been included and these universal Linux bootloaders are ready to go. With these files you should be able to boot and install Linux on almost any Windows 8 PC.
I say "should" because this is the first release. As Bottomley himself wrote, "Let me know how this goes because I’m very interested to gather feedback about what works and what doesn’t work. In particular, there’s a worry that the security protocol override might not work on some platforms, so I particularly want to know if it doesn’t work for you."

You must also be an expert Linux user to even try to get this to work at this point. Today, all Bottomley has provided are the two key bootloading files: PreLoader.efi and HashTool.efi. These EFI files are Extensible Firmware Interface Firmware files. By themselves, they just set up a pre-boot environment that can then be used to boot Linux.

Bottomley has also "put together a mini-USB image that is bootable (just dd it on to any USB key; the image is gpt partitioned, so use the whole disk device). It has an EFI shell where the kernel should be and uses gummiboot [a simple UEFI boot manager] to load" a Linux distribution.
Other useful links in Links for Helpful Linux articles & books

Last edited by onebuck; 05-26-2013 at 10:18 AM. Reason: add link
 
Old 02-12-2013, 10:05 AM   #2
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,204
Blog Entries: 3

Original Poster
Rep: Reputation: 1433
Member Response

Hi,

For Slackware users there is: Slackware on UEFI in the Slackware forum. Good ongoing discussion with input from PV with good advice from all.
 
Old 02-12-2013, 02:05 PM   #3
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 139
The real title should be "Linux Foundation Releases Microsoft's Secure Boot Certificates for Linux".

Two words - SOLD OUT!
 
Old 02-12-2013, 10:13 PM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028
Unfortunately, I agree with NyteOwl; I do not want to see 'required security keys from Microsoft so that the Linux Foundation UEFI bootloader would work'.
Historically I would not trust MS to keep supplying keys... it's not in their interest to support another OS if they don't have to, even though they are co-operating with Linux in some areas eg CIFS and the VM Technology agreement with RH.
 
Old 02-13-2013, 10:04 AM   #5
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,204
Blog Entries: 3

Original Poster
Rep: Reputation: 1433
Member Response

Hi,

Why?? Microsoft providing a key for secure access would do no harm. If Microsoft would renege then the market would realize issues thus placing Microsoft in an awkward position. Microsoft would not jeopardize their position or warrant an issue that would be so negative thus placing a true awareness of that intent. Poor marketing!
 
Old 02-13-2013, 07:43 PM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028
They've been sued at least twice in the US for monopolistic practices; think they lost but just got a slap on the wrist.
The EU has come down on them a few times.
Basically they're a company and their loyalty is to themselves and their shareholders.
They're not in the industry to be nice.
Look at some of the things they've said about Linux in the past.

I'm not saying they would pull a stunt like that, but their credibility is nil (as far as I and others are concerned).
I could ask why they didn't provide the soln themselves in the first place if they are so accommodating..?
 
Old 02-13-2013, 08:20 PM   #7
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,377

Rep: Reputation: 1108
Well, it might be that Microsoft couldn't find anyone else to be willing to hold the keys for them. I don't give this "Windows secure-boot" idea too much hope for success in its present, "version 1.0" incarnation, simply because it is not generalized. For example, why do I have to obtain signed-keys etc. from you? Why doesn't the hardware allow me to provide whatever keys I want, signed or not-signed by whomever I want, and program the machine so that it will not boot with any other certificate? That is what the feature ought to be doing; ought to have been doing all along.

I suspect that this whole idea is going to turn out to be a "massive headache" for hardware vendors, who quite frankly aren't going to cotton to having a bunch of devices that they can't "sell to anyone who wants to buy one." They don't want to have warehouse racks full of "model 12345's" and find themselves unable to fill a massive order because those "model 12345's" are locked to Windows ... and aren't selling. I don't think that Microsoft Corporation has the "presumed sacrosanct status" anymore that they used to take for granted.

Last edited by sundialsvcs; 02-13-2013 at 08:23 PM.
 
Old 02-13-2013, 09:32 PM   #8
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,592
Blog Entries: 2

Rep: Reputation: 4046
Quote:
Originally Posted by sundialsvcs
Well, it might be that Microsoft couldn't find anyone else to be willing to hold the keys for them. I don't give this "Windows secure-boot" idea too much hope for success in its present, "version 1.0" incarnation, simply because it is not generalized. For example, why do I have to obtain signed-keys etc. from you? Why doesn't the hardware allow me to provide whatever keys I want, signed or not-signed by whomever I want, and program the machine so that it will not boot with any other certificate?
Exactly those features you demand have to be implemented in mainboards that get the certification for the Windows 8 Logo program.
You do not have to obtain keys from Microsoft to use Secure Boot. But getting a key from Microsoft has significant advantages, for example that those keys will already be in the database when you buy a new mainboard, which makes it a lot easier for users to just install a Linux distribution with a key signed by Microsoft. Of course any distro can use their own keys, if they want, but then the end-user has to add them to the database. Shouldn't be a problem for an experienced user, but will be a no-go for the newbie.

So, IMHO, getting a Microsoft key is an advantage, not a disadvantage. And you can be sure that revoking a key for no good reason will give really bad press for Microsoft, in turn dropping the value on the stock market. The shareholders would launch Steve Ballmer into orbit faster than you can say Secure Boot.

It is easy as that: If you don't want to use Secure Boot buy hardware with Windows 8 logo and you will be able to disable it. If you want to use Secure Boot, but with your own keys buy hardware with Windows 8 logo and you can add your keys to the database.
Buy hardware without Windows 8 logo and you have no guarantee for either.
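
The key database discussed in the post above can be inspected from a running Linux system. As an added example (not part of the original thread), this Python sketch parses the `EFI_SIGNATURE_LIST` layout of a `db` variable as exposed by efivarfs and reports whether each entry is an X.509 certificate or a SHA-256 image hash; the sample bytes and the owner GUID are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
HEADER = 28  # 16-byte type GUID + three little-endian uint32 size fields


def parse_signature_db(blob, efivarfs=True):
    """Return [(type, owner_guid, data_len), ...] for a db/dbx/KEK variable."""
    data = blob[4:] if efivarfs else blob  # efivarfs prepends 4 attribute bytes
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        pos, end = off + HEADER + hdr_size, off + list_size
        # Reject sizes that would run past the buffer or loop forever.
        if sig_size < 16 or pos > end or end > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # who enrolled it
            kind = SIG_TYPES.get(sig_type, str(sig_type))
            entries.append((kind, str(owner), sig_size - 16))
            pos += sig_size
        off = end
    return entries


def _sig_list(type_guid, owner, payloads):
    """Build one EFI_SIGNATURE_LIST (helper for the constructed sample)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    sizes = struct.pack("<III", HEADER + len(body), 0, 16 + len(payloads[0]))
    return type_guid.bytes_le + sizes + body


# Constructed sample: one placeholder "certificate" (100 filler bytes, not
# real DER) and two placeholder SHA-256 hashes, all with a made-up owner GUID.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
X509, SHA256 = list(SIG_TYPES)
SAMPLE_DB = (
    b"\x27\x00\x00\x00"  # efivarfs attribute word
    + _sig_list(X509, OWNER, [b"\x30" * 100])
    + _sig_list(SHA256, OWNER, [b"\xaa" * 32, b"\xbb" * 32])
)

if __name__ == "__main__":
    # On real hardware, read the bytes from
    # /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    for entry in parse_signature_db(SAMPLE_DB):
        print(entry)
```

Running the same parser over the `dbx` variable lists revoked entries, which is where a revocation of the kind debated in this thread would show up.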
 
Old 02-14-2013, 04:06 AM   #9
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 7,030
Blog Entries: 52

Rep: Reputation: Disabled
A lot of Linux users don't want anything to do with Microsoft, so why should we depend on them for keys, certification, or anything at all? I know we've been through all this before, but I'm still not, nor will I ever be, convinced that this Secure Boot setup is a good thing.
 
Old 02-14-2013, 10:24 AM   #10
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: SlackwareŽ
Posts: 11,204
Blog Entries: 3

Original Poster
Rep: Reputation: 1433Reputation: 1433Reputation: 1433Reputation: 1433Reputation: 1433Reputation: 1433Reputation: 1433Reputation: 1433Reputation: 1433Reputation: 1433
Member Response

Hi,
Quote:
Originally Posted by brianL
A lot of Linux users don't want anything to do with Microsoft, so why should we depend on them for keys, certification, or anything at all? I know we've been through all this before, but I'm still not, nor will I ever be, convinced that this Secure Boot setup is a good thing.
Then those users will need to improvise methods to use the newer Windows 8 logo hardware if they wish to implement Gnu/Linux. Nothing wrong with the extension 'Secure Boot' for 'UEFI'. Just the conspiracy minded individuals who just cannot look past their hatred of Microsoft which is part of the 'UEFI' standard. Microsoft does not control 'UEFI' nor ever will. Other members like Intel, Dell and other major contributors have the foresight to implement 'UEFI' knowing the continued limitations of 'BIOS'.

Don't give me the 'I bought it then I should be able to use it as I feel fit' argument. If you buy a Win/8 logo machine you should read that 'EULA' and License agreements. You select the hardware therefore you are to abide by those agreements. Do not buy unless you are sure it fits!

I have no problem with a piece of hardware that has Win/8 that suits my needs and abilities to use as I see fit. I will be sure to use the utilities to allow my use of that hardware. And I will be sure to research any purchase, since I do know that any Win/8 logo hardware will have to provide the abilities to either disable 'secure boot' to allow certification or provide a signed key for the software to be installed. Will I use Win/8, No. Will I use 'UEFI', Yes! Since we have 'UEFI' hardware available now that can be used with Gnu/Linux, I do not see an issue.

As to worries about past Microsoft issues, it seems everyone chooses Windows capable equipment to use with Gnu/Linux since Microsoft tends to provide indirectly via vendors/OEM bleeding edge equipment. I find it hypocritical for people to say 'Bad Microsoft' but use the newer equipment provided by the design cycle for each Microsoft OS generation. Now there's a laugh!

Gnu/Linux driven hardware design cycles are limited! Sad, but the world is still Microsoft provided OS laptop or desktop equipment until the next giant equipment/OS provider. Apple?? No! Google?? Why are people not buying that hardware in droves? Limited & controlled!

Brian, we have different points of view concerning 'Secure boot'. I find it another tool and useful alongside 'UEFI' to hopefully get past antiquated BIOS. Do I agree with Microsoft's past legal issues? No! Do I want the government controlling free enterprise or capitalism? NO!
 
Old 02-14-2013, 02:32 PM   #11
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 7,030
Blog Entries: 52

Rep: Reputation: Disabled
I've nothing against Secure Boot as such, if it really helps to make computers more secure. It's Microsoft's control/administration of it I'm not keen on. I don't hate Microsoft, I just don't trust them.
 
Old 02-14-2013, 03:07 PM   #12
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,204
Blog Entries: 3

Original Poster
Rep: Reputation: 1433
Member Response

Hi,

Why? You think they are going to bork the system? If so then there would be many users that would be against such action and publicity alone would damage Microsoft.

In the past you trusted 'BIOS', Microsoft involvement for enhancement and rewrites are monumental. Everyone forgets about that. Many cases could be presented for what big companies have done for modern PC equipment, even Microsoft.

The Microsoft vitriol(3) gets old and not always valid or justified.
 
Old 02-14-2013, 04:29 PM   #13
Soderlund
Member
 
Registered: Aug 2012
Location: Sweden
Distribution: Slackware
Posts: 113

Rep: Reputation: 50
Quote:
Originally Posted by brianL
A lot of Linux users don't want anything to do with Microsoft, so why should we depend on them for keys, certification, or anything at all? I know we've been through all this before, but I'm still not, nor will I ever be, convinced that this Secure Boot setup is a good thing.
I fully agree; I don't trust them with anything and I would never buy such hardware.

Boogeyman: Rootkits!
Intention: Lock competing operating systems out of motherboards.
Stated purpose: You have to get this, or Evil Rootkits will kill your computer!

With all due respect onebuck, this is the oldest trick in the book. Governments do it all the time to take away our internet privacy, freedom of speech, et cetera (but they usually use pedophiles or terrorists as the boogeyman). Now Microsoft does it to take away our freedom -- or make it as troublesome as possible -- to install whatever operating systems we want to use. You don't need a tinfoil hat to see it.

Judging by your other posts about the subject, you seem to be very defensive about UEFI. Conspiracy minded people might think you are astroturfing.

Quote:
If Microsoft would renege then the market would realize issues thus placing Microsoft in an awkward position.
They've done similar things in the past. People won't stop buying computers with Windows pre-installed because Linux users are upset, and Linux users hate them anyway. Most of their customers probably don't know what any of this is about.

Still it's good to see that they are working on it. Hopefully they won't need to buy keys from the racketeers in the future.
 
Old 02-14-2013, 05:56 PM   #14
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,377

Rep: Reputation: 1108
I personally suspect that the "presumed Microsoft-centric nature of" this particular scheme will prove to be its Achilles heel. The bottom line is, "people just aren't much into Microsoft anymore." It's no longer a foregone conclusion that someone who buys, say, a rack-mounted x86 server blade, is "of course" going to run Microsoft Windows on that blade.

Fact is, the odds are by now quite a bit higher that the "server of choice" for that piece of equipment is going to be ... Linux.

By installing "Microsoft, of course" keys onto a particular server on a distributor's warehouse-shelf, that server-in-inventory is, in effect, tied to the presumption that the customer who ultimately buys it "of course" is going to run Windows. Point is, it becomes virtually unsalable to anyone who does not wish to do so.

Furthermore, for that growing majority(!) of customers, the "prevents booting of unauthorized operating-systems" feature (which is, in fact, quite important if it is properly designed ....) is of no pragmatic use at all, because this feature is not properly designed.

People do want and need such a capability, but as-implemented it is quite useless to them. Why? Because it is "locked 'of course' to Microsoft," when the fact of the matter is that today's hardware market by-and-large isn't.

Quote:
Originally Posted by real customer:
What good, to me, is a 'feature' that I have to jump through Linux Foundation 'hoops' to use? I am The Customer. I want a feature that is designed from the start to work my way, and my money stays right here in my pocket until I get it.
This poorly-conceived "version 1.0" implementation is, I will predict, doomed in the real-world marketplace.

Last edited by sundialsvcs; 02-14-2013 at 05:59 PM.
 
Old 02-15-2013, 12:37 AM   #15
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028
As above, I don't particularly hate MS, I just don't trust them (think 'embrace, extend, extinguish' & such like).

IF they'd formed a committee of the big players, including themselves, to come up with a vendor neutral soln to the general problem of 'Secure Boot', that would have been fine with me.

I agree with sundialsvcs re servers, but home systems are what worry me; it's still very difficult to buy an off the (retail shop / website ) shelf computer that doesn't have MS, so the temptation to lock them to MS is going to be strong, for simplicity of manufacture/setup, if nothing else.

PS: I'd be happy with a simple switch on the M/B that could be set to 'on' when manufactured, but the owner could then flick over to 'off' if he/she wants.

Last edited by chrism01; 02-15-2013 at 12:39 AM.
 
  

