LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 10-12-2012, 06:14 PM   #16
s3phir0th115
LQ Newbie
 
Registered: Jan 2007
Distribution: Slackware
Posts: 22

Rep: Reputation: 3

I'm not really understanding the concern, at least on PC architecture systems... It's mandatory to allow disabling secure boot in order to receive certification, so how is this a threat to Linux?
 
Old 10-12-2012, 06:58 PM   #17
JaseP
Senior Member
 
Registered: Jun 2002
Location: Eastern PA, USA
Distribution: K/Ubuntu 10.04/12.04, Scientific Linux 6.3, Android-x86, Maemo
Posts: 1,658

Rep: Reputation: 138Reputation: 138
Quote:
Originally Posted by AlleyTrotter View Post
... I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?

...

john
While, on one hand, I do not trust MS,... "Bricking" other OSes, by revoking keys from Linux Distros would be a really good way to find themselves back in Court as a defendant in another anti-trust action,... again.

I look at them lording over this as a way for them to reinvent themselves as a service company, rather than a software company ...
 
Old 10-12-2012, 08:16 PM   #18
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.0/14.1
Posts: 3,479

Rep: Reputation: 533Reputation: 533Reputation: 533Reputation: 533Reputation: 533Reputation: 533
Unless I'm missing something, this is a contractual issue and not a technical issue.

Seems to me the entire debate is the Microsoft folks won't certify a Windows 8 computer unless that system uses UEFI and a Microsoft platform key in the secure boot process. Final result: a nice little sticker on the computer. No certification, no nice little sticker.

The same computer model can be sold without Windows 8 certification. No hardware vendor is required to certify all systems as such. Hardware vendors also are not required to use UEFI. They can use the older BIOS --- unless they want that nice little sticker.

Computers not certified for Windows 8 do not have to have secure boot enabled and do not have to have UEFI installed.

The terms of a Windows 8 licensing contract might require vendors to sell only certified systems, but that is a contractual issue, not technical. If the folks at large hardware companies such as Dell can't negotiate contracts to allow them to sell their hardware as they please, then that is their tough luck. Folks managing hardware companies that are not codependent upon Microsoft/Windows 8 likely will see an increase in sales as people not needing Windows 8 certification buy their products.

Stand-alone motherboards sold through retailers do not need and are unlikely to be sold with secure boot protected with a Microsoft Windows8 platform key. People who build their own systems won't be affected.

UEFI does not require secure boot to be enabled, but only supports the capability. A UEFI computer not certified to run Windows 8 and with secure boot not enabled should be able to run any Linux based system.

People who want to dual boot using a preinstalled Windows 8 certified computer might feel up the creek without a paddle, but otherwise I'm not seeing a problem. Just don't buy a Windows 8 certified computer. Don't buy a computer that has secure boot enabled with a platform key owned by people not supporting Linux based systems.
 
Old 10-12-2012, 09:07 PM   #19
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Gentoo
Posts: 15,438
Blog Entries: 2

Rep: Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001
Quote:
Originally Posted by Woodsman View Post
Computers not certified for Windows 8 do not have to have secure boot enabled and do not have to have UEFI installed.
But they can have UEFI firmware with Secure Boot enabled, but without the option to disable it. It is mandatory to have a disable option to get the certificate.

Quote:
Stand-alone motherboards sold through retailers do not need and are unlikely to be sold with secure boot protected with a Microsoft Windows8 platform key. People who build their own systems won't be affected.
You can be pretty sure that many mainboards will come with UEFI and Secure Boot. Many smaller and mid-size OEMs are not using custom-built mainboards, but mainstream hardware and they want to have the option to sell Windows 8 certified hardware. The mainboard manufacturers will also want to sell certified hardware.

Quote:
Just don't buy a Windows 8 certified computer.
In my eyes misleading advice. Again, mainboards/computers without the certificate can have UEFI with Secure Boot enabled without the option to disable it. This option is mandatory on hardware with certificate.
 
Old 10-12-2012, 09:27 PM   #20
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.0/14.1
Posts: 3,479

Rep: Reputation: 533Reputation: 533Reputation: 533Reputation: 533Reputation: 533Reputation: 533
Quote:
In my eyes misleading advice. Again, mainboards/computers without the certificate can have UEFI with Secure Boot enabled without the option to disable it. This option is mandatory on hardware with certificate.
Okay, when buying a motherboard from Amazon or Newegg, buy one that is not Windows 8 certified. If a motherboard has UEFI and has secure boot enabled but is not Windows 8 certified, then whose key is active? A Windows 8 certification answers the question, but a motherboard without that certification? I don't see how such a board would have secure boot enabled. By whom?
 
Old 10-12-2012, 10:22 PM   #21
s3phir0th115
LQ Newbie
 
Registered: Jan 2007
Distribution: Slackware
Posts: 22

Rep: Reputation: 3
Hmm, ok, well that being the case, how could they market a board like that? Something like that would probably get the crappiest ratings imaginable. (People buying motherboards are usually geeks anyway.)

I don't see a business incentive to force secure boot without the ability to disable.
 
Old 10-13-2012, 02:54 AM   #22
Martinus2u
Member
 
Registered: Apr 2010
Distribution: Slackware
Posts: 343

Rep: Reputation: 56
Quote:
Originally Posted by TobiSGD View Post
It is mandatory to have a disable option to get the certificate.
Are you sure about that? If would go against MS's commercial intrest.

If I had to make a viable plan for world domination it would look like this:

(a) make Windows start only on UEFI/SB systems
(b) stipulate in the UEFI/SB specification that there must not be an option to disable SB
(c) enforce the UEFI/SB specification through legal measures

The result: you won't be able to buy hardware able to run anything other than Windows.
 
Old 10-13-2012, 03:23 AM   #23
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
As long as secure boot can be turned off, distro diversity will be maintained. I think it's clearly an attempt by M$ to kill Linux.
 
Old 10-13-2012, 04:01 AM   #24
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: ElementaryOS, Ubuntu LTS, Slackware
Posts: 1,515

Rep: Reputation: 700Reputation: 700Reputation: 700Reputation: 700Reputation: 700Reputation: 700Reputation: 700
Quote:
Originally Posted by TobiSGD View Post
if you don't trust Microsoft you shouldn't be using their software
This has been my policy for the last eleven years. Do not (ever) trust Microsoft. And do not (ever) use their software. Over the past years, this company has done repeatedly about all that can be done to earn my mistrust.
 
Old 10-13-2012, 05:42 AM   #25
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Gentoo
Posts: 15,438
Blog Entries: 2

Rep: Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001
Quote:
Originally Posted by Woodsman View Post
Okay, when buying a motherboard from Amazon or Newegg, buy one that is not Windows 8 certified. If a motherboard has UEFI and has secure boot enabled but is not Windows 8 certified, then whose key is active? A Windows 8 certification answers the question, but a motherboard without that certification? I don't see how such a board would have secure boot enabled. By whom?
Having the key in the firmware and having the certificate is not in any way related. You can be sure that Microsoft will not be angry if there are mainboards that effectively lock out other OSes. They would prefer if any mainboard would do that, but for legal reasons they can't do that. You know, anti-trust and such things. They will not hesitate to give manufacturers the key, even if they don't go for the certificate.
But if you buy a mainboard/PC with certificate you can be sure that there will be options to disable Secure Boot and to manage keys, which means you can delete Microsoft's keys and you can add your own custom keys.

Quote:
Originally Posted by s3phir0th115
Hmm, ok, well that being the case, how could they market a board like that? Something like that would probably get the crappiest ratings imaginable. (People buying motherboards are usually geeks anyway.)
Most mainboards are not bought by the private person, they are bought by small and midrange OEMs. These OEMs don't use custom mainboards, they use mainstream mainboards. You can also be sure that a mainboard without certificate will be at least a little bit cheaper than those with certificate. Since the most OEMs sell their systems with Windows pre-installed anyways they couldn't care less about those options.

Quote:
Are you sure about that? If would go against MS's commercial intrest.
Yes I am sure. No offense meant, but I wonder why people don't actually read what Microsofts requirements are: http://msdn.microsoft.com/en-us/libr...dware/jj128256
For this topic relevant are the points 17 (key management) and 18 (disabling Secure Boot) in the paragraph System.Fundamentals.Firmware.UEFISecureBoot
Here the relevant excerpt from paragraph 18:
Quote:
Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.
That is the reason why I recommend always to buy mainboards with the certificate, so you can be sure that you have options to manage keys and disable Secure Boot, options that don't have to be implemented on mainboards without the certificate.
Quote:
If I had to make a viable plan for world domination it would look like this:

(a) make Windows start only on UEFI/SB systems
(b) stipulate in the UEFI/SB specification that there must not be an option to disable SB
(c) enforce the UEFI/SB specification through legal measures

The result: you won't be able to buy hardware able to run anything other than Windows.
Microsoft would be sued to hell in the EU and I think even in the US of A they would see another anti-trust lawsuit.
 
Old 10-13-2012, 06:01 AM   #26
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Quote:
Originally Posted by TobiSGD View Post
Microsoft would be sued to hell in the EU and I think even in the US of A they would see another anti-trust lawsuit.
In the EU, yes. In the US, maybe, but M$ will win.
 
Old 10-13-2012, 06:26 AM   #27
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.1 (3.15.3) UEFI enabled
Posts: 347

Original Poster
Rep: Reputation: 71
wrong again, John

meaning me.
I would [unsolve] this post if there were a method.
First and foremost: I still believe that business' will develop a method to poll your computer that all financial transactions have secure boot enabled and operating. If they don't develop said method, some 'hot shot class action lawyer' or 'insurance provider' will declare that this business method does not do all it can to protect its user's financial transactions. Liability and blacklist enabled.
Secondly further reading in the comments section by mjg8, he states his shim is signed by MS. Unlike Tobi I believe any key issued by anyone can also be revoked by that entity.

To quote George Ure "Everything is a business plan"
So I am still undecided, do I build my next system with a UEFI Bios with secure boot or not? I have not had an MS system in my home since about 1998 (Win95). I do run a KVM (WinXp-VM) to access my wife's bank which polls the OS and sends you to a "We are having problems, please try again later" page if it does not get the expected answer. I have tried browser spoofing. It doesn't work at this bank. Will your bride change her favorite bank where her friend works for you?
To quote President o'bama "this is above my pay grade"
Apparently I will need to do much more RTFM'ing
Thanks to everyone for their opinion.
Also hope to hear more advice.
John
 
Old 10-13-2012, 06:59 AM   #28
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Gentoo
Posts: 15,438
Blog Entries: 2

Rep: Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001Reputation: 4001
Quote:
Originally Posted by AlleyTrotter View Post
Unlike Tobi I believe any key issued by anyone can also be revoked by that entity.
From the link to LWN you gave in a previous post:
Quote:
The only way to modify the EFI key databases programmatically is to have access to the private half of one of the keys in the KEK database, which then allows you to produce signed updates to DB (the key and hash whitelist) and DBX (the corresponding blacklist). The only people who will typically have that are Microsoft and, perhaps, the motherboard vendor. If you want to modify those databases without having access to a key then you need to go through the firmware interface.
So if you don't use Microsoft software (which means you don't have the needed private key) or software provided by the boards manufacturer (which is pretty unusual on Linux, since they only provide Windows software) they can't revoke your keys.
But even if they do: If you have a Windows certified mainboard just disable Secure Boot or add your own keys.
 
Old 10-13-2012, 12:36 PM   #29
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.1 (3.15.3) UEFI enabled
Posts: 347

Original Poster
Rep: Reputation: 71
Quote:
Originally Posted by TobiSGD View Post
If you have a Windows certified mainboard just disable Secure Boot or add your own keys.
And as I said, then I lose the advantage of secure boot. I would like to participate in the secure boot environment if it helps secure communications. I believe at some point financial institutions will require it. I am just looking for a way to do it without needing MicroSoft's keys or permission, if that can be accomplished with my own keys as you seem to indicate that suits me fine.
Not trying to be argumentative about it. Just looking for a way out.
Also trying to decide how to build my next system. Thinking if UEFI/SB is a bad thing for Slackware, I better snag an old bios super motherboard before they all disappear. Otherwise I can just wait until I really need a new system. Right now I have 2 working desktops vintage 1996 (actually has 3-1/2 and 5-1/4 onboard floppies and a 8" external) and a generic Dell 2007. They both are pretty solid for desktop use and some hobby programming.
Thanks
John

Last edited by AlleyTrotter; 10-13-2012 at 02:55 PM.
 
Old 10-13-2012, 12:54 PM   #30
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
When they remove the option to disable secure boot (like on ARM), then you can mad rush to get the old mobos ... but I think they've planned for that too.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Working System will not boot, I do not understand the messages on the screen. flatstan Linux - Software 5 11-15-2011 11:35 AM
Don't understand, where I can find Fedora 12 boot.img?! proNick Fedora - Installation 6 03-17-2010 04:39 PM
Need help to understand /boot entries with 2 Kernels Orangutanklaus Slackware 5 08-21-2006 05:25 AM
I don't understand:Fast LILO boot floppy kocoman Linux - Software 1 06-16-2005 12:37 AM
Want some understand of boot folder Tyir Slackware 1 01-02-2004 09:25 AM


All times are GMT -5. The time now is 12:03 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration