In a word: M$&etc trying to stop hacks at the 'bios'/boot level.
To put it horribly loosely: installing Linux on a PC which is 'protecting' its 'signed' OS.
DDGoo: uefi signed linux (instead of me posting a ton of links here)
"Secure Boot" has of course been discussed to death.
It is simply a mechanism that is designed to prevent discourage "a bored night-time operator, who is actually a clever industrial spy," from rebooting one of your servers using the DVD-ROM or memory-stick of his choice, in order to steal data or to do other mischief.
The mechanism can be turned off, but you have to do so, and that's the point.
Furthermore, Secure Boot can be used with Linux, and it very often is. It's not exclusive to any one operating system.
If you are running any sort of "server farm" that you own and run yourself, it is in fact a very good idea to use it for its intended purpose. It actually closes what would otherwise be a very big hole. In order to rely upon the software protection mechanisms afforded by your operating system, which of course you do, you must have reason to be confident that your operating system will be in control of the hardware at all times.
(You should also have locking physical enclosures, so that no one can take a hard-drive out. It has been done. And don't forget to do mandatory background-checks. Nasty people can look so very nice. Having a set of fingerprints is good, too. Believe it or not, office-supply stores can provide the service of collecting them – but not "running" them.)
Last edited by sundialsvcs; 10-26-2017 at 08:31 AM.
It is simply a mechanism that is designed to prevent discourage "a bored night-time operator, who is actually a clever industrial spy," from rebooting one of your servers using the DVD-ROM or memory-stick of his choice, in order to steal data or to do other mischief.
That may be some of the stated reasoning (or perhaps your reasoning/reconciling), but it's very far away from what most know and understand of UEFI/Secureboot. To me it seems exceptionally naive to consider Microsoft Corp's motives as anything less than continuing efforts to protect its Windows PC monopoly at all costs. Windows tried and failed to enter the smartphone market, so it's obvious that it's going to make certain it maintains its stranglehold over desktop/laptop PCs.
You can achieve your same stated ends by not installing an optical drive in your server or by locking it in a cabinet/server room. You can prevent reboots by proper access controls, you can also prevent access to the UEFI/BIOS by setting the admin password. You could also encrypt sensitive data, making it essentially useless to the person trying to boot an OS from a memory stick or optical disk. You have numerous belts and braces, what you don't need is a highly questionable system which only allows booting of a particular OS from a particular vendor masquerading as "security".
You also fail to note that Secureboot is mostly deployed on consumer desktops/laptops x86 devices running MS Windows, it's not really aimed at servers. It's quite simply, as others have stated in this thread in a roundabout fashion, a means to achieve "vendor lock in" and prevent the end user easily changing the OS. If I were to remove the hard disk from a disk running Windows 8/10 with secureboot enabled I can install it in another machine, mount the file system and proceed to "steal data" regardless. The intent of secureboot is clearly just to prevent a non-"certified" OS being installed on a Windows PC ("Windows logo certification" - aka MS' leverage over the OEMs).
You also fail to mention that some Linux distribution vendors were forced to support secureboot and use the MS signing key, in order to continue allowing installation of said distributions on secureboot enabled desktop/laptop PCs.
A bit of basic research makes it apparent that UEFI/Secureboot was devised by interested parties in the OEM x86 desktop/laptop market - namely: Intel, AMD, Dell, HP, Insyde Software (UEFI specialist), Lenovo, Microsoft, AMI and Phoenix. IBM and Hewlett Packard (Enterprise) were also involved before they got out of the desktop/laptop market, as are Apple - for obvious reasons.
Quote:
Originally Posted by sundialsvcs
The mechanism can be turned off, but you have to do so, and that's the point.
For now, on amd64, but not on ARM chips. In fact since Windows 10 was released, it's entirely up to OEMs as to whether they allow you to turn it off on amd64 ("Windows logo certification") - MS removed the requirement for them to provide the option once the initial hullabaloo/fallout from Windows 8 died down.
Quote:
Originally Posted by sundialsvcs
Furthermore, Secure Boot can be used with Linux, and it very often is. It's not exclusive to any one operating system.
And it allows dual booting I believe? Would the various Ubuntu live cds which have the Secureboot key not give our bored night-time operator access...?
Last edited by anisoptera; 10-27-2017 at 10:32 AM.
Microsoft does not have "a Windows® monopoly," in spite of what a US Federal judge once said about it.
You might be running Windows®, or you might be running Linux®, or you might be running something else, and nothing's going to cause you to "switch" from one to the other. Windows does not do what Linux does, and vice-versa. (And there are many more operating systems than just these "Big Two.")
If a machine supported Secure Boot such that it would not boot a non-Microsoft operating system, well, "you simply would not buy that particular box!" And, no hardware vendor would be in favor of that. They would be needlessly losing lots of sales.
In all cases, you might have legitimate need to prevent a night-operator from rebooting your machine into an OS of his or her (malicious?) choosing. And this is what Secure Boot can attempt to do.
The need for what Secure Boot does is not limited to any one operating system type. Secure Boot can be used to protect Windows, and(!) it can likewise be used to protect Linux. Although the cryptographic private-key material is necessarily secret, security keys have been issued to a variety of vendors.
The cryptographic underpinnings of the system can detect not only the identity of the OS, but the data integrity of it, as well. In other words, if a file such as a nucleus-image is tampered with, it won't boot anymore. Operating systems have had this level of protection for some time, but SB brings it to the boot process.
Household machines might be considered among those that might need it most. And in any case, it can be turned off. (But you just might want to leave it turned on.)
Last edited by sundialsvcs; 10-27-2017 at 11:21 AM.
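Added example, not part of any post in this thread: since the posts above turn on whether Secure Boot is on, off, or can be switched off, this sketch shows how a Linux system reports that state through efivarfs. The function names and the sample byte strings are constructed for illustration; the variable names, GUID and 4-byte attribute prefix are the standard UEFI/efivarfs ones.

```python
import struct
from pathlib import Path

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, payload).

    efivarfs prefixes each variable with a 4-byte little-endian
    attribute mask; the variable's own data follows it.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Classify firmware state from the raw SecureBoot and SetupMode files."""
    _, sb = parse_efivar(secure_boot)
    _, sm = parse_efivar(setup_mode)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot/SetupMode payload must be one byte")
    if sm[0] == 1:
        # No Platform Key enrolled: anyone at the firmware UI can enrol keys,
        # so boot images are not being verified.
        return "setup-mode"
    return "enforcing" if sb[0] == 1 else "disabled"


def read_live_state(root: Path = EFIVARS):
    """Return the state of this machine, or None on non-UEFI/unreadable systems."""
    try:
        sb = (root / f"SecureBoot-{EFI_GLOBAL_GUID}").read_bytes()
        sm = (root / f"SetupMode-{EFI_GLOBAL_GUID}").read_bytes()
    except (FileNotFoundError, PermissionError):
        return None
    return secure_boot_state(sb, sm)


if __name__ == "__main__":
    # Constructed sample: attributes 0x06 (boot-service + runtime access),
    # SecureBoot=1, SetupMode=0.
    print("sample :", secure_boot_state(b"\x06\x00\x00\x00\x01",
                                        b"\x06\x00\x00\x00\x00"))
    print("live   :", read_live_state())
```

Running this across a fleet and alerting on anything other than `enforcing` catches machines where the setting was switched off at the firmware menu.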
Can you not just format Windows then install Linux?
Can you not just update or change the secure boot firmware chip?
I mean people can already update and change the BIOS chip and router firmware.
It does not seem long before hackers and malware can go after secure boot making it pointless.
Microsoft does not have "a Windows® monopoly," in spite of what a US Federal judge once said about it.
Well it does actually, because it owns the trademark.
But aside from that it has its deal with the x86 OEMs. It has directx, office, the vast majority of commercial apps being built for it and more, it's the de facto standard and has been since the early 90s. I don't know what dimension it is that it doesn't have a monopoly... you're letting it off on a mere technicality...
Quote:
Originally Posted by sundialsvcs
If a machine supported Secure Boot such that it would not boot a non-Microsoft operating system, well, "you simply would not buy that particular box!" And, no hardware vendor would be in favor of that. They would be needlessly losing lots of sales.
That doesn't seem to have hurt android. People simply don't know and don't care and want what works and what they can run their apps on, plug their phone into, watch videos on and check their social media on - that's what drives the MS monopoly - it just snowballed and established itself. Secureboot is yet more insurance to make sure the monopoly persists. It's not so different to Android or Chromebooks.
Anyone that thinks Linux is a "choice" or a viable option for the average computer end user, is very much mistaken. Most people simply do not care, in the same way they don't care about what firmware runs their fridge. Linux is not and never was the alternative to MS Windows. The "Linux users" running android for the most part don't know or don't care that it's based on the Linux kernel. If it were based on the NetBSD kernel, it wouldn't matter either and the situation would be the same. There are SOHO devices, running Linux, sat-navs, e-readers, etc. And it's the same thing - the users don't know or don't care it's Linux. And in every case the desktop client software for such devices is MS Windows or macOS.
Well it does actually, because it owns the trademark.
But aside from that it has its deal with the x86 OEMs. It has directx, office, the vast majority of commercial apps being built for it and more, it's the de facto standard and has been since the early 90s. I don't know what dimension it is that it doesn't have a monopoly... you're letting it off on a mere technicality...
No, I will freely acknowledge that "Microsoft Corporation produces some really great stuff!"
"In spite of the ponderous stupidity of their Marketing Department," Microsoft has managed to continually produce and maintain a suite of products that, I think, has earned (more or less ... ...) their position as "de-facto standard." I have (almost ... ...) nothing but praise for their software managers and engineers.
All this being said, however, "Microsoft does not have 'a monopoly.'" Linux is out there doing just fine. IBM is out there doing "what IBM always does." There are many other more-specialized operating systems, also doing just fine.
The world of computing is much bigger(!) than just "the average [home ...] computer user," which is actually a rather-pitifully-small market in terms of revenue potential. All those millions of machines that are sold to consumers are probably worth about $35.00 apiece ... just once(!) ... to Microsoft Corporation. "Woo-hoo." (It's probably more expensive to try to "sell them an upgrade" than actual sales of those upgrades would ever recoup.) While of course this does represent a respectable amount of money, it is not a revenue stream that can be relied-upon again and again and again.
But, "the ability to reasonably-protect a computer system from being rebooted using an operating system other than the one that its owners intended" really is(!) a big deal, and very badly needed. Microsoft owns the secret-keys because somebody has to.
Last edited by sundialsvcs; 10-27-2017 at 04:21 PM.
So based on your reasoning, Linux cannot be installed because of secure boot, then case closed. That yell and scream and say what point talking about it just rant.