LinuxQuestions.org
Old 03-21-2015, 02:29 PM   #16
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373

Quote:
Originally Posted by smeezekitty View Post
The problem is that it removes the possibility for non highly computer-savvy people to try alt OSes. Not even a live cd.
Indeed. For those of us more in the know I'm sure there will be lists of hardware vendors or products where secure boot can be switched off or more keys added. As you note the problem here is there will be people who cannot choose to try Linux due to the restrictions.
There is hope though as both Canonical and Red Hat are able to sign their boot loaders, though a google tells me that Canonical's may be signed by the wrong key currently.
 
Old 03-21-2015, 02:30 PM   #17
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
Quote:
Originally Posted by Head_on_a_Stick View Post
Apart from Ubuntu, Fedora & OpenSUSE live CDs all of which will boot and install a working system with Secure Boot enabled...
Since I pushed this thread over a page after your post I'll quote it so others can see and thank you for the heads-up of what to try in my "secure boot" experiments when I get my secondary laptop fixed.
 
Old 03-21-2015, 06:06 PM   #18
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,339

Rep: Reputation: 231
And what if the next step is to disallow third party signers? Or charge an exorbitant fee to have it signed?
 
Old 03-22-2015, 07:02 AM   #19
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by smeezekitty View Post
And what if the next step is to disallow third party signers? Or charge an exorbitant fee to have it signed?
Won't happen. Microsoft's biggest fear is another anti-trust lawsuit. That is why they made it mandatory to have an option to disable it for Windows 8. Now that there are competitors that also have the possibility to use Secure Boot they don't have to care for that anymore. But third party signing is wanted by the industry and making signing expensive may open the possibility of another lawsuit.
 
Old 03-22-2015, 08:13 AM   #20
Pearlseattle
Member
 
Registered: Aug 2007
Location: Zurich, Switzerland
Distribution: Gentoo
Posts: 999

Original Poster
Rep: Reputation: 142
Quote:
It will be mandatory to ship with Secure Boot enabled. It will be optional to allow the user to turn it off.
@Dugan
Thx, now I understood

@TobiSGD
Quote:
If it makes changes to the bootloader or kernel then it shouldn't work with Secure Boot enabled.
So, how does it work? E.g. "Secure Boot" fires up only bootloaders (e.g. Grub, Windows bootloader, etc...) that have been appropriately signed and that one in turn loads only a kernel that has been signed as well appropriately?

Thx
 
Old 03-22-2015, 01:28 PM   #21
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by Pearlseattle View Post
So, how does it work? E.g. "Secure Boot" fires up only bootloaders (e.g. Grub, Windows bootloader, etc...) that have been appropriately signed and that one in turn loads only a kernel that has been signed as well appropriately?

Thx
Yes, that is how it works. From that point on the OS is responsible for security.
 
Old 03-22-2015, 02:13 PM   #22
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,339

Rep: Reputation: 231
Quote:
Originally Posted by TobiSGD View Post
Won't happen. Microsoft's biggest fear is another anti-trust lawsuit. That is why they made it mandatory to have an option to disable it for Windows 8. Now that there are competitors that also have the possibility to use Secure Boot they don't have to care for that anymore. But third party signing is wanted by the industry and making signing expensive may open the possibility of another lawsuit.
They have been taking away user freedom one step at a time. Don't underestimate what greedy corporations will do.
 
Old 03-22-2015, 03:26 PM   #23
Pearlseattle
Member
 
Registered: Aug 2007
Location: Zurich, Switzerland
Distribution: Gentoo
Posts: 999

Original Poster
Rep: Reputation: 142
Quote:
Originally Posted by TobiSGD View Post
Yes, that is how it works. From that point on the OS is responsible for security.
So, on:
  • Linux
    Do I have to sign the kernel every time I recompile it?
  • Windows
    If my father downloads "something" and keeps on clicking on "yes" even when it asks if the kernel or some drivers should be updated he still will end up with a virus/whatever, he will still end up having the system compromised, right?
Thank you
 
Old 03-23-2015, 06:44 AM   #24
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by Pearlseattle View Post
So, on:
  • Linux
    Do I have to sign the kernel every time I recompile it?
As I understand it, yes. Keep in mind that Secure Boot is not aimed at kernel developers, but at enterprise and the "common user". In those environments kernels don't change often.
Quote:
  • Windows
    If my father downloads "something" and keeps on clicking on "yes" even when it asks if the kernel or some drivers should be updated he still will end up with a virus/whatever, he will still end up having the system compromised, right?
Yes, the whole purpose of Secure Boot is to be able to have a trusted boot chain.
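
A toy model of the chain discussed in the posts above (firmware checks the bootloader, the bootloader checks the kernel, and a rebuilt kernel needs a new signature), added here as an example and not written by any poster in this thread. It uses detached OpenSSL signatures over constructed placeholder files; the key names `db` and `distro` and the file names are assumptions, and real firmware verifies signatures embedded in EFI binaries instead.

```shell
# Toy model of the Secure Boot chain using detached OpenSSL signatures.
# Assumption: real firmware checks signatures embedded in EFI binaries
# against enrolled keys; every file and key below is a constructed stand-in.
WORK=$(mktemp -d)

# Create a key pair: $1.key (private) and $1.pub (public).
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# Sign image $2 with key $1, writing a detached signature to $2.sig.
sign_image() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/$2.sig" "$WORK/$2"
}

# Succeeds only if $2.sig is a valid signature over $2 under key $1.
verify_image() {
    openssl dgst -sha256 -verify "$WORK/$1.pub" \
        -signature "$WORK/$2.sig" "$WORK/$2" >/dev/null 2>&1
}

# Firmware checks the bootloader, then the bootloader checks the kernel.
# Prints the outcome; returns 0 only if every stage verified.
boot_chain() {
    verify_image db bootloader || { echo "firmware refused bootloader"; return 1; }
    verify_image distro kernel || { echo "bootloader refused kernel"; return 1; }
    echo "booted"
}

# Build a signed bootloader and kernel from constructed placeholder bytes.
setup() {
    make_key db        # stands in for a key enrolled in the firmware
    make_key distro    # stands in for the key the bootloader trusts
    printf 'constructed bootloader image\n' > "$WORK/bootloader"
    printf 'constructed kernel build 1\n'   > "$WORK/kernel"
    sign_image db bootloader
    sign_image distro kernel
}

# "Recompiling" changes the kernel bytes; the old signature stays behind.
rebuild_kernel() { printf 'constructed kernel build 2\n' > "$WORK/kernel"; }

setup
boot_chain || true                            # booted
rebuild_kernel; boot_chain || true            # bootloader refused kernel
sign_image distro kernel; boot_chain || true  # booted
```
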
 
Old 03-23-2015, 12:32 PM   #25
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,339

Rep: Reputation: 231
Quote:
Yes, the whole purpose of Secure Boot is to be able to have a trusted boot chain.
But it doesn't help at all once the system is booted. What it DOES do is make it harder to install a more secure OS in the first place.
 
Old 03-23-2015, 01:27 PM   #26
linux4everybody
LQ Newbie
 
Registered: Mar 2015
Posts: 5

Rep: Reputation: Disabled
I feel this way and I don't care what others say, if I pay for the computer, I should install whatever I want. I always removed a pre-installed windows OS with linux. These vendors and OEMs think that windows is the only player in town. Not everybody likes to use windows as there are other operating systems out there. It would piss me off if secure boot is greyed out and I can't disable it.

Secure boot sucks, Microsoft sucks and OEMs that prevent us from disabling secure boot suck even more!!!!!!!!!!!!!!!

Last edited by linux4everybody; 03-23-2015 at 01:30 PM.
 
Old 03-23-2015, 01:41 PM   #27
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,339

Rep: Reputation: 231
Quote:
Secure boot sucks, Microsoft sucks and OEMs that prevent us from disabling secure boot suck even more
Yep. As a tinkerer, being able to boot whatever I want is very important.
 
Old 03-23-2015, 01:49 PM   #28
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by smeezekitty View Post
But it doesn't help at all once the system is booted. What it DOES do is make it harder to install a more secure OS in the first place.
Of course it doesn't help after the system is booted. That is not what it was designed for. The point is, your OS can be as secure as you want, it still can't be trusted without having a trusted boot chain. Secure Boot fixes this issue. And of course it does make it harder to install an OS that is not signed, this is also by design. What worth would a trusted boot chain have if you just could pop in a Knoppix or Puppy CD/USB to circumvent all that stuff?
 
Old 03-23-2015, 01:50 PM   #29
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by linux4everybody View Post
I feel this way and I don't care what others say, if I pay for the computer, I should install whatever I want. I always removed a pre-installed windows OS with linux. These vendors and OEMs think that windows is the only player in town. Not everybody likes to use windows as there are other operating systems out there. It would piss me off if secure boot is greyed out and I can't disable it.

Secure boot sucks, Microsoft sucks and OEMs that prevent us from disabling secure boot suck even more!!!!!!!!!!!!!!!
From a security point of view, Secure Boot does not suck. But anyways, it is as it always is in the corporate world: Vote with your money, if an OEM does not allow you to disable Secure Boot then just don't buy their products.
 
Old 03-23-2015, 02:08 PM   #30
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319
Quote:
Originally Posted by 273 View Post
Not when Windows 10 machines are released. Well, to be more precise, it is not guaranteed that it will be possible to create one's own keys on a Windows 10 machine as M$ are removing that requirement for vendors to be able to mark their equipment Windows compatible.
I am sure some vendors will continue to play fair but some may be paid by M$ to lock down secure boot and some may find it cheaper to do so.
So, this isn't "the sky is falling" but it is a slightly worrying move.
Yes, currently Ubuntu have got their own keys from MS to support Secure Boot, and Fedora uses the shim bootloader from Matthew Garrett, who got a key from MS.

What if Microsoft denies giving it or revokes an already given one? An anti-trust case may be waiting in the future.
 
  

