"Linux Developers Step Up to the Secure Boot Challenge"
 

Hi,

"Linux Developers Step Up to the Secure Boot Challenge" is a good attempt at solving the 'Secure Boot' issue for Gnu/Linux.

Sure it is early but people are working on a solution.

Another good article: Linux and Windows 8's Secure Boot: What We Know So Far


Other useful links in Links for Helpful Linux articles & books

Good to have tools for signing bootloaders, but I don't get what Tianocore is for. Anyone able to explain that to me?

Am I misunderstanding your qn?
https://www.pcworld.com/businesscent...challenge.html
See also http://sourceforge.net/apps/mediawik...?title=Welcome

OK, so now we have an open source implementation of UEFI, including Secure Boot. But what is it good for? Can I replace the UEFI on my motherboard with it? And how does having an open source implementation of Secure Boot change things for Linux? That is what I don't get.

It kinda seems to state that even if SecureBoot is enabled on a PC, they are working on developing a SecureBoot key for Linux systems to use SecureBoot without a workaround.

That's what I gathered...

But you don't need a workaround for Secure Boot. It works for Linux.

Well, we obviously do need computer systems whose "hardware software" layer is cryptographically protectable, for the same reason that we now understand the importance of cryptographically signed applications and operating-system components. The trick of it, though, is that such technologies must not be proprietary: owned by one company and known only to them, regardless of the reasoning (or the patents) given.

If you've ever seen a Linux system that was "root-kitted," you know firsthand that penetration of a system can be done very deep ... beneath, indeed, the operating-system layer upon which we routinely hang the hat of security. There's a genuine need for this kind of technology in modern computer systems. But, it can't be owned by Microsoft, by Apple, or by anyone else. And, it can't rely on secrets. To do any of these things would be to defeat its purpose. (But try telling an IP lawyer that!)

Member Response
 

Hi,

Software/Hardware protection is not new. Early OS provided protections to prevent both intentional and accidental changes. I do remember signing several different legal agreements for AIX and UNIX to allow tweaking of a OS by the end user. This was not taken lightly at the time.

I personally can understand Microsoft's position with 'secure boot'. Some look at it as locking out. I look at it as securing the system. You are not being forced to purchase the equipment & software. Buy something else! The argument that I purchased the equipment therefore it's mine to do as I wish doesn't wash. Purchasing a piece of hardware with a known control that prevents augmentation of software unless you make the changes through the certified vendor is just that: You purchased with known restrictions thus no way to change it without major hacks thus violating the original agreement. Create a brick and you have a large door stop.

Gary
It's not so often that I agree with you, and this time is no exception. :) It may be OK for Microsoft to dictate what I can do with their software, after all I've only bought a license to use it, and not bought it outright. But they should have no power to dictate or enforce what I use on my hardware. It might suit you to have limited choice, and say "buy something else", but some of us prefer to be less constrained. As far as most ARM devices go, it could very well become "locking out", if Microsoft get their way. Don't give them the thin end of the wedge. They couldn't care less about you, only profits.

What I see in discussions about Secure Boot and Microsoft is that most people that have a negative opinion about this have most of their knowledge from FUD spreading bloggers.
Some simple facts: Every x86 mainboard/PC that wants to get the Windows 8 logo has to have options in the firmware that allow the users to disable Secure Boot and, if they don't want to disable it, to add their own custom keys. It may sound ironical, but if you buy x86 hardware with Windows 8 logo you can be sure that any Linux distribution will run on it without major problems.
If you look at ARM hardware, most of the devices that you can buy now are already locked, without Microsoft being in the game. So why is it different if Microsoft does it also?

Yeah, maybe it's FUD. Maybe I'm being paranoid to mistrust Microsoft and anything they're keen on implementing. Maybe their boss never likened Linux to a cancer.
From:
http://technet.microsoft.com/library/hh824987.aspx
Who, besides Microsoft, decides what is unauthorized firmware and operating systems? Which operating systems and firmware are "unauthorized"?

Of course he did. In the 90's.

As I stated in my last post, the user does.
All those that you have not authorized. Just in the case you simply don't just disable Secure Boot and don't have to bother at all.

The user, me, already decides which operating system and firmware is installed on my computer. And I hope this will be the case in future, without interference of any kind. Especially interference from would-be monopolies with dubious business ethics. So what's new?

Linux has always had problems. Simple things that people take for granted now were show stoppers before. Take the WinModem problem. Dunno how many people only had dialup and didn't want to spend the money for a hardware modem.

This entire boot and bios deal will be solved one way or another. It is not an evil empire deal, just something linux users need to learn and use.

New is that you as the user can sign your OS to make sure that it is really your decision (and not the decision of a rootkit) what can run on your system.

Well, as long as that is all there is to it, OK. But this tiny paranoid streak in me suspects an hidden agenda.

It's really not a "hidden agenda," as long as the technology (a) actually works, as verified by peer-review; and (b) can be used by other operating systems.

We have a genuine business need, when constructing "trustworthy" computing environments, to be able to control the entire software environment, including the built-in (flash...) ROM software.

Given Microsoft's past behaviour one could make a case for a "hidden agenda".

1) back UEFI (done)
2) back SecureBoot (done)
3) make sure all UEFI BIOSes incorporate SecureBoot (done)
3) strike deal with ARM manufacturers so their SecureBoot BIOS only boots Windows (almost there)
4) strike deal with desktop OEM's so that their SecureBoot BIOS only boots Windows (pending)
5) strike deal with desktop motherboard manufacturers so that their SecureBoot BIOS only boots Windows (pending)
6) strike deal with server OEM's so that their SecureBoot BIOS only boots Windows (pending)
7) strike deal with desktop motherboard manufacturers so that their SecureBoot BIOS only boots Windows (pending)
8) 99.9% of all "PC" and related servers now only boot Microsoft products.

Have they considered it? Probably.
Is it practical? No.
Could it be practical as far as step 4? Yes, possibly even step 5.

It starts to break down on the server market. Then there would be the inevitible legal hurdles such a strategy would entail and the costs involved. Another very practical obstacle to trying to implement such a plan beyond the OEM desktop.

NyteOwl, your step 7 is redundent. If it ever gets as bad as all new desktop motherboards being pre-locked to Windows, then vendors like System76 are going to have a lot more customers. I know that we Linux/BSD/other OS users only make up a small percentage of the desktop market, but there are enough of us around to where such a thing will not be possible.

Also, since most web servers run something other than Windows, I really can't see any server motherboard manufacturers implementing the secure boot crap. In my opinion, the SecureBoot/RestrictedBoot crap really isn't necessary to begin with. It's just another way for MS to make money without actually making a product.

Also, NyteOwl, there is a bit of practical reality here. If "99.9% of all servers now must boot Microsoft products," then a very significant percentage of those servers have just become ... unmarketable!

Linux, BSD, and several other "non-Microsoft" operating systems are, and always will remain, "legitimate and necessary operating systems" that there is, and always will be, a fundamental requirement to be able to run. And, to run with "secure boot" capability. (In other words, "if I have a legitimate business need for secure boot ... and I do ... then I have that need, regardless of which particular operating system I am talking about.

Walk into any server-farm on the planet, and it is extremely likely that you are looking at machines, side-by-side with one another, who are running many different operating systems (and versions thereof). The need to be able to guarantee that a bored (or clandestine) computer operator cannot hijack a system by rebooting it from an unauthorized DVD-ROM at 2:30 in the morning is a very legitimate business concern which actually has nothing at all to do with "Microsoft" or "Windows."

There are laws coming down, in all sorts of businesses including but not limited to health-care, that say that you must be able to guarantee this. And time is running out to prove compliance.

Fedora Linux Moves Forward with UEFI Secure Boot Plans
 

Hi,

Fedora Linux Moves Forward with UEFI Secure Boot Plans announcement article with some helpful information.

Member Response
 

Hi,

brianL, too much misinformation by the commentators to the article. Both articles are helpful and do reveal the on-coming issues for some hardware vendors that stick/set the secure boot. Most still provide the means for a BIOS compatibility but when will that no longer be available?

People do not understand that 'UEFI' & 'Secure Boot' are different animals. 'UEFI' is a protocol that does provide the provision for 'Secure Boot' protocol for hardware.

UEFI Today: Bootstrapping the Continuum is a good paper with useful information. Be sure to download and read: UEFI and the OEM and IHV Community

I'm still not convinced. I still regard Secure Boot as a potential threat, interfering with peoples' rights to install whatever operating-systems/distros/software on whatever hardware they want.

If you don't like it, disable it. Simple as that.

Yeah, but are you sure you will be able to do that on all hardware? Or will you possibly be limited in choice?

Yes. All you have to do is to buy a motherboard/PC with the Windows 8 logo, then you must be able to do that. Otherwise they wouldn't have the logo.

Windows 8 logo? Why not some new logo, independent of any individual company? You might be willing to trust Microsoft, but I wouldn't. It could all end up as restrictive as their EULAs.

Because nobody would care for such a logo. Microsoft is the biggest fish in the pool, so the hardware manufacturers will use their logo.

The requirements for the Windows 8 logo for x86 hardware clearly state that it must be possible to deactivate Secure Boot and to add your own keys if you don't want to disable it.
It may sound ironical and somewhat odd for a Linux user, but buying Windows 8 hardware is in this case the only way to go to make sure that Secure Boot actually will not prevent you from installing the OS of your choice.

Yeah. Great White shark. :) Do you really want to swim with them?
Not to mention downright suspicious, and against GNU/Linux principles.

Do I want to? No. Do I have a choice? Also no.
So I have to make the best out of it and that works only if I go and study the great white shark and its rules. You can be sure that they don't make this rules for the benefit of Linux. They make it because of two simple things:
1. Don't mess with antitrust laws, especially in the EU.
2. Many of there larger customers have the option to downgrade their licenses. If they need more licenses they will buy Windows 8 licenses in the future, but have the right to use Windows 7 instead. Now try to install Windows 7 on hardware where you can't disable Secure Boot.

I can't see where it is against GNU/Linux principles to buy hardware that has a logo on it that indicates that you can be sure that you are able to install GNU/Linux on it. It doesn't matter if this logo comes from Microsoft or a different third party. What would be the difference if a logo with the same requirements would come from the FSF?

Another thing:
Secure Boot is meant to make a system more secure, but it can be easily disabled. Waste of time, isn't it?

Not really. If I have physical access to your machine then no machine is secure, I can just rip out your harddisk and steal your data (assuming that it is not encrypted). But you can't disable Secure Boot from a running OS, which will prevent that malicious software can link itself into the boot process (root kits or similar). Also, in corporate environments you can be pretty sure that there will be a BIOS (UEFI) password that prevents you from simply disabling it.

Anyway, this debating is speculative. We'll have to wait and see. I'll remain sceptical, but admit I was wrong if everything works out OK.

OK. Will it allow dual boot? I think it will
kill linux, not because of FUD, but because
it makes it a little bit harder.

Easier is what we need. Not harder. Bye Bye.

Member Response
 

Hi,
Yes, for informed users that do not fall for 'FUD'. Secure boot will not kill Linux.

How is it harder? User doesn't wish to read information to allow the choice of proper hardware & configuration. We call that laziness!

I think I must be missing something.

I have been confused throughout this whole Secure Boot debate about why those who don't like it can't simply purchase one of these or something similar, instead of going down to their local Costco/RadioShack/OfficeMax/etc. and purchasing a computer there. Open source hardware seems to be the logical choice if one is hoping to run open source software, to me at least.

It's a mistake to present Secure Boot technology as "an obstacle" which has been tossed into the way of The Freedom Lovers by the Evil Empire.

Secure Boot is an attempt to thwart root-kits. It is therefore of equal importance to Linux and to Windows, and for precisely the same reasons. Yes, it relies heavily upon the integrity of cryptographic root-keys, as do all other systems of their kind.

Obviously, Microsoft can't control what kind of operating-system a particular computer might need to run. Businesses (including Microsoft itself) "need to run" Linux, "too." The only thing that they wish to enforce is the prerogatives of the system owner to only permit known operating systems to be booted on the device.

The problem here is literally the industrial spy or assailant or god-knows-what who, in the guise of a young kid, who hires on for the job that nobody wants: third-shift sysop. He's got a USB stick in his pocket and he knows how to use it ... shutting down a Windows server, booting up a Knoppix linux on the same hardware, and surfing the computer's hard drive at his leisure because the security and the vigilance normally provided by the "intended" host operating-system (it could be "another Linux," after all ...) no longer exists. He siphons away the information, unplugs the USB stick, hits the reset button and in a few moments there is no obvious evidence of his crime.

This happens to be an extremely significant attack-vector, very plausible and real, which must be guarded against. Secure Boot is an important step in that direction, and both Windows and Linux (and every other potential "legitimate guest") must support it securely.

(Let me put it this way: "This vector is as devastating as a root-kit ... of course it is an excellent way to install a root-kit ... and it is potentially undetectable." In a world in which computer systems are profoundly trusted with matters directly pertaining to "human health and safety," this is unacceptable and dangerous.)

This is an absolutely brilliant post - the most convincing and well-researched argument in favor of Secure Boot that I have seen thus far.

Moderator Response
 

@Yukon

Please do not form attacks or form posts with the intent of baiting to start a flame war. Be respectful with your post.

You are violating the LQ Rules;In the future, please re-read your composed post before submitting. One thing to have firm believe(s) but you should have consideration & respect for fellow LQ members thus forming a considerate, constructive post.

You should consider researching 'EFI', 'UEFI' and 'secure boot' since it seems you are not informed on the subject at hand as related to the Gnu/Linux community. Nobody has stated that Gnu/Linux will die because of 'secure boot', except for the uninformed and people who rely on 'FUD' thus not knowing what to do and how..

Please remove the masked vulgarity in your post. If you don't edit the post satisfactorily, I will remove the post entirely. Not censoring either, this is a moderated forum and you agreed to abide by LQ Rules.

Now this statement is all too true and the worst part of the whole thing. They are bad laws and ill conceived too.

Why is there such faith in rules and laws? Do you not think the " kid with USB" will have a bootable signed system? Or that the malfeasance will be authorized? Or that the amateur will simply remove the drive, clone it and return it, just as a forensic expert would do? I'm not saying that it isn't sensible to take security precautions, but this sort of thing isn't really addressing the problem.

I have been studying for about 3 to 4 weeks on anything I could find on this UEFI and I'm just glad that men are working on this.
One of the company's that design these UEFI System Partiions is Insyde
http://www.insydesw.com/

I found these articles of intrest as well.
http://www.zdnet.com/blog/open-sourc...d-fedora/11187
http://www.extremetech.com/computing...os-replacement

The Linux Foundation had some say about this as well and made a PDF
http://www.linuxfoundation.org/publi...open-platforms

I look at this UEFI and Secure Boot issue as a challange not evil. But I do see where some individuals can find it a wee bit negative and the act of manufacturing for pure profit. It's even possible that this may be some type of 'control' used for the future.

However; every man must support himself and his family but it is what he is practicing/making/manufacturing that is what deems this practice good or bad-

My previous post was primarily to illustrate how such a "conspiracy" might be orchestrated not that I necessarily thought there was one. Though I have no doubt that Microsoft hopes this will discourage people from using something other than Windows.

Secure Boot, like TPM before it, is a piece of technology designed to help solve a specific set of problems.Yes, like all technology it can be misused but properly used has some significant benefits. TPM didn't hurt Linux and this isn't liekly too either.

And if all the hand wringing and wailing would stop for a minute and people think, than all that might really be needed is a reputable Linux entity (the Linux Foundation or OSI for example) to step up an offer a secure key service to distribution authors, that don't want to use a self-signed key, and say OEM's. Then Linux wold have its own "certified" keys rather than relying on Microsoft's.

There are numerous options but it's mostly a tempest in a teapot (though I think the MS deal with ARM based OEM's is a bit over the top).

I don't think that it is realistic for Microsoft to "discourage people" in this way ... the notion just isn't credible. No one with Linux installations in-place is going to "convert" those systems to the entirely non-equivalent Windows OS. This is technically inconceivable.

But, yes, there can't just be one cryptographic root-key, owned by a particular software vendor. You do want to minimize the number of authorized-issuers in any such system, obviously.

The Achilles Heel that I perceive in this system as-designed right now is that you need to be able to lock a system to a particular OS-build ... a company needs to say, "Windows Version 1.2.3 As Customized By Us on August 22nd," and none other, may be installed on our machines. All without creating hideous complications for their infrastructure teams. I'm not sure how well this architecture is going to play out in practice, nor how widespread it will actually become. In a year or two, we'll all know.

UEFI worry
 

I must say I enjoy all the feedback I got from
my initial posting of worry, and agree with much of
it, but until someone comes up with an open solution,
I retain my view. Over the long haul, and because
of MS cunning, Linux will become even more
of a specialist thing. NOT Good.

Thanks to the person that mentioned the effort at

http://www.insydesw.com/

which I will check out now. Happy trails!

BTW, very good point about the Achilles heel
mentioned below. *Windows* people are
going to be unhappy about upgrading
all the time, also.

-jae

It is all about control, who control who through what. It is their brand new control toy for sure, don't be naive, even if they say, "oh you can disable it", that is just a ground been prepared for later on. Every coin has 3 sides, and people normally don't pay attention to the 3rd side. Threats aren't to be detect, until is too late. Fences are been built around, you can see through it but if you jump over it well...
Then the fences get electricity, barbwire, you name it. At the end you will be locked, in or out, still locked.

"Lets control the computers, the internet, so the people will be controlled too." That is their(governments, corporations) plan, if you can't see it, you have been controlled already.

Regards

If Microsoft wants UEFI then so be it. There will be countless ways to bypass this, since security is not a strong point of this company. And how can one pretend UEFI is for security reasons anyway? They simply try to lower the piracy rate of their systems which is a total failure.

Furthermore, no one should be able to decide what's best for you. You pay for a PC and you should be able to do whatever you want with it, that includes installing a malware filled system. You do it at your own risk.

Once again, UEFI is not the same as Secure Boot. Also, Secure Boot can not be used to prevent piracy, since the copied bootloader is still signed. By the way, it is their good right to prevent people from circumventing their license. If you don't agree with that license than don't use it, in the same way you are not allowed to circumvent any other license,like the GPL.

Besides that is it a non-sense argument that it is your right to install a malware filled system. Don't get me wrong, if you want you can do that, but then disconnect that machine from the net, so that it doesn't fill our mail accounts with spam or is used to attack our servers.

Member Response
 

Hi,
Hopefully you have read information on 'UEFI' if not then please consider 'Unified Extensible Firmware Interface (UEFI)';You could go to: http://www.uefi.org/home/ for more help & information.

There is too much 'FUD';

I'm not trying to spread FUD or anything. I'm not an expert on the subject but according to Wikipedia:

So from what I understand so far BIOS is too primitive to have a feature like secure boot implemented so they needed a replacement.