LinuxQuestions.org


newbiesforever 09-02-2012 09:25 PM

Win 8 computers won't run Linux - true?
 
Warren Woodford (inventor of MEPIS) Twittered that new computers with a "certified for Windows 8" sticker probably won't run Linux. How right is he? My dad has been somewhat interested in switching to Linux for a long time (but has never put in the time or effort, aside from briefly trying out an Ubuntu liveCD). Should I warn him that if he buys another Windows computer off the shelf the next time his computer dies on him, he can forget about Linux?

abrinister 09-02-2012 09:29 PM

That's partially true. What M$ has said is that OEMs have the option to put the special UEFI thingy in the BIOS. IF they do, then

a) The boot loader needs to have a special signature (M$-provided, of course)

and

b) The OS that you're booting needs to be signed.

If the computer has this UEFI BIOS, nothing can boot without being signed. Basically, no Linux, BSD, or anything.

Fedora has made and bought signatures for $100 a pop to sign their software.

Alex Brinister

jschiwal 09-02-2012 09:32 PM

If it is an Intel based computer, he may be able to disable UEFI or a workaround may exist that will let you even build your own kernel.

The $100 in post #2 is what it costs Red Hat to get their key. SuSE has developed an extension to RH's solution allowing users and other distros to add their own keys to a private key ring.

abrinister 09-02-2012 09:39 PM

They did say something about it being optional on computers (excluding hand-helds). So the question is really: why even implement it?

Alex Brinister

John VV 09-02-2012 11:35 PM

dual booting might be a problem
wiping out Win8 and the MS mandated UEFI settings
then reinstalling all the firmware WITHOUT the need for the MS mandated hashes will still be possible

however an option for disabling the UEFI settings ??? SHOULD ??? be available for X86 ? maybe

However ARM cpu's ??? that is a whole new ball game
MS wants ALL ARM hardware sold with win8 to ONLY run win8
( win 9 - buy a NEW device)

basically
BUY a computer or hand held computing device -- WITHOUT a OS preinstalled

cascade9 09-03-2012 05:14 AM

Quote:

Originally Posted by abrinister (Post 4771036)
That's partially true. What M$ has said is that OEMs have the option to put the special UEFI thingy in the BIOS. IF they do, then

a) The boot loader needs to have a special signature (M$-provided, of course)

and

b) The OS that you're booting needs to be signed.

If the computer has this UEFI BIOS, nothing can boot without being signed. Basically, no Linux, BSD, or anything.

Microsoft has said that if hardware manufacturers want 'Microsoft Certification' (which basically means 'get the certified for windows 8' sticker) the system has to implement UEFI 'Secure Boot'.

If the hardware manufacturer provides a way to disable secure boot, that is allowable (on x86 hardware anyway, it's not with ARM devices). If there is a way to disable secure boot in the UEFI BIOS, the OS will NOT need to be signed to boot.

Quote:

Originally Posted by abrinister (Post 4771036)
Fedora has been attempting to make a deal with the devil and sell signatures for $100 a pop.

Come on.....

Quote:

Although Microsoft offers a signing portal, Red Hat's Matthew Garrett said the Fedora project had considered a number of alternatives, including creating a catch-all Linux key, but that paying Verisign a one-off $99 fee for a key was the easiest and most pragmatic solution.

Garrett said, "The $99 goes to Verisign, not Microsoft - once paid you can sign as many binaries as you want, but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions."
http://www.theinquirer.net/inquirer/...fi-secure-boot

Quote:

Originally Posted by jschiwal (Post 4771037)
If it is an Intel based computer, he may be able to disable UEFI or a workaround may exist that will let you even build your own kernel.

Should be possible on AMD (and even VIA) systems as well.

Not that it's necessary to disable UEFI (really, that would be 'change back to the old style BIOS'), just disabling secure boot is all that is needed.

*edit- and given the right situation, it should be possible to boot any OS even with secure boot enabled. How many manufacturers will allow users that much control over the systems they own is unknown now. As is how difficult it will be to hack if they don't allow it, and how good and easy to use the tools will be if they do allow it.

BTW, even if it is possible to change back to BIOS, that will stop installed Microsoft OSes from booting, as "After Windows has been installed on a UEFI platform, Windows can boot only on a UEFI platform." (quote from Microsoft's 'UEFIrequirements.docx', link is a PITA or else I would post it).

Quote:

Originally Posted by John VV (Post 4771085)
however an option for disabling the UEFI settings ??? SHOULD ??? be available for X86 ? maybe

Optional, up to the hardware manufacturer.

I'd predict that the cheaper the computer, and the more corporate the manufacturer, the less likely to have a way to disable secure boot.

Quote:

Originally Posted by John VV (Post 4771085)
basically
BUY a computer or hand held computing device -- WITHOUT a OS preinstalled

It's more likely that computers or devices sold without an OS will have the option to disable secure boot, but there is no guarantee that a no OS computer (or even motherboard if you buy in parts) will have a way to disable secure boot.

TobiSGD 09-03-2012 05:29 AM

Just to clarify some things:
1. UEFI and Secure Boot are not the same. You can have UEFI mainboards without Secure Boot.
2. If the machine is x86 and has the Windows 8 logo there must be options in the BIOS to
a) disable Secure Boot completely.
b) add your own custom keys, so that you can sign your own bootloader/kernel.
3. The bigger distros have already obtained keys, so even with Secure Boot enabled you will be able to install Ubuntu/Fedora/RHEL and I think openSUSE.

Quote:

Originally Posted by abrinister
The boot loader needs to have a special signature (M$-provided, of course)

You can use your own key to sign the bootloader.

Quote:

Originally Posted by abrinister
If the computer has this UEFI BIOS, nothing can boot without being signed. Basically, no Linux, BSD, or anything.

Fedora has been attempting to make a deal with the devil and sell signatures for $100 a pop.

Both statements are not true. UEFI is not preventing anything from installing. Only in the case you have a UEFI firmware that has Secure Boot implemented, activated and you don't have a signed bootloader you will not be able to install Linux.
Also, Fedora has not only tried to buy a key, they have done it (by the way, they bought it from Verisign, not Microsoft) and it costs them 99$ per version of the distribution. You have nothing to pay for it.

Quote:

Originally Posted by abrinister
Well, this guy did that.

And they did say something about it being optional even when enabled. So the question is really: why even implement it?

The link you gave us is for installing Windows 8 on a specific Intel board with UEFI enabled. It is not about UEFI in general and it is not about Secure Boot. Again, UEFI is not Secure Boot.

Quote:

Originally Posted by John_VV
however an option for disabling the UEFI settings ??? SHOULD ??? be available for X86 ? maybe

If the device has a Windows 8 logo it has to have options for disabling Secure Boot and adding custom keys. Otherwise they would not get the logo.

Quote:

BUY a computer or hand held computing device -- WITHOUT a OS preinstalled

True for handhelds (but really difficult to get handheld devices without OS), but not for x86 hardware. Even if it comes without OS you can buy hardware that will run only Windows 8. It sounds ironic, but the only way to make sure that you get x86 hardware that is not locked to Windows is to buy hardware with the Windows 8 logo.

cascade9 09-03-2012 05:43 AM

Quote:

Originally Posted by TobiSGD (Post 4771283)
2. If the machine is x86 and has the Windows 8 logo there must be options in the BIOS to
a) disable Secure Boot completely.
b) add your own custom keys, so that you can sign your own bootloader/kernel.

AFAIK, no. Microsoft hasn't stated that there _must_ be options to do either 'a' or 'b'.

Maybe I've missed something?

abrinister 09-03-2012 06:45 AM

Quote:

UEFI firmware that has Secure Boot implemented,

That's what I was trying to get at. I realize that UEFI is different from the Secure Boot thing. By my use of 'UEFI', I was implying Secure Boot (should have clarified). And I only realized that that link had nothing to do with the matter (it was not talking about an OEM install of Windows 8 anyway). Fixed.

Quote:

Also, Fedora has not only tried to buy a key, they have done it (by the way, they bought it from Verisign, not Microsoft) and it costs them 99$ per version of the distribution. You have nothing to pay for it.

Yeah, I was confused about that and misposted when I said that. That article cascade gave a link to cleared things up for me.

Quote:

BUY a computer or hand held computing device -- WITHOUT a OS preinstalled

Where would one get a hand-held without an OS?

Alex Brinister

TobiSGD 09-03-2012 06:55 AM

Quote:

Originally Posted by cascade9 (Post 4771292)
AFAIK, no. Microsoft hasn't stated that there _must_ be options to do either 'a' or 'b'.

Maybe I've missed something?

Yes, you have: http://msdn.microsoft.com/en-us/libr...dware/jj128256
Paragraph 18, disabling Secure Boot:
Quote:

Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems.

Paragraph 17, modifying the key database:
Quote:

Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.

The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults. On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.
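
A read-only check of the firmware state the requirements quoted above describe (added example, not part of the thread or of Microsoft's document): it reads the `SecureBoot` and `SetupMode` variables from efivarfs and reports whether the machine is enforcing signatures, has Secure Boot turned off, or is in Setup Mode after the PK was cleared. The function names and state labels are assumptions of this example; the GUID is the EFI global-variable GUID.

```shell
#!/bin/sh
# Added example: classify the Secure Boot state of a Linux system from efivarfs.
# GUID of the EFI global variables (SecureBoot, SetupMode, PK, ...).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is 4 bytes of attributes followed by the variable data,
# so the one-byte value of SecureBoot / SetupMode sits at offset 4.
efi_byte() {  # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
}

# Prints one of (labels are this example's own):
#   no-efivars  legacy BIOS boot, or efivarfs not mounted
#   setup-mode  PK cleared; keys can be enrolled, nothing is enforced
#   enforcing   Secure Boot on; images failing verification are refused
#   disabled    PK enrolled, but Secure Boot switched off in firmware setup
#   unknown     variables missing or unreadable
secure_boot_state() {  # $1 = efivars directory (default: the live system)
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo no-efivars; return 0; }
    sb=$(efi_byte "$dir" SecureBoot)
    sm=$(efi_byte "$dir" SetupMode)
    if [ "$sm" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enforcing
    elif [ "$sb" = 0 ] && [ "$sm" = 0 ]; then
        echo disabled
    else
        echo unknown
    fi
}

# Stand-alone use: report the state of this machine (or of a directory
# passed as the first argument).
secure_boot_state "$@"
```

On a machine reporting `enforcing`, an unsigned bootloader will not start until Secure Boot is disabled in firmware setup or a key that signs it is enrolled.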

jefro 09-03-2012 10:57 AM

Always a popular question.

I doubt the twitted issue is correct. I'd say the opposite. A Windows 8 certified computer will boot Linux. I might go so far as to say any x86 class will boot some Linux.

szboardstretcher 09-03-2012 11:02 AM

I believe the original poster is talking about Secure Boot. In that case, then Yes: Linux will continue to be able to run on new computers, just as Windows 8 will. However, it will take a little bit more tweaking at the hardware/bios level to get it to run.

allend 09-03-2012 11:13 AM

@TobiSGD - Thanks for the link and clarification.

Where this gets messy is:
Paragraph 2
Quote:

Mandatory. Secure Boot must ship enabled

Paragraph 11
Quote:

Mandatory. Verify Signature of all Boot Apps and Boot Loaders. Upon power-on, the platform shall start executing boot firmware and use public key cryptography as per algorithm policy to verify the signatures of all images in the boot sequence up-to and including the Windows Boot Manager.

Paragraph 14
Quote:

Mandatory. No in-line mechanism is provided whereby a user can bypass Secure Boot failures and boot anyway. Signature verification override during boot when Secure Boot is enabled is not allowed. A physically present user override is not permitted for UEFI images that fail signature verification during boot. If a user wants to boot an image that does not pass signature verification, they must explicitly disable Secure Boot on the target system.

Having to toggle a firmware setup setting to boot Windows8 or an unsigned Linux OS is a departure from the freedom and convenience that I currently enjoy with my multiboot setups.

TobiSGD 09-03-2012 12:10 PM

Quote:

Originally Posted by allend (Post 4771549)
Having to toggle a firmware setup setting to boot Windows8 or an unsigned Linux OS is a departure from the freedom and convenience that I currently enjoy with my multiboot setups.

You should take the emphasis on the first part of the quote:
Quote:

If a user wants to boot an image that does not pass signature verification

Just add your own key to the firmware and sign your bootloader with it.

linux999 09-03-2012 03:35 PM

If people only want Linux and no Windows they should get a System76 -- no need to worry about keys.


All times are GMT -5.