LinuxQuestions.org


AlleyTrotter 10-11-2012 03:24 PM

Does anyone understand Secure Boot?
 
Just tried to read and understand this article.
http://www.linuxfoundation.org/news-...em-open-source

What I am understanding from all this is 2 or 3 years from now my bank sends me a letter saying all online access must be through secure boot. No problem, I have the pre-boot-loader from the Linux Foundation, signed by Microsoft, installed on my Slackware-69.9 system. 6 months later MS decides too many people using Linux are subverting the Linux Foundation signing key and puts it on the blacklist.
Now I'm SOL. I can't cash my check, pay my bills, transfer money etc. from my home computer.
Someone please tell me I'm misinterpreting this.
thanks
john

TobiSGD 10-11-2012 04:12 PM

1. Your bank can't determine if you use Secure Boot or not, it is simply a way to prevent rootkits and other similar malware.
2. Microsoft has no blacklist to prevent your system from booting. According to Microsoft's guidelines it is not allowed to implement Secure Boot in a way that keys can be altered from software on a running system, otherwise the system will not get the Windows 8 logo. It is also mandatory to implement a function that lets the user add his own custom keys to the firmware, so you won't have to rely on third-party keys.

AlleyTrotter 10-12-2012 06:59 AM

Quote:

Originally Posted by TobiSGD (Post 4803365)
1. Your bank can't determine if you use Secure Boot or not...
2. Microsoft has no blacklist ....

Quote:

Originally Posted by From the comments section
Posted Oct 11, 2012 15:29 UTC (Thu) by mjg59 (subscriber, #23239)
The shim design effectively has three databases to validate against:

1) The UEFI spec database (db) - this is checked in order to conform to the spec
2) The MOK database - this is checked in order to allow users to modify their trusted keys without having to use firmware-specific UI
3) A built in database - this is baked in at build time.
...
but means that an overly lax security policy could result in blacklisting by Microsoft. We'll see if anyone decides to make that happen.

TobiSGD
Great news if you are correct, but the above comment from 'mjg59', who claims to have written most of the code, says differently about 'blacklisting'. I guess I am just paranoid when it comes to MS and their tactics in the past.
[EDIT] the comment was from LWN.net[/EDIT]
[EDIT] the comments link https://lwn.net/Articles/519244/ -- 15 from the top[/EDIT]
thanks
john

TobiSGD 10-12-2012 08:18 AM

Might you share the link?

AlleyTrotter 10-12-2012 09:49 AM

Quote:

Originally Posted by TobiSGD (Post 4803870)
Might you share the link?

see my edit above
john

TobiSGD 10-12-2012 10:13 AM

Thanks.

tronayne 10-12-2012 10:45 AM

Perhaps of interest: http://www.infoworld.com/d/open-sour...karound-204699

dugan 10-12-2012 11:49 AM

Will secure boot still allow you to run /sbin/lilo whenever you want to, or will Slackware need a new boot loader?

AlleyTrotter 10-12-2012 12:09 PM

Quote:

Originally Posted by tronayne (Post 4804011)

Thanks for the pointer to the article, I am reading all of them that I can find. I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?

dugan: As I read/understand it, if secure boot is enabled by default you must have a key to do anything with your hardware. Remember that the fallback (disabling secure boot) is not guaranteed to be available by the UEFI definition/implementation.

I really hope and wish I am wrong about this.
john

TobiSGD 10-12-2012 12:28 PM

Quote:

Originally Posted by AlleyTrotter (Post 4804079)
I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?

Well, just disable it. Or add your own custom keys. If you don't trust Microsoft you shouldn't be using their software, and without using their software, how should they blacklist your keys?

Martinus2u 10-12-2012 02:19 PM

Quote:

Originally Posted by AlleyTrotter (Post 4804079)
I really hope and wish I am wrong about this.

me too, sigh. It is clear to me that all the reasons put forward are fake, and the strategic impetus behind UEFI and Safeboot was to control which OS is allowed to be installed on any purchasable hardware (i.e. Windows).

Since then MS had to soften a bit, and the whole affair wouldn't be so bad if UEFI was actually better than the BIOS crap we had to live with for decades. But behold: the full truth is revealed in a very entertaining talk given by Matthew Garrett, titled "UEFI and Linux: the future is here, and it's awful".

https://www.youtube.com/watch?v=V2aq5M3Q76U

AlleyTrotter 10-12-2012 02:25 PM

Finally the words I was looking for.
 
Quote:

http://mjg59.dreamwidth.org/18149.html
As I've mentioned before, our goal is to make it as easy as possible for distributions to implement whatever level of Secure Boot policy they want without having to engage with Microsoft themselves.
I can use the advantages of secure boot (UEFI) without bowing to corporate America, i.e. Microsoft. This is what I was wanting to hear, that someone with the knowledge of UEFI is bringing it back to its original intention of securely booting my hardware without needing to pay another corporate tax.
Thank you Matthew Garrett
I am forever in your debt
John
[EDIT] Tobi, I would not be using MS software, only the Linux Foundation boot loader, and it could still be blacklisted, but after reading the above-mentioned article I can see others feel like I do.[/EDIT]

TobiSGD 10-12-2012 02:53 PM

Quote:

Originally Posted by AlleyTrotter (Post 4804198)
I would not be using MS software, only the Linux Foundation boot loader, and it could still be blacklisted

How should that be possible? The UEFI firmware does not connect to a blacklist server and without Microsoft software installed to add the key to the blacklist in the firmware how should it appear on that list?

AlleyTrotter 10-12-2012 03:16 PM

Quote:

Originally Posted by TobiSGD (Post 4804222)
How should that be possible? The UEFI firmware does not connect to a blacklist server and without Microsoft software installed to add the key to the blacklist in the firmware how should it appear on that list?

The person writing the software (Matthew Garrett) seems to think it's possible.
It is no longer a concern to me since it now appears there is a way around the MS issued key being needed to boot my system in secure mode.
john

brianL 10-12-2012 05:55 PM

More from Matthew Garrett:
http://news.ycombinator.com/item?id=4643820
Quote:

Doing Secure Boot properly is hard. You need to secure a whole range of components at the code level, you need to keep signing keys secure and you need to figure out what your policy is for handling key compromise or revocation. I've been working on this almost full time for a year now, and it's completely unreasonable to expect small distributions to keep up with all of this. Fedora can afford to develop and maintain the entire stack, but Mint? Arch? Slackware? I don't run any of these, but I think diversity is important and it'd be a disaster if all of these more niche distributions vanished simply because users aren't able to install them any more.

s3phir0th115 10-12-2012 06:14 PM

I'm not really understanding the concern, at least on PC architecture systems... It's mandatory to allow disabling secure boot in order to receive certification, so how is this a threat to Linux?

JaseP 10-12-2012 06:58 PM

Quote:

Originally Posted by AlleyTrotter (Post 4804079)
... I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?

...

john

While, on one hand, I do not trust MS,... "Bricking" other OSes, by revoking keys from Linux Distros would be a really good way to find themselves back in Court as a defendant in another anti-trust action,... again.

I look at them lording over this as a way for them to reinvent themselves as a service company, rather than a software company ...

Woodsman 10-12-2012 08:16 PM

Unless I'm missing something, this is a contractual issue and not a technical issue.

Seems to me the entire debate is that the Microsoft folks won't certify a Windows 8 computer unless that system uses UEFI and a Microsoft platform key in the secure boot process. Final result: a nice little sticker on the computer. No certification, no nice little sticker.

The same computer model can be sold without Windows 8 certification. No hardware vendor is required to certify all systems as such. Hardware vendors also are not required to use UEFI. They can use the older BIOS --- unless they want that nice little sticker.

Computers not certified for Windows 8 do not have to have secure boot enabled and do not have to have UEFI installed.

The terms of a Windows 8 licensing contract might require vendors to sell only certified systems, but that is a contractual issue, not technical. If the folks at large hardware companies such as Dell can't negotiate contracts to allow them to sell their hardware as they please, then that is their tough luck. Folks managing hardware companies that are not codependent upon Microsoft/Windows 8 likely will see an increase in sales as people not needing Windows 8 certification buy their products.

Stand-alone motherboards sold through retailers do not need and are unlikely to be sold with secure boot protected with a Microsoft Windows 8 platform key. People who build their own systems won't be affected.

UEFI does not require secure boot to be enabled, but only supports the capability. A UEFI computer not certified to run Windows 8 and with secure boot not enabled should be able to run any Linux based system.

People who want to dual boot using a preinstalled Windows 8 certified computer might feel up the creek without a paddle, but otherwise I'm not seeing a problem. Just don't buy a Windows 8 certified computer. Don't buy a computer that has secure boot enabled with a platform key owned by people not supporting Linux based systems.

TobiSGD 10-12-2012 09:07 PM

Quote:

Originally Posted by Woodsman (Post 4804375)
Computers not certified for Windows 8 do not have to have secure boot enabled and do not have to have UEFI installed.

But they can have UEFI firmware with Secure Boot enabled and without the option to disable it. It is mandatory to have a disable option to get the certificate.

Quote:

Stand-alone motherboards sold through retailers do not need and are unlikely to be sold with secure boot protected with a Microsoft Windows 8 platform key. People who build their own systems won't be affected.
You can be pretty sure that many mainboards will come with UEFI and Secure Boot. Many smaller and mid-size OEMs are not using custom-built mainboards, but mainstream hardware and they want to have the option to sell Windows 8 certified hardware. The mainboard manufacturers will also want to sell certified hardware.

Quote:

Just don't buy a Windows 8 certified computer.
In my eyes, misleading advice. Again, mainboards/computers without the certificate can have UEFI with Secure Boot enabled without the option to disable it. This option is mandatory on hardware with certificate.

Woodsman 10-12-2012 09:27 PM

Quote:

In my eyes, misleading advice. Again, mainboards/computers without the certificate can have UEFI with Secure Boot enabled without the option to disable it. This option is mandatory on hardware with certificate.
Okay, when buying a motherboard from Amazon or Newegg, buy one that is not Windows 8 certified. If a motherboard has UEFI and has secure boot enabled but is not Windows 8 certified, then whose key is active? A Windows 8 certification answers the question, but a motherboard without that certification? I don't see how such a board would have secure boot enabled. By whom?

s3phir0th115 10-12-2012 10:22 PM

Hmm, ok, well that being the case, how could they market a board like that? Something like that would probably get the crappiest ratings imaginable. (People buying motherboards are usually geeks anyway.)

I don't see a business incentive to force secure boot without the ability to disable.

Martinus2u 10-13-2012 02:54 AM

Quote:

Originally Posted by TobiSGD (Post 4804391)
It is mandatory to have a disable option to get the certificate.

Are you sure about that? It would go against MS's commercial interest.

If I had to make a viable plan for world domination it would look like this:

(a) make Windows start only on UEFI/SB systems
(b) stipulate in the UEFI/SB specification that there must not be an option to disable SB
(c) enforce the UEFI/SB specification through legal measures

The result: you won't be able to buy hardware able to run anything other than Windows.

H_TeXMeX_H 10-13-2012 03:23 AM

As long as secure boot can be turned off, distro diversity will be maintained. I think it's clearly an attempt by M$ to kill Linux.

kikinovak 10-13-2012 04:01 AM

Quote:

Originally Posted by TobiSGD (Post 4804093)
if you don't trust Microsoft you shouldn't be using their software

This has been my policy for the last eleven years. Do not (ever) trust Microsoft. And do not (ever) use their software. Over the past years, this company has done repeatedly about all that can be done to earn my mistrust.

TobiSGD 10-13-2012 05:42 AM

Quote:

Originally Posted by Woodsman (Post 4804399)
Okay, when buying a motherboard from Amazon or Newegg, buy one that is not Windows 8 certified. If a motherboard has UEFI and has secure boot enabled but is not Windows 8 certified, then whose key is active? A Windows 8 certification answers the question, but a motherboard without that certification? I don't see how such a board would have secure boot enabled. By whom?

Having the key in the firmware and having the certificate is not in any way related. You can be sure that Microsoft will not be angry if there are mainboards that effectively lock out other OSes. They would prefer if any mainboard would do that, but for legal reasons they can't do that. You know, anti-trust and such things. They will not hesitate to give manufacturers the key, even if they don't go for the certificate.
But if you buy a mainboard/PC with certificate you can be sure that there will be options to disable Secure Boot and to manage keys, which means you can delete Microsoft's keys and you can add your own custom keys.

Quote:

Originally Posted by s3phir0th115
Hmm, ok, well that being the case, how could they market a board like that? Something like that would probably get the crappiest ratings imaginable. (People buying motherboards are usually geeks anyway.)

Most mainboards are not bought by private persons, they are bought by small and midrange OEMs. These OEMs don't use custom mainboards, they use mainstream mainboards. You can also be sure that a mainboard without certificate will be at least a little bit cheaper than those with certificate. Since most OEMs sell their systems with Windows pre-installed anyway, they couldn't care less about those options.

Quote:

Are you sure about that? It would go against MS's commercial interest.
Yes I am sure. No offense meant, but I wonder why people don't actually read what Microsoft's requirements are: http://msdn.microsoft.com/en-us/libr...dware/jj128256
Relevant for this topic are points 17 (key management) and 18 (disabling Secure Boot) in the paragraph System.Fundamentals.Firmware.UEFISecureBoot.
Here is the relevant excerpt from paragraph 18:
Quote:

Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.
That is the reason why I always recommend buying mainboards with the certificate, so you can be sure that you have options to manage keys and disable Secure Boot, options that don't have to be implemented on mainboards without the certificate.
Quote:

If I had to make a viable plan for world domination it would look like this:

(a) make Windows start only on UEFI/SB systems
(b) stipulate in the UEFI/SB specification that there must not be an option to disable SB
(c) enforce the UEFI/SB specification through legal measures

The result: you won't be able to buy hardware able to run anything other than Windows.
Microsoft would be sued to hell in the EU and I think even in the US of A they would see another anti-trust lawsuit.

H_TeXMeX_H 10-13-2012 06:01 AM

Quote:

Originally Posted by TobiSGD (Post 4804568)
Microsoft would be sued to hell in the EU and I think even in the US of A they would see another anti-trust lawsuit.

In the EU, yes. In the US, maybe, but M$ will win.

AlleyTrotter 10-13-2012 06:26 AM

wrong again, John
 
meaning me.
I would [unsolve] this post if there were a method.
First and foremost: I still believe that businesses will develop a method to poll your computer that all financial transactions have secure boot enabled and operating. If they don't develop said method, some 'hot shot class action lawyer' or 'insurance provider' will declare that this business method does not do all it can to protect its users' financial transactions. Liability and blacklist enabled.
Secondly, further reading in the comments section by mjg59: he states his shim is signed by MS. Unlike Tobi I believe any key issued by anyone can also be revoked by that entity.

To quote George Ure "Everything is a business plan"
So I am still undecided, do I build my next system with a UEFI BIOS with secure boot or not? I have not had an MS system in my home since about 1998 (Win95). I do run a KVM (WinXP VM) to access my wife's bank, which polls the OS and sends you to a "We are having problems, please try again later" page if it does not get the expected answer. I have tried browser spoofing. It doesn't work at this bank. Will your bride change her favorite bank where her friend works for you?
To quote President Obama "this is above my pay grade"
Apparently I will need to do much more RTFM'ing
Thanks to everyone for their opinion.
Also hope to hear more advice.
John

TobiSGD 10-13-2012 06:59 AM

Quote:

Originally Posted by AlleyTrotter (Post 4804594)
Unlike Tobi I believe any key issued by anyone can also be revoked by that entity.

From the link to LWN you gave in a previous post:
Quote:

The only way to modify the EFI key databases programmatically is to have access to the private half of one of the keys in the KEK database, which then allows you to produce signed updates to DB (the key and hash whitelist) and DBX (the corresponding blacklist). The only people who will typically have that are Microsoft and, perhaps, the motherboard vendor. If you want to modify those databases without having access to a key then you need to go through the firmware interface.
So if you don't use Microsoft software (which means you don't have the needed private key) or software provided by the board's manufacturer (which is pretty unusual on Linux, since they only provide Windows software) they can't revoke your keys.
But even if they do: If you have a Windows certified mainboard just disable Secure Boot or add your own keys.
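
Added example, not from anyone in this thread: a small Python model of what the quoted LWN comment and mjg59's earlier description of shim's three databases mean in practice. It parses the EFI_SIGNATURE_LIST layout that db and dbx are stored in (only the SHA-256 hash entry type is evaluated, so it stays within the standard library; X.509 lists are returned under their own GUID but not verified) and applies shim's check order: a dbx hit rejects first, then db, the MOK list and the built-in list are consulted. The function names and the sample images are assumptions/constructed data.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID, the SignatureType GUID of hash entries in db/dbx (UEFI spec)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = 28   # SignatureType GUID + ListSize, HeaderSize, SignatureSize (UINT32 each)
OWNER_LEN = 16     # EFI_SIGNATURE_DATA.SignatureOwner GUID that precedes each entry

def image_hash(image):
    """SHA-256 digest of an image, the form in which hashes are stored in db/dbx."""
    return hashlib.sha256(image).digest()

def build_hash_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (constructed test data; a real
    db/dbx update carries the same layout inside a KEK-signed authenticated write)."""
    sig_size = OWNER_LEN + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HEADER + len(body), 0, sig_size)
    return header + body

def parse_signature_lists(blob):
    """Walk the chain of EFI_SIGNATURE_LISTs in a db/dbx variable and return
    [(type_guid, [signature_data, ...]), ...]; malformed input raises ValueError."""
    lists, off = [], 0
    while off + LIST_HEADER <= len(blob):
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HEADER or off + list_size > len(blob) or sig_size <= OWNER_LEN:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + LIST_HEADER + hdr_size, off + list_size
        sigs = []
        while pos + sig_size <= end:
            sigs.append(blob[pos + OWNER_LEN:pos + sig_size])  # drop SignatureOwner
            pos += sig_size
        lists.append((type_guid, sigs))
        off += list_size
    return lists

def hashes_in(blob):
    """Set of SHA-256 entries in a variable; X.509 entries are not evaluated here."""
    return {s for t, sigs in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID for s in sigs}

def shim_policy(image, db, dbx, mok, vendor):
    """Hash-only version of shim's decision order: dbx rejects first, then the
    image is accepted if db, the MOK list or the list baked in at build time has it."""
    h = image_hash(image)
    if h in hashes_in(dbx):
        return "rejected: hash is in dbx"
    for name, store in (("db", db), ("MokList", mok), ("vendor", vendor)):
        if h in hashes_in(store):
            return "allowed by " + name
    return "rejected: not in db, MokList or vendor list"

if __name__ == "__main__":
    # Constructed sample: the user enrolled their own kernel through MOK, while a
    # dbx update (which only a KEK holder can sign) revoked a different image.
    own_kernel = b"constructed: kernel image enrolled by the user"
    revoked = b"constructed: boot loader revoked through dbx"
    db, vendor = build_hash_list([]), b""
    dbx = build_hash_list([image_hash(revoked)])
    mok = build_hash_list([image_hash(own_kernel)])
    print(shim_policy(own_kernel, db, dbx, mok, vendor))  # allowed by MokList
    print(shim_policy(revoked, db, dbx, mok, vendor))     # rejected: hash is in dbx
```

Note that enrolling a hash in the MOK list never touches db or dbx, which is the point of the LWN quote: a dbx entry can only arrive through a KEK-signed update or the firmware setup UI.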

AlleyTrotter 10-13-2012 12:36 PM

Quote:

Originally Posted by TobiSGD (Post 4804610)
If you have a Windows certified mainboard just disable Secure Boot or add your own keys.

And as I said, then I lose the advantage of secure boot. I would like to participate in the secure boot environment if it helps secure communications. I believe at some point financial institutions will require it. I am just looking for a way to do it without needing Microsoft's keys or permission. If that can be accomplished with my own keys, as you seem to indicate, that suits me fine.
Not trying to be argumentative about it. Just looking for a way out.
Also trying to decide how to build my next system. Thinking if UEFI/SB is a bad thing for Slackware, I better snag an old BIOS super motherboard before they all disappear. Otherwise I can just wait until I really need a new system. Right now I have 2 working desktops: vintage 1996 (actually has 3-1/2 and 5-1/4 onboard floppies and an 8" external) and a generic Dell 2007. They both are pretty solid for desktop use and some hobby programming.
Thanks
John

H_TeXMeX_H 10-13-2012 12:54 PM

When they remove the option to disable secure boot (like on ARM), then you can mad rush to get the old mobos ... but I think they've planned for that too.

Martinus2u 10-16-2012 01:46 PM

Quote:

Originally Posted by TobiSGD (Post 4804568)
No offense meant, but I wonder why people don't actually read what Microsoft's requirements are:

No offense taken. But do you really wonder why people do not keep reading documents containing 175 pages sitting on some server at Microsoft? Anyway, thanks for finding both the document and the relevant section!

Quote:

Originally Posted by TobiSGD (Post 4804568)
Microsoft would be sued to hell in the EU and I think even in the US of A they would see another anti-trust lawsuit.

Maybe they would, but you know what world we live in and what measures are possible in formerly democratic countries under the pretense of fighting (1) terrorists (2) music pirates and (3) child pornographers - in that order.

TobiSGD 10-16-2012 01:56 PM

Secure Boot will neither protect from terrorists nor music or software piracy nor child pornographers. And I think the anti-trust authorities here in the EU wouldn't believe something like that.

Didier Spaier 10-16-2012 05:28 PM

Signed Kernel Modules Support For Linux 3.7
 
This is the title of an article from Michael Larabel I just read on Phoronix. Let me quote a paragraph of it:
Quote:

The most pressing need for the module signing support is for UEFI SecureBoot so that the Linux kernel can reject loading any unsigned modules, which could pose a threat if it's malicious code or unsigned binary blobs.
I don't know if that will add something useful to the fu{n,d}. Just wanted to feed the discussion before going to sleep ;)

