Does anyone understand Secure Boot?
Just tried to read and understand this article.
http://www.linuxfoundation.org/news-...em-open-source What I am understanding from all this is 2 or 3 years from now my bank sends me a letter saying all online access must be thru secure boot. No problem I have the pre-boot-loader from Linux Foundation signed by MicroSoft installed on my Slackware-69.9 system. 6 months later MS decides too many people using Linux are subverting the Linux Foundation signing key and puts it on the blacklist. Now I'm SOL I can't cash my check, pay my bills, transfer money etc. from my home computer. Someone please tell my I'm misinterpreting this. thanks john |
1. Your bank can't determine if you use Secure Boot or not, it is simply a way to prevent rootkits and other similar malware.
2. Microsoft has no blacklist to prevent your system from booting. According to Microsoft's guidelines it is not allowed to implement Secure Boot in a way that keys can be altered from software on a running system, otherwise the system will not get the Windows 8 logo. It is also mandatory to implement a function that the user can add his own custom keys to the firmware, so you won't have to rely on third party keys. |
Quote:
Quote:
Great news if you are correct, but the above comment from 'mjg59' who claims to have written most of the code says differently about 'blacklisting'. I guess I am just paranoid when in comes to MS and their tactics in the past. [EDIT] the comment was from LWN.net[/EDIT] [EDIT] the comments link https://lwn.net/Articles/519244/ -- 15 from the top[/EDIT] thanks john |
Might you share the link?
|
Quote:
john |
Thanks.
|
Perhaps of interest: http://www.infoworld.com/d/open-sour...karound-204699
|
Will secure boot still allow you to run /sbin/lilo whenever you want to, or will Slackware need a new boot loader?
|
Quote:
dugan As I am reading/understanding if secure boot is enabled by default you must have a key to do anything with your hardware. Remember that the fall back (disabling secure boot) is not guaranteed to be available by the UEFI definition/implementation. I really hope and wish I am wrong about this. john |
Quote:
|
Quote:
Since then MS had to soften a bit, and the whole affaire wouldn't be so bad if UEFI was actually better than the BIOS crap we had to live with for decades. But behold: the full truth is revealed in a very entertaining talk given by Matthew Garrett, titled "UEFI and Linux: the future is here, and it's awful". https://www.youtube.com/watch?v=V2aq5M3Q76U |
Finally the words I was looking for.
Quote:
Thank you Matthew Garrett I am forever in your debt John [EDIT Tob I would not be using MS software only the Linux Foundation boot loader and it could still be black listed, but after reading the above mentioned article I can see others feel like I do.[/EDIT] |
Quote:
|
Quote:
It is no longer a concern to me since it now appears there is a way around the MS issued key being needed to boot my system in secure mode. john |
More from Matthew Garrett:
http://news.ycombinator.com/item?id=4643820 Quote:
|
I'm not really understanding the concern, at least on PC architecture systems... It's mandatory to allow disabling secure boot in order to receive certification, so how is this a threat to Linux?
|
Quote:
I look at them lording over this as a way for them to reinvent themselves as a service company, rather than a software company ... |
Unless I'm missing something, this is a contractual issue and not a technical issue.
Seems to me the entire debate is the Microsoft folks won't certify a Windows 8 computer unless that system uses UEFI and a Microsoft platform key in the secure boot process. Final result: a nice little sticker on the computer. No certification, no nice little sticker. The same computer model can be sold without Windows 8 certification. No hardware vendor is required to certify all systems as such. Hardware vendors also are not required to use UEFI. They can use the older BIOS --- unless they want that nice little sticker. Computers not certified for Windows 8 do not have to have secure boot enabled and do not have to have UEFI installed. The terms of a Windows 8 licensing contract might require vendors to sell only certified systems, but that is a contractual issue, not technical. If the folks at large hardware companies such as Dell can't negotiate contracts to allow them to sell their hardware as they please, then that is their tough luck. Folks managing hardware companies that are not codependent upon Microsoft/Windows 8 likely will see an increase in sales as people not needing Windows 8 certification buy their products. Stand-alone motherboards sold through retailers do not need and are unlikely to be sold with secure boot protected with a Microsoft Windows8 platform key. People who build their own systems won't be affected. UEFI does not require secure boot to be enabled, but only supports the capability. A UEFI computer not certified to run Windows 8 and with secure boot not enabled should be able to run any Linux based system. People who want to dual boot using a preinstalled Windows 8 certified computer might feel up the creek without a paddle, but otherwise I'm not seeing a problem. Just don't buy a Windows 8 certified computer. Don't buy a computer that has secure boot enabled with a platform key owned by people not supporting Linux based systems. |
Quote:
Quote:
Quote:
|
Quote:
|
Hmm, ok, well that being the case, how could they market a board like that? Something like that would probably get the crappiest ratings imaginable. (People buying motherboards are usually geeks anyway.)
I don't see a business incentive to force secure boot without the ability to disable. |
Quote:
If I had to make a viable plan for world domination it would look like this: (a) make Windows start only on UEFI/SB systems (b) stipulate in the UEFI/SB specification that there must not be an option to disable SB (c) enforce the UEFI/SB specification through legal measures The result: you won't be able to buy hardware able to run anything other than Windows. |
As long as secure boot can be turned off, distro diversity will be maintained. I think it's clearly an attempt by M$ to kill Linux.
|
Quote:
|
Quote:
But if you buy a mainboard/PC with certificate you can be sure that there will be options to disable Secure Boot and to manage keys, which means you can delete Microsoft's keys and you can add your own custom keys. Quote:
Quote:
For this topic relevant are the points 17 (key management) and 18 (disabling Secure Boot) in the paragraph System.Fundamentals.Firmware.UEFISecureBoot Here the relevant excerpt from paragraph 18: Quote:
Quote:
|
Quote:
|
wrong again, John
meaning me.
I would [unsolve] this post if there were a method. First and foremost: I still believe that business' will develop a method to poll your computer that all financial transactions have secure boot enabled and operating. If they don't develop said method, some 'hot shot class action lawyer' or 'insurance provider' will declare that this business method does not do all it can to protect its user's financial transactions. Liability and blacklist enabled. Secondly further reading in the comments section by mjg8, he states his shim is signed by MS. Unlike Tobi I believe any key issued by anyone can also be revoked by that entity. To quote George Ure "Everything is a business plan" So I am still undecided, do I build my next system with a UEFI Bios with secure boot or not? I have not had an MS system in my home since about 1998 (Win95). I do run a KVM (WinXp-VM) to access my wife's bank which polls the OS and sends you to a "We are having problems, please try again later" page if it does not get the expected answer. I have tried browser spoofing. It doesn't work at this bank. Will your bride change her favorite bank where her friend works for you? To quote President o'bama "this is above my pay grade" Apparently I will need to do much more RTFM'ing Thanks to everyone for their opinion. Also hope to hear more advice. John |
Quote:
Quote:
But even if they do: If you have a Windows certified mainboard just disable Secure Boot or add your own keys. |
Quote:
Not trying to be argumentative about it. Just looking for a way out. Also trying to decide how to build my next system. Thinking if UEFI/SB is a bad thing for Slackware, I better snag an old bios super motherboard before they all disappear. Otherwise I can just wait until I really need a new system. Right now I have 2 working desktops vintage 1996 (actually has 3-1/2 and 5-1/4 onboard floppies and a 8" external) and a generic Dell 2007. They both are pretty solid for desktop use and some hobby programming. Thanks John |
When they remove the option to disable secure boot (like on ARM), then you can mad rush to get the old mobos ... but I think they've planned for that too.
|
Quote:
Quote:
|
Secure Boot will neither protect from terrorists nor music or software piracy nor child pornographers. And I think the anti-trust authorities here in the EU wouldn't believe something like that.
|
Signed Kernel Modules Support For Linux 3.7
This is the title of an article from Michael Larabel I juste read on Phoronix. Let me quote a paragraph of it:
Quote:
|
All times are GMT -5. The time now is 05:54 PM. |