The whole "security" model around CAs signing stuff is broken by design. So is "Secure Boot".

At the end of the day the black hats will take over your computer (with a cert from Microsoft) and you will be locked out. At that point your own hardware will "trust" them, but not you.

Linux shouldn't support nor promote that.

6 members found this post helpful.

Exactly. Bad ideas should not be used and the same goes for all kinds of software. Too much "trust" in one piece of software can leave a system not only vulnerable to failure, but lacking proper abilities to recover or correct as without redundancy or a fail-safe option to do so.

Putting all of one's eggs in a single basket leaves all the eggs prone to being broken from the basket failing.

2 members found this post helpful.

I am happy to see Linus take a stand. I have several problems with UEFI.

Secure boot. This has been talked about enough that I won't go into any more detail.

UEFI uses FAT32 even AFTER Microsoft has repeatedly launched legal challenges against companies using FAT file-systems. Intel architected EFI and chose FAT32. Why was FAT32 kept in the standard when it became UEFI? Why not an open file-system like EXT2? The UEFI standard actually does not require FAT32. However, I have never seen a computer with UEFI that does not require FAT32 for the system partition. Why are we not more vocal about having computers with UEFI also support EXT2 for a system partition?

So far UEFI has been an excuse for manufacturers to write buggy software that only works with Windows. Unfortunately I don't see manufacturers interested in fixing problems that don't affect Windows. Among other things some UEFI software does not easily allow the user to change the boot order. In fact, A new HP machine that I recently bought with Windows 8 did not come with the UEFI command shell at all. I had to download it from the UEFI developer's site to change the settings on MY computer.

Microsoft forced us all to live with the Boot Configuration Database because computers lacked UEFI. Supposedly UEFI was going to replace the BCD. Apparently Microsoft no longer wants to make the Boot Configuration Database belong to the computer. Making changes in the BCD to use a non-Microsoft boot-loader isn't possible. Also, Microsoft provided no way to chain to any other boot-loader. Add to that the fact that just starting the Microsoft boot-loader replaces the default boot-loader with Microsoft's. Instead of the consumer having more control, and a better integrated boot environment, we have less control, more complexity and more segregated boot environment. With UEFI we also have less visibility into the boot configuration.

The stark reality is that we're heading towards two different classes of PCs, Windows PCs and "open" PCs. Even without secure boot and UEFI, hardware has been slowly migrating away from open standards. Companies selling PCs really don't care if the hardware is incompatible with non-Windows operating systems, nor how expensive or complicated it is to write a non-Windows driver for their hardware. We've had a taste of this with "winmodems", "fake RAID" and wifi chip-sets.

Because of the dwindling PC market, I expect some computer retailers and manufacturers to go out of business, and some motherboard manufacturers as well. Whether that will spur some to better support non-Windows operating systems remains to be seen. Even if hardware supports other operating systems I expect companies to charge a premium for computers that can run the other operating systems. We are already seeing companies like HP decide to only support Linux on "business" class PCs. A lot of Linux support has been happening more by accident than design. Linux support is going to require serious effort as hardware moves further from standardization.

Linux distros and developers have contributed this problem by letting things get too fragmented. That has left only the big Linux developers in a position to affect how computer manufacturers support Linux. We need to figure out how to combine our forces at least for some things.

People don't always realize how important Linux is for innovation. On many occasions the only technical information I have been able to get for Intel or other hardware has been by looking at Linux source. Hardware companies are keeping more and more information secret. That stifles competition with the larger companies and discourages smaller companies from developing software and hardware for consumers. In the end, hardware and software will become more expensive. Anything open will be even more expensive.

2 members found this post helpful.

Every Windows version that comes with the BCD boot system has the program bcdedit installed by default, which provides the functionality to make changes to the bootloader and also chainload other bootloaders. If you don't want to use that you can use third party programs like EasyBCD to do that.

Neither chainloading the Vista bootloader nor the Windows 7 bootloader, both BCD bootloaders, from Lilo, Grub and Grub2 changed anything on my system, neither have Windows updates (not even installing Service Packs).

Which is better than not supporting Linux at all, like they did before, I would think. Seems like a natural thing to me, since by far more PCs that run Linux are running in a business environment, AFAIK. If Linux becomes more adopted on the consumer desktop I would expect that they support it on those machines also.

Seems like an odd statement considering some of the posts in the very thread are naive and uninformed. At least Tobi has a clue and is correcting some of the incorrect assumptions that have been posted.

I've been using computers since the days I hacked away on my dad's 8080 monoboard with a hex keyboard. I don't know the details about Secure Boot, but the one lesson I've learned over the years (I'm running a little IT business in France) is that Microsoft has established its world dominance by consistently selling crap using mafia methods. And folks who believe that something good will ever come from this company are like those handful of people in our village who still believe that the old priest who has been known to repeatedly abuse all the choir boys over the last two decades is "basically a good guy in his heart". My company is 100 % GNU/Linux, and as far as I'm concerned, it's a categoric "no thanks, not interested" to any "Microsoft technology".

3 members found this post helpful.

That is your choice and I can respect that but I can't respect people who continuously spread FUD based on their own lack of knowledge. Tobi and I don't agree on much, mainly on philosophical matter regarding methods, but I acknowledge he knows what he is talking here and at least he is standing up for what is real and not spreading some agenda. Anyway, the comment in the OP which is what I personally posted about shows how, and it's not the first time and he is not the first person to show this, very different and aloof to the rest of the Linux ecosystem Slackware users are. Posted in Slackware because other Linux users are naive? give us a break.

This is the point that all of the supporters of "secure boot" seem to be missing.

1 members found this post helpful.

Windows 8 certified??? Since when has a Toys'R'Us OS been a guarantee of quality?

1 members found this post helpful.

I'm curious. Have you actually tried this on a UEFI system?

BCD on the UEFI system I'm typing this message on refuses to chain load LILO/Linux.

Of course, it doesn't matter, because we can point UEFI to ELILO... BUT saying that BCD can chain load other bootloaders on all systems is patently wrong. Microsoft must have changed something because it works on my old [pre-UEFI] desktop machine.

3 members found this post helpful.

Reading through Pat's comments (both in this and at least one other thread), Linus' comments (gee, Linus, tell us what your really think), articles here and there about UEFI and remembering clearly every problem I've ever had with Microsoft software (from DOS through Win7, like it or not, it comes with the box and you've got to deal with the damned thing). I'm almost glad that I'm old (68) so I probably won't have to deal with the next generations.

I have a couple of Dell Inspiron 8400's sitting in a closet running large data bases. One of them had a bad capacitor a year ago or so (cost, like $65 for a new motherboard, sometimes older hardware pays off) and I know there's going to come a time when they'll be a puff of smoke and that's that. I cannot imagine the problems that I (and everybody else) will face buying a new server and not being able to install Slackware x.x on it without having to screw around with some damned Microsoft "thing" so I can use the platform -- given comments from people who know, say, Linus, Pat, the FSF -- things don't seem to bode well for this kid. Actually scare the hell out me unless somebody can demonstrate, for sure, with real hardware and real software, that the thing will actually work; opinions to the contrary are just that, opinions. Gimme facts and show me. I'm old, I'm tired and I don't really want to reinvent the wheel again.

I have to have Windows -- people give me money to do things who don't want to convert to a real operating system. I will not, under any circumstances, install Windows directly on a machine -- it goes in VirtualBox and that's proved to be fine so far. But, if I happen to live long enough for Win7 to EOL... then what? I've gotten to point that I won't buy a computer with proprietary graphics or sound cards because I don't want to deal with problems (the FOSS driver are getting better, but there are an awful lot of folks having problems and I don't need that -- the default Intel graphics and sound are just fine, thank you) -- I can't imagine having to screw around with UEFI (or have to pay micojunk for a license). I shudder at the prospect.

We're lucky, methinks, that we have one guy making the call on what goes into Linux, no committees, no politics, no compromises, no nonsense: Linus says yes or no and that's that. We're also lucky that we have Pat and crew (ditto). We're also subject to the whims of a 2-bit outfit that drives an entire industry (that goes along because it's their bread and butter) simply because that outfit demonstratively never has and cannot now make safe, secure products.

Alas.

1 members found this post helpful.

Precisely why I believe Linus put his foot down on this point, and to his credit.

I don't think it will negatively affect the server market much, if at all.

In the short term I think it will indeed hurt, or at least impede, the adoption of Linux as a desktop OS; yet looking forward, might lend itself to breaking the stranglehold Microsoft has over OEMs.

i.e., Windows 8, unlike all previous Microsoft OSes, searches for imbedded Microsoft code in the BIOS to determine whether it can self-activate. If it doesn't find it, then and only then does it need to phone home to activate its license.

Kindest regards,

.

1 members found this post helpful.

And yet you ignore the fact that ARM devices with that logo ARE locked-in and can ONLY boot secure boot. How long is it until x86 becomes the same or maybe even disappears, leaving you locked-in.

1 members found this post helpful.

how long before x86 goes the way of the dinosaurs and ARM is what is left

facebook and google are starting to use ARM in the server room

how long before x86 is gone ?

something will take it's place but with Win8 ARM laptops and tablets ALREADY locked out of running anything else besides win8 ........

the next few years will "be fun" and not HA, HA, fun


things WILL get straitened out ( one way or another) but in the mean time , it will be a mess

1 members found this post helpful.

I may be wrong, but I thought that the Boot Configuration Database was supposed to be the same database as the UEFI boot configuration (NVRAM variables), not a separate "Microsoft" database. If you look at how BCD was implemented you can see the analog to the NVRAM information, with UUIDs for boot entries and so forth. You make a valid point, because the BCD is no worse than the previous "BOOT.INI" boot configuration.

Based on the information I can find, on UEFI systems, the "bootmgr" cannot chain to any other UEFI boot loaders. The old BIOS method of chaining "APPLICATION BOOTSECTOR" only works in BIOS booting mode, not UEFI. A UEFI file ending in ".efi" cannot be loaded by the "bootmgr" unless it has a special header that is is present in "WINLOAD.efi". Specifically, "bootmgr" will load UEFI files that have a header with "EFI_IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION" and not "EFI_IMAGE_SUSBSYTEM_EFI_APPLICATION". That is true even with secure boot disabled. You are correct, that one can simply use ELILO or some other UEFI boot loader and then chain to the Windows boot manager.

I have no firsthand experience with trying to dual boot Windows on UEFI. I have seen posts from people using Windows 8 and UEFI with ELILO who claim that setting ELILO as the UEFI default boot loader does not remain in effect. The solution was to rename the Microsoft bootloader file and then replace the Microsoft bootloader with ELILO. This could be a system-specific issue. I guess we won't know until UEFI is more widely adopted.

I guess we disagree about whether supporting a specific Linux distro and version (probably RedHat) sold by a company for a "business" PC is progress. I haven't bought any of those PCs that claim to support Linux, so I may have the wrong impression of what "Linux" is actually supported.

And that gets back to what I think are the real issues. How much power should corporate Linux interests have to dictate the direction of Linux? Do their choices make Linux more compatible with consumer PCs, or do they burden Linux with complexity and reduce compatibility? Does giving Microsoft more control over PC hardware and the boot environment benefit or hurt consumers in the long run?