Feeds

back to article Linux Foundation ships UEFI Secure Boot workaround

The Linux Foundation's open source workaround for Unified Extensible Firmware Interface (UEFI) Secure Boot has shipped, and while it's not necessarily the easiest way to boot Linux on UEFI-enabled PCs, its authors claim it should now work with any bootloader and any distribution. The Linux community was first alerted to …

COMMENTS

This topic is closed for new posts.

Page:

Anonymous Coward

"But Linux enthusiasts observed that some OEMs were actually disabling the Secure Boot switch in their firmwares, leaving customers with no way to turn it off (and thus, no way to boot Linux)."

Dear Auntie Reg,

Please list those manufacturers so I can decide where I spend my money.

Hugs and Cookies.

44
0
Anonymous Coward

I'm pretty sure these are the sorts of OEMs who would rather not receive loads of support issues from Linux newbies complaining about XYZ not working.

The whole "designed for Windows" sticker regime seems to suggest that is their thinking.

5
21
Anonymous Coward

What a surprise

MS lets the dust settle then quietly whispers in OEMs ears that they will get a discount if there is no secure boot off in their BIOS. In 12 months time rocking horse shit will be easier to find than a BIOS with a secure boot flip switch

"Everything is proceeding as I have foreseen" says MS

Well time for for an EU anti trust kicking MS.

20
3
Silver badge

@ AC 20:56

"I'm pretty sure these are the sorts of OEMs who would rather not receive loads of support issues from Linux newbies complaining about XYZ not working."

Yes, because everytime your copy of VirtuaGirl has a glitch you call Dell customer support to complain about it, do you? Kids these days...

14
1

This post has been deleted by its author

Anonymous Coward

Designed for Windows? ..

'The whole "designed for Windows" sticker regime seems to suggest that is their thinking`

Do you think the UEFI issues are part of some machiavellian strategy out of Redmond ?

6
1
Bronze badge

Re: What a surprise

Except that Microsoft has mandated that the switch to turn off SafeBoot is a required to pass the 'Designed for Windows 8' certification. The worry is Mother Board manufacturers that don't give two shits about MS's certifications and push out boards as soon as they can (looking at you Asus).

6
4
Meh

Acer: could be better

I've got several Acer Aspire One 725 netbooks here (AMD C70 based) and while it's not possible to disable Secure Boot in the UEFI BIOS, you can select a "Legacy BIOS" mode - better than nothing, but not ideal.

2
0
Anonymous Coward

Re: Acer: could be better

I thought the whole ethos of OS centred around sharing your findings... so had naively assumed that there would be somewhere on the net a list of Linux-friendly computers (in this example, those in which this UEFI Secure Boot feature can be disabled, but also taking into account certain Intel CPUs that Intel say are for Windows only) maintained by Linux users for Linux users. If there isn't, then you should start one- it would be a more helpful approach then hunting for scraps from mainstream tech sites.

Under the Distance Selling regulations, you can try a laptop for yourself, and sand it back for a refund if it doesn't do what you want it to.

4
2

This post has been deleted by its author

Re: @ AC 20:56

You mean like people who call their ISP when the get a virus or when they forget their windows logon password. People would call Dell to fix silly issues they created them self's.

2
0
Bronze badge

Fail

If I read the Microsoft documentation correctly (and it has not been revised), Windows 8 certified x86 compatible systems must allow the owner to disable secure boot. I am no fan of Microsoft in this matter, but the blame in such cases should be directed to the hardware manufacturers.

And yes, please out those manufacturers providing unsuitably locked-down boards.

7
0
Silver badge

Re: Fail

@Tom Dial - requiring the ability to allow the owner to disable secure boot would not, I think, preclude the only method of doing that to be, for example, a windows-only application.

For the record: the Acer V3-771 allows the secure function to be turned off, and Mint 14.1 works nicely with it.

2
1
Bronze badge
Headmaster

Re: What a surprise

Actually, MS certification requirements state that the Secure Boot off-switch is required on x86 devices and PROHIBITED on ARM devices (like the Surface).

4
0
Bronze badge
Boffin

"I'm pretty sure these are the sorts of OEMs who would rather not receive loads of support issues from Linux newbies complaining about XYZ not working."

To which the tech support Muppet replies..

"I'm sorry sir, we only support the originally installed OS on your machine". End of call. No further action necessary. Problem solved.

"The whole "designed for Windows" sticker regime seems to suggest that is their thinking."

Is that like Vista capable?

1
0
Silver badge

Re: Designed for Windows? ..

"Do you think the UEFI issues are part of some machiavellian strategy out of Redmond ?"

Actually, yes. This is Microsoft we are talking about. Considering the company history of lock-in and dubious business practices, would you put it past them?

9
5
Silver badge

Re: Acer: could be better

since linux effectively doesn't use the BIOS once it has booted, what's the problem with a 'legacy bios'?

Gone are the days when yo ran an OS on top of a bios that actually did something useful.

Its now just a way to boot..

3
0
Anonymous Coward

"designed for Windows"

I got one of those off a second-hand laptop. It now adorns the lid of our wastebin

0
0
Anonymous Coward

Re: Fail

@Neil Barnes - The whole point of UEFI secure boot is that it can't be enabled or disabled by the OS, that would mean that some dodgy software would be able to switch off secure boot and install a bootloader, defeating the whole point.

0
1
Windows

Panic ye not!

MS lets the dust settle then quietly whispers in OEMs ears that they will get a discount if there is no secure boot off in their BIOS. In 12 months time rocking horse shit will be easier to find than a BIOS with a secure boot flip switch

Fortunately that's not going to happen, at least on PCs. The ability to turn off Secure Boot is actually a requirement for Windows 8 compatibility certification on x86.

Not least, I suspect, because a licence for Windows 8 Professional (and up) allows the user to run Windows 7 instead ... and Windows 7 isn't signed, so you wouldn't be able to do that with Secure Boot enabled.

There's also the fact that if Microsoft say that turning off Secure Boot has to be allowed, nobody can really complain that they're using it to lock users in to Windows.

Note that on x86 Microsoft don't make the hardware themselves. On Arm it's a different matter ... Microsoft don't want you buying their nice (?) new surface hardware and running Android on it. I might be able to understand and even forgive that attitude if surface was competitively priced.

0
1
Silver badge
Unhappy

Re: Acer: could be better

"Its now just a way to boot.."

Unfortunately a lot of people are of the mind that the BIOS should be a mini OS. I have no idea why - if I want to use the computer I'll load the real OS thanks. The same thinking seems to be inherent in the design of grub. Lilo was nice , small and did what it said in the tin - booted Linux - and not much more. Grub on the other hand is on its way to becoming a small OS in its own right and all that does is make it more complicated for 99.9% of users.

3
0
Bronze badge

Re: Panic ye not!

Windows 7 is signed with Microsoft's private keys and would be allowed to run under SecureBoot, XP, Vista, Server 2003, 2008, 2008 R2 will all also run under SecureBoot.

0
0
Anonymous Coward

Re: Panic ye not!

@Crazy ops guy: Windows 7 isn't signed and doesn't support secure boot. In order to boot it and all the other Windows versions you mention, secure boot must be switched off.

That said, I'm pretty sure 2003 and XP don't even boot on UEFI, not sure about Vista and 2008 though.

0
0
Anonymous Coward

gummiboot at last

This is good news.

It makes it possible to secureboot with gummiboot directly to linux.

And the door is open to manipulating the PK obviating 3rd party revocation lists.

On my Lenovo laptop there seems to be the option of installing ones own PK. Understandably I haven't had to courage to go there yet, especially because of the difficulty I had just to get UEFI booting the damn thing. There were quite some CMS/UEFI settings mismatches.

What would be great news would be an qemu uefi sandbox for playing these configuration games.

0
0
Anonymous Coward

Wouldn't it be so much easier just to switch to a non-GPL'd bootloader to allow one to actually sign your own software? It's toxic anyway.

2
16
Silver badge

Re: sign your own software

Oh, you can sign your own software allright. The thing is, it needs to be signed _by Microsoft_ to work with Secure Boot UEFI. That's not a GPL issue.

11
1
Silver badge

Re: sign your own software

strange...

The latest machine I got seems to have the ability to install new keys... like a key I generate myself... and I use to sign a bootloader...

Not that I had to use that feature to boot linux on the thing (just disabled SecureBoot). I'll admit I haven't played with that feature yet, but if it works as described, I'll consider it a win.

4
0
Anonymous Coward

Re: sign your own software

Signed by Verisign you mean, do keep up.

0
0
Anonymous Coward

Re: sign your own software

No, it's a GPL issue. Anyone can add keys, assuming you're not buying from one of the aforementioned OEMs who lock down UEFI's Secure Boot options (which is actually a breach of the Windows certification - the options have to be left open, allowing both custom mode [adding your own keys] and turning it off entirely).

The problem is GRUB, as GPL software, cannot include baked-in keys. The GPL explicitly precludes one from distributing a binary-only version of the program with the secret key baked in. The only "proper" way to meet the requirements of the GPL and UEFI would be to provide a signed bootloader binary, while also providing the plaintext sourcecode, revealing the private key to all and sundry, of course making it utterly worthless. Were software authors using a more permissive license, they would be fully able to publish the bulk of the source code without a key, and provide a signed, official binary compatible with secure boot - even one signed with MS's keys to make the whole thing seamless for non-savvy users.

And, strangely enough you'll find this is exactly the approach taken by both the shim method and Fedora's method. Neither are distributing their bootloaders' source code with the keys included.

And you know what? At the end of the day, signed binaries are quite nice to have.

2
1
Anonymous Coward

Re: sign your own software

Thank you for this. A perfect explanation of why the GPL is a dangerous license that directly attacks user security.

1
12
Anonymous Coward

Re: sign your own software

Of course, in an alternate world controlled by Tivo, user freedom is hampered by key signing. Here, the GPL is effectively bypassed by distributing full source code, but not allowing a user to run any modified version of said software on a system by only allowing 'verified' signed software to run. Now my shiny box is impossible for me to hack on. I can't fix bugs in the software I am running, I can't add new features, I can't test new versions of the code and contribute them upstream. All of these freedoms are removed by the need for a key I can't get my hands on.

Naturally, I can peruse the source code like a novel, enjoying the wit and competence of those who have written the original source and admiring the beauty of their indentation. But that is a very weak freedom compared to the freedom to hack.

The GPL exists to grant freedom. The need for a private key you can't have is an obvious roadblock to this freedom. What security do you imagine is granted by a binary blob signed by someone you presume to trust that is not granted by a hashed source tree and a verified toolchain?

I certainly fancy my chances more with the latter.

7
1
FAIL

Re: sign your own software

GPL is *dangerous* - oh yes it certainly is (especially GPL V3 which protects against software patents) as it protects the open source community from self-serving corporations like Microsoft, Apple or Oracle who would like to subvert/destroy open source projects by embrace/extend/extinguish. The GPL protects the community and so ENHANCES user security! Anybody who relies of security by obscurity is asking for trouble - that is how public key encryption first came about - the more people know about the METHOD of security, the more that method can be checked for flaws by the community.

4
0
Anonymous Coward

Re: sign your own software

No, it doesn't need to be signed by MS, MS are offering a signing service for Linux, that's a remarkably different thing.

0
0
Boffin

Re: sign your own software

The only "proper" way to meet the requirements of the GPL and UEFI would be to provide a signed bootloader binary, while also providing the plaintext sourcecode, revealing the private key to all and sundry, of course making it utterly worthless.

I'm not an expert on the niceties of the GPL ... but the bootloader only needs access to the public key needed to check the signatures of the binaries that it loads. It may be possible to keep the private key private and remain GPL-compliant. I think it may depend whether the private key is regarded as a "derivative work" of the public key.

0
0
Silver badge
Facepalm

Re: sign your own software

"The problem is GRUB, as GPL software, cannot include baked-in keys. The GPL explicitly precludes one from distributing a binary-only version of the program with the secret key baked in. "

Please stop using the trendy hipster journo phrase "baked-in". It makes you sound like an ass. In english we say built in or included with.

Thanks.

4
1
Meh

Re: sign your own software

No, it doesn't need to be signed by MS

It needs to be signed using the private key that corresponds to the public key embedded in a certificate that's stored on the board.

There's been a lot of contradictory stuff written about this, but as I (now) understand it the norm is for UEFI PCs to be sold with a single certificate on the motherboard, and that certificate is for a key owned by Microsoft (the certificate is generated for them by Verisign, but it's not Verisign's key).

MS are offering a signing service for Linux, that's a remarkably different thing.

It's not that different a thing. If you want to run Linux from a signed bootloader on a bog-standard UEFI PC you either have to get Microsoft to sign your bootloader so that the signature can be verified using the manufacturer-distributed certificate or you have to add a certificate for another key to the motherboard (if the UEFI firmware will let you) so that you can use a bootloader signed using that key.

Or you turn Secure Boot off, or you switch off UEFI mode ... assuming the firmware allows you to. Then you can use any bootloader you like whether it's been signed or not.

1
0
Anonymous Coward

Re: sign your own software

@AC 09:54:

I don't think you understand how UEFI Secure Boot works.

0
1
Anonymous Coward

Re: sign your own software

@ac 12:26 - He's in the majority then, about 90% of the comments here suggest an utter lack of understanding of what UEFI is and why it's needed.

Comments like: "Switch secure boot off in the BIOS" are far too common for a supposed technical web site.

0
2
Silver badge

"PCs that shipped with Windows installed"

That presumably excludes "servers that are managed remotely", so far so good for the Foundation's approach then.

If you buy a windows-loaded, UEFI-Secure-Boot-locked PC to use it as a distantly managed Linux server, you're just looking for trouble. All the people I know who remotely administrate Linux servers either bought them with Linux pre-installed or bought them barebone and built them to their needs. I must admit that I don't know _everyone_ though, so that's remains anecdotic, but strongly supported by common sense.

0
1
Bronze badge

Re: "PCs that shipped with Windows installed"

Nearly all servers nowadays come with some sort of IPMI, BMC or LoM to allow you to do things like manipulate BIOS and UEFI settings.

2
0

back to hacking hardware

seems every few years I'm back to hacking hardware to make ıt do what I want... I love them manufacturers!

4
0
Silver badge
WTF?

MS mimicking Apple: It might be your property, but we hold the key

When is the right of ownership going to recognised and accepted by these damn American companies?

The EU bureaucracy might appear to be under employed but they do have a hight success rate of kicking US commercial butts. Even the near God-like MS and Apple have bowed to their demands, before, albeit reluctantly.

Perhaps the EU should mandate the MS walled garden feature must have a switch in the BIOS so the owners can decide their modus operandi. Not all PC users are Apple-subservient types.

10
3

This post has been deleted by its author

Anonymous Coward

Re: MS mimicking Apple: It might be your property, but we hold the key

There is no BIOS. Do keep up.

1
1
Trollface

Re: MS mimicking Apple: It might be your property, but we hold the key

Big difference is I can boot anything I want on my Mac. OSX of course, Windows if I want, and Linux no problem at all.

Its the PCs that are locked down.

1
1

There is no BIOS

@AC 09:20

There is no BIOS. Do keep up.

I know what you're saying ... but there is a BIOS -- it's the UEFI Firmware. What there isn't is an old-style real-mode IBM PC-compatible BIOS.

The problem is that BIOS has lost its original meaning of Basic Input/Output System and come to mean specifically an implementation of the firmware API exposed by the BIOS of the original IBM PC (and subsequent developments thereon). The UEFI Firmware is a BIOS in the older, more general, sense (among other things).

"BIOS" is a lot easier to write and to say and write than "UEFI Firmware", so I suspect we're stuck with it.

UEFIF anyone?

5
1
Anonymous Coward

Re: MS mimicking Apple: It might be your property, but we hold the key

"Big difference is I can boot anything I want on my Mac. OSX of course, Windows if I want, and Linux no problem at all."

Very nice too...just a shame you have to pay 3 times over the odds for the same parts when they break down, than the rest of us lowly PC crowd!

( If you're a careful shopper you can build an x64 box that will boot OSX, Windows and Linux, have 4+ times the power for a third of the cost of the "Apple Hardware Smug Tax"! )

1
0
Trollface

Re: MS mimicking Apple: It might be your property, but we hold the key

I guess you get what you pay for. if one ever breaks down I'll let you know.

0
1

From recent experience...

Dell do include an option to switch off Secure Boot in UEFI, as well as allowing a legacy mode for booting stuff that is non UEFI, like CDs. I also experienced Ubuntu's UEFI when installing alongside Windows 8 and it was quick and easy, no hassle at all. That should be the way forward.

Although I can see the intention with Secure Boot is itsn't without problems; when I did turn it back on, just for kicks, it wouldn't let me boot into either Windows or Ubuntu. So I think the OEMs should brace themselves for a raft of complaints and queries when the UEFI and/or Windows installations start becoming corrupted.

0
0

Re: From recent experience...

Indeed, Ubuntu and Kubuntu had no issues. Mint, OTOH, refused to install. It fell down.

Strange days indeed.

0
0

Page:

This topic is closed for new posts.