Can UEFI/secure boot brick your PC and violate your freedom?


Postby Zorba on Thu Jun 05, 2014 7:39 pm

I have installed Linux Mint 17 and Ubuntu 14.04 in UEFI mode on a Dell Vostro i3 after disabling secure boot and everything is running out of the box. Today I have read an alarming article on Wikipedia saying that "In January 2013, a bug surrounding the UEFI implementation on some Samsung laptops was publicized, which caused them to be bricked after installing a Linux distribution in UEFI mode" and that secure boot restricts our control over our PC and allows a third party to control it without us knowing. Contradictingly, Ubuntu official documentation says that UEFI mode extends the life of your battery and prevents your hardware from heating up while making your PC boot faster!! Which one should I believe!!!! :roll: If this is the case why would Linux support this mode? :roll:


Now I'm worried sick about my laptop. Do I have to format it again and disable this mode? :roll:

Documentation here: http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Criticism and here https://help.ubuntu.com/community/UEFIBooting

More here http://www.networkworld.com/article/2358246/byod/new-attack-methods-can---39-brick--39--systems--defeat-secure-boot--researchers-say.html
Last edited by Zorba on Thu Jun 05, 2014 7:49 pm, edited 1 time in total.

Re: Can UEFI/secure boot brick your PC and violate your free

Postby exploder on Thu Jun 05, 2014 7:48 pm

Your laptop will be fine.

Re: Can UEFI/secure boot brick your PC and violate your free

Postby WinterTroubles on Thu Jun 05, 2014 7:53 pm

Zorba

This quote, "that secure boot restricts our control over our PC and allows a third party to control it without us knowing", is from the article linked to here http://forums.linuxmint.com/viewtopic.php?f=60&t=169470 and, as I pointed out just above your post in that topic, that article is clearly using photoshopped images labelled as top secret photos, so I wouldn't trust anything on that site without external corroboration.

Re: Can UEFI/secure boot brick your PC and violate your free

Postby Zorba on Thu Jun 05, 2014 7:58 pm

Thank you guys, I just got this laptop :D :D And yes, that article using photoshop has confused me :D Why do they use these alarming techniques to put fear in our hearts? :roll:

Re: Can UEFI/secure boot brick your PC and violate your free

Postby WinterTroubles on Thu Jun 05, 2014 8:12 pm

Because conspiracy theories about the amount of water in your favourite soft drink don't make 'them' feel special :lol:

Re: Can UEFI/secure boot brick your PC and violate your free

Postby Zorba on Thu Jun 05, 2014 8:14 pm

WinterTroubles wrote:Because conspiracy theories about the amount of water in your favourite soft drink don't make 'them' feel special :lol:


:lol: :lol: :lol:

Re: Can UEFI/secure boot brick your PC and violate your free

Postby srs5694 on Thu Jun 05, 2014 8:59 pm

Zorba wrote:I have installed Linux Mint 17 and Ubuntu 14.04 in UEFI mode on a Dell Vostro i3 after disabling secure boot and everything is running out of the box. Today I have read an alarming article on Wikipedia saying that "In January 2013, a bug surrounding the UEFI implementation on some Samsung laptops was publicized, which caused them to be bricked after installing a Linux distribution in UEFI mode"


This is true, although the word "surrounding" is wrong. Replace it with "in" and it's more accurate. Using "surrounding" in that context makes it sound ominous, as if the bug were some vaporous cloud that could spread and infect other (presumably EFI-based) computers. Furthermore, that quote in isolation omits certain critical details, such as the fact that at least two workarounds were quickly implemented in the Linux kernel, so that modern kernels will not trigger that bug. I don't know offhand if Samsung (or other affected vendors) have fixed their EFIs; some may still be susceptible to the problem from other OSes or EFI applications.

There's lots of information on this topic. Matthew Garrett (formerly a Red Hat developer and an expert on EFI issues) has written a number of blog posts on it, such as this one.

Overall, today this just isn't an issue.

Zorba wrote:and that secure boot restricts our control over our PC and allows a third party to control it without us knowing.


Viewed from a certain perspective, this is true, but the way it's phrased leads to runaway images of Big Brother watching our every keystroke, and that's simply inaccurate. Secure Boot is simply a way to control what EFI programs (such as boot loaders) can run on a computer. This is done by use of cryptographic keys and signed binaries, which implies that at least one public key must be stored in the firmware, either as delivered with the computer or placed there by the computer's owner/user. When enabled, Secure Boot prevents unsigned binaries, or those signed by private keys that don't have public counterparts in the key library, from running. Since every OS requires a boot loader, this means that OSes that lack such keys won't run. More importantly, it means that unsigned pre-boot malware won't run. Such malware is a real threat, and can be written in such a way as to make it impossible to detect from an infected OS -- hence the desire to block it with something like Secure Boot. Used properly, Secure Boot can increase the control of owners over their own computers. Implementing such improved control can be technically challenging, though.

The trouble, from a Linux perspective, is that Microsoft requires that Secure Boot be active by default on computers that ship with Windows 8 and 8.1. This in turn means that these computers need to have Microsoft's keys embedded in their firmware, and of course many manufacturers won't bother to embed any other key. Furthermore, the Linux community was caught off-guard by this new Microsoft requirement; if there'd been more of a warning about this coming, efforts might have been made to find or create some common independent third-party signing service and push to get its keys in every PC's firmware. As it is, though, we're stuck with Microsoft's keys being the only ones that are more-or-less guaranteed to be installed in every computer. Fortunately, Microsoft offers a service where it signs third-party binaries, and Linux distributions have used this to get a simple pre-bootloader signed. This pre-bootloader (there are two: Shim and PreLoader) adds new authentication tools and then launches GRUB, rEFInd, ELILO, or whatever other boot loader you specify. The new authentication tools provide a streamlined way to add your own keys to the process, thus giving Linux distributions a uniform method of managing keys and giving users more control over the process.

Furthermore, Microsoft's own requirements for Windows 8/8.1 on x86 and x86-64 PCs specify that users be able to disable Secure Boot. Thus, you can install completely unsigned binaries if you like. If you get an x86 or x86-64 PC and find that you can't disable Secure Boot, then the manufacturer has violated Microsoft's requirements. There is a darker side to this, though: Microsoft requires that Secure Boot can not be disabled by the user on ARM-based computers. The good news is that ARM devices that ship with Windows 8 are vanishingly rare -- they're mainly a few tablets and phones. Also, most manufacturers of such devices have long attempted to lock their devices down against end-user "tampering," so this really isn't anything new. (That's not to say isn't good, but if you're upset about it, you should have been equally upset about similar policies on lots of devices in the past, too.)

In sum, Chicken Little cries that the world is ending because of Secure Boot are ridiculous. Although Secure Boot could turn into a way to lock users into one OS, this risk is small for standard PCs and is no greater than the status quo for more specialized devices.

Zorba wrote:Contradictingly, Ubuntu official documentation says that UEFI mode extends the life of your battery and prevents your hardware from heating up while making your PC boot faster!!


I can't speak to heat, power, and battery-life claims, but EFI certainly can boot faster than BIOS. The effect occurs in the early stages of booting, before the GRUB menu appears, and it amounts to a savings of roughly 0-10 seconds. It's greater on the latest computers that take best advantage of EFI. (Early models often slapped EFI atop an inefficient BIOS, or didn't take advantage of some of the opportunities that EFI presents for shaving a few milliseconds off the boot time here and there, so there's no advantage on such computers.)

Zorba wrote:If this is the case why would Linux support this mode?


Because Linux must. Walk into a Fry's, Best Buy, or WalMart today and buy a standard x86-64 laptop or desktop computer. It will almost certainly have EFI firmware, not the old-style BIOS. A Linux distribution that ignores this fact and that sticks stubbornly to the BIOS mode of booting will be extinct before too long, or at least relegated to a niche category.

(There are ways to boot in BIOS mode even on a new EFI-based computer, but they tend to be inefficient and they make dual-booting harder.)

Zorba wrote:Now I'm worried sick about my laptop. Do I have to format it again and disable this mode?


No. If it's booting fine now it won't stop booting just because you used EFI. (Of course, it might stop booting for any number of reasons, but the same is true of a BIOS-mode installation.) Nor will Microsoft, Apple, the NRA, or Green Peace be able to take control of your computer just because you used EFI or Secure Boot.
srs5694
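
The firmware state discussed in the post above can be read directly on a running Linux system. The following is an added example, not part of the original post or of any project mentioned in it: it reports whether the kernel was booted in UEFI mode and whether Secure Boot is enforced, by parsing the standard `SecureBoot` and `SetupMode` EFI variables exposed under `/sys/firmware/efi/efivars`. The function names are illustrative.

```python
import os

# GUID of the EFI global-variable namespace, where firmware publishes
# SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_flag(efivars_dir, name):
    """Return the one-byte value of an EFI global variable, or None.

    An efivarfs file is a 4-byte little-endian attribute word followed by
    the variable data; SecureBoot and SetupMode carry one data byte.
    """
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except (FileNotFoundError, PermissionError):
        return None
    if len(raw) < 5:
        return None  # truncated or malformed entry
    return raw[4]  # skip the attribute word, take the data byte


def boot_security_state(efi_root="/sys/firmware/efi"):
    """Summarise firmware mode and Secure Boot state (hypothetical helper)."""
    if not os.path.isdir(efi_root):
        # No EFI runtime interface: the system was booted in BIOS/CSM mode.
        return {"firmware": "BIOS", "secure_boot": None, "setup_mode": None}
    efivars = os.path.join(efi_root, "efivars")
    sb = read_efi_flag(efivars, "SecureBoot")
    sm = read_efi_flag(efivars, "SetupMode")
    return {
        "firmware": "UEFI",
        # True means only binaries signed by an enrolled key are run.
        "secure_boot": None if sb is None else sb == 1,
        # True means no Platform Key is enrolled, so keys can be added
        # freely and signatures are not enforced.
        "setup_mode": None if sm is None else sm == 1,
    }


if __name__ == "__main__":
    print(boot_security_state())
```

A result of `None` for `secure_boot` on a UEFI system means the variable could not be read (for example, efivarfs is not mounted), not that Secure Boot is off.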

Re: Can UEFI/secure boot brick your PC and violate your free

Postby WinterTroubles on Thu Jun 05, 2014 9:09 pm

srs5694

I know your above post wasn't aimed at me, but, thank you for taking the time as you've just deepened my understanding of UEFI, which can only be a good thing :D
