UEFI secure booting and the future

[Dry Lips]

Seems like this issue is already causing trouble for people as we speak:
http://benjaminkerensa.com/2011/10/23/u ... gin-linux/

(Edit: this is the current UEFI without secure boot)

[rijnsma]

Yes there are more occurances already.
It is war.

By the way, do you know if it gives problems, when one has UEFI and ONLY Linux (one or more partitions)?
So when there's no Windows involved.

[xenopeek]

By the way, do you know if it gives problems, when one has UEFI and ONLY Linux (one or more partitions)?
So when there's no Windows involved.

From the article Dry Lips shared, it would be a problem even if only running Linux.

A suggestion: for all those out there who already have a UEFI BIOS, perhaps you should not update your BIOS version. If Linux currently works with your UEFI BIOS, it might not after the manufacturer makes an update that includes secure boot...

I have a Asrock H67E-GE/HT motherboard, and this has a UEFI BIOS. So no more BIOS updates for me

[rijnsma]

But in my opinion 'Secure Boot' was something from Microsoft?
What has that to do with EUFI from the hardware-guys? So why a problem if Windows is not on the machine??
I don't understand.
And why can UEFI not be switched off like Microsoft has said?
http://www.theregister.co.uk/2011/09/23 ... i_lock_in/

[Dry Lips]

Apparently Linux supports UEFI, but it can be complicated to set up. Not exactly noob friendly
in other words:

https://help.ubuntu.com/community/UEFIBooting

It also seems as if quite a few people have problems setting up a UEFI system:
http://askubuntu.com/search?q=uefi

---
Edit: This is current UEFI without secure boot.

[rijnsma]

So that will stop Linux altogether you think?
People find it hard enough like it was I think. (One of the reasons Linux is not big.)

[xenopeek]

But in my opinion 'Secure Boot' was something from Microsoft?
What has that to do with EUFI from the hardware-guys? So why a problem if Windows is not on the machine??
I don't understand.
And why can UEFI not be switched off like Microsoft has said?
http://www.theregister.co.uk/2011/09/23 ... i_lock_in/

Secure boot is a UEFI feature, it is not something Microsoft has invented. What Microsoft has said, is that Windows 8 won't run unless UEFI secure boot is enabled on a system. The problem here is that it is up to the BIOS / motherboard manufacturer if you can switch off UEFI secure boot in the BIOS or not. Microsoft are saying they have not mandated UEFI secure boot must always be on, only that it must be on to boot Windows 8. So it is up to the BIOS / motherboard manufacturer how to deal with this.

HP is selling its PC division, so perhaps they are not the best example currently...

[Dry Lips]

But in my opinion 'Secure Boot' was something from Microsoft?
What has that to do with EUFI from the hardware-guys? So why a problem if Windows is not on the machine??
I don't understand.
And why can UEFI not be switched off like Microsoft has said?
http://www.theregister.co.uk/2011/09/23 ... i_lock_in/

From wikipedia:

Red Hat developer Matthew Garrett in his article "UEFI secure booting" raised a concern that UEFI "secure boot" feature may impact Linux (machines with the Windows 8 logo with secure boot enabled that ships with only OEM and Microsoft keys will not boot a generic copy of Linux)[41][42] In response, Microsoft stated that customers may be able to disable the secure boot feature in the BIOS.[2][43] Concern remains that some OEMs might omit that capability in their computers.

https://secure.wikimedia.org/wikipedia/en/wiki/Uefi

[xenopeek]

Apparently Linux supports UEFI, but it can be complicated to set up. Not exactly noob friendly
in other words:

https://help.ubuntu.com/community/UEFIBooting

It also seems as if quite a few people have problems setting up a UEFI system:
http://askubuntu.com/search?q=uefi

Ah. That explains a lot. My UEFI BIOS has the "Compatibility Support Module", allowing BIOS based operating systems to boot as normal...

[Dry Lips]

Microsoft are saying they have not mandated UEFI secure boot must always be on, only that it must be on
to boot Windows 8. So it is up to the BIOS / motherboard manufacturer how to deal with this.

Which is a problem when you think of the fact that quite a few people use dual-boot systems.

[rijnsma]

Apparently Linux supports UEFI, but it can be complicated to set up. Not exactly noob friendly
in other words:

https://help.ubuntu.com/community/UEFIBooting

It also seems as if quite a few people have problems setting up a UEFI system:
http://askubuntu.com/search?q=uefi

Ah. That explains a lot. My UEFI BIOS has the "Compatibility Support Module", allowing BIOS based operating systems to boot as normal...

That's better.

Don't buy ever, ever, where-ever you are and go in the world locked UEFI. (Everybody in the world can read this. )

And sign: http://www.fsf.org/campaigns/secure-boot/

[viking777]

And sign: http://www.fsf.org/campaigns/secure-boot/

Good link rijnsma - I have signed up.

I urge everyone on this forum do the same.

[rijnsma]

[AlbertP]

Apparently Linux supports UEFI, but it can be complicated to set up. Not exactly noob friendly
in other words:

https://help.ubuntu.com/community/UEFIBooting

This is UEFI without secure boot - and that is working. UEFI with Secure Boot is more problematic.

[Dry Lips]

Apparently Linux supports UEFI, but it can be complicated to set up. Not exactly noob friendly
in other words:

https://help.ubuntu.com/community/UEFIBooting

This is UEFI without secure boot - and that is working. UEFI with Secure Boot is more problematic.

Yes, that links were made in the continuation of the blog post I referred to
about people having trouble with the present UEFI:
http://benjaminkerensa.com/2011/10/23/u ... gin-linux/

You're absolutely right... I'm going to edit my original post in order to
prevent confusion.

[xenopeek]

Canonical together with Red Hat have released a white paper on the impact of UEFI Secure Boot on Linux. Announcement and download here: http://blog.canonical.com/2011/10/28/wh ... -on-linux/

The three main recommendations from white paper below, but is worth to read it fully (just 9 pages):

• "We recommend that all OEMs allow secure boot to be easily disabled and enabled through a firmware configuration interface"
• "We recommend that OEMs (with assistance from BIOS vendors) provide a standardised mechanism for configuring keys in system firmware"
• "We recommend that hardware ship in setup mode, with the operating system taking responsibility for initial key installation"

The second one especially is important. Meaning, a user should be able to add custom keys to the system firmware to enable secure boot of any signed operating system. That would open the way for secure boot of Linux. Secure boot is actually a good security improvement, but then it needs these recommendations implemented (they should have been part of the UEFI standard ).

[rijnsma]

Of course. Everybody in the Secure Boot domain. (Also the prop. software like drivers and so on).
And if not it has to be switchable.
But not MS 'yes' and other systems 'no'.

Friendly document btw..

[AlbertP]

That's also what developers from Red Hat, Canonical and the Linux kernel suggest in this paper: http://ozlabs.org/docs/uefi-secure-boot ... -linux.pdf
It's a long piece of text but at the end they suggest offering to add the keys when removable media (CD, USB, etc.) is booted.

[xenopeek]

That's also what developers from Red Hat, Canonical and the Linux kernel suggest in this paper: http://ozlabs.org/docs/uefi-secure-boot ... -linux.pdf
It's a long piece of text but at the end they suggest offering to add the keys when removable media (CD, USB, etc.) is booted.

Eh, it's the same paper

[AlbertP]

You're right. That previous link was indeed the summary of the paper, with a link to the full paper.