Page 1 of 1

secure boot

Posted: Sun Feb 24, 2013 7:08 am
by Calle
I am like a lot of other people concerned about privacy, it almost became an obsession at some point.

I know free sofware does not support secure boot[1] shall I been concerced about this? Is it supported by some packages?

[1]https://fsfe.org/campaigns/generalpurpo ... is.en.html

Re: secure boot

Posted: Sun Feb 24, 2013 7:22 am
by xenopeek
Out of the box, Linux Mint does not yet work with secure boot. You can disable secure boot in your computer's UEFI, which you can access as you start your computer. Your computer manual will have more information for doing that. Computers that come preloaded with Windows 8 will have secure boot enabled by default, older computers are unlikely to have secure boot enabled (or have it at all).

Re: secure boot

Posted: Sun Feb 24, 2013 11:45 am
by srs5694
There are definitely open source programs, and entire Linux distributions, that do support Secure Boot. The two individual programs available at the moment are:
  • Shim -- This program was developed by Matthew Garrett at Red Hat and is currently used by Ubuntu 12.10 and Fedora 18 (although Ubuntu's version is older and less flexible). Shim works by doing its own Secure Boot checks using cryptographic signatures, similar to the way secure Web sites work. EFI boot loaders, and often kernels, must be signed with a cryptographic key in order to be booted.
  • PreBootloader -- This program was written by James Bottomley of the Linux Foundation. AFAIK, it's not currently used by any Linux distribution. It works by enabling the end user to manually add CRCs of binaries to a "whitelist" of programs that are approved. This is simpler for an individual to do than the signing used by shim, but it requires the end user to take that action once for each binary, unlike shim, which can be configured in a way that requires no special actions on the part of the user.
As a practical matter, it's best for a Linux distribution, such as Mint, to include one or the other program in its package set. In this capacity, shim makes more sense but it takes more effort by the developers to set it up, and it works best if the developer is willing to shell out $100 for the right to get a custom-signed version of shim. PreBootloader is easier for a cash-strapped mini-distribution to use, and it's also likely to be easier for an individual to use with a distribution that doesn't support Secure Boot "out of the box." In such a case, it's necessary to temporarily disable Secure Booot in order to install Linux and either shim or PreBootloader. Once everything is installed, you can then re-enable Secure Boot.

In the long run, Secure Boot is likely to be nothing more than an annoying bump in the road for Linux; distributions are already beginning to include Secure Boot support (although Mint doesn't yet do so), and with a good implementation, you might not even realize that you're using Secure Boot unless you need to do something advanced like compile your own kernel. As the tools mature, Secure Boot will become more transparent even to such advanced operations.