UEFI secure booting and the future

Chat about just about anything else
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 30 days after creation.
factotum218

UEFI secure booting and the future

Post by factotum218 »

A friend emailed me this link:http://mjg59.dreamwidth.org/5552.html more less stating Apple??!! pfft, you haven't seen lock-in yet!

It seem that from what I've interpreted, it's absolute hardware/OS lock-in. Windows and windows only on the system, unless somehow the hardware vendors resist the bullying, which never lasts long.

As a genuine desktop linux enthusiast since Slackware 9, I've never used Linux in spite of another operating system, but this makes me sick. I've never been motivated to call...I don't know who...my local congressman?? LOL. This, whether or not it's legal, or will even gain traction with system sellers, is absolutely ridiculous!!!

Is there an actual possibility that I will not be able to choose what I run on my computer? I mean honestly, those that don't buy into it know full well that they will be able to charge a premium for freedium!

If I'm way off here, I'm sorry. But this just...pisses me off!
The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.
This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware.
Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.
Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
Reason: Topic automatically closed 30 days after creation. New replies are no longer allowed.
User avatar
xenopeek
Level 25
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: UEFI secure booting and the future

Post by xenopeek »

Well, I'm curious how long it will take after first hardware release with this that we will read about the private key being hacked :wink: Of course both Apple and Microsoft want to restrict their user's freedoms as much as possible, which should come as no surprise.

If and when this becomes reality, imagine being a Linux friendly hardware manufacturer... Those guys are going to get some extra customers :mrgreen:
Image
zerozero

Re: UEFI secure booting and the future

Post by zerozero »

a few more links about the problem
http://www.webupd8.org/2011/09/windows- ... qus_thread

http://www.omgubuntu.co.uk/2011/09/wind ... tallation/
(looks like finally it hit the popular linux-related websites)

http://www.h-online.com/security/news/i ... 35246.html
and
http://lwn.net/Articles/447381/
(some of the information here may be duplicated, anyway i think it should be shared)

and now call me paranoiac, but i believe this http://forums.linuxmint.com/viewtopic.php?f=61&t=81315 is related with this topic (i hope i'm wrong)
gosa
Level 4
Level 4
Posts: 317
Joined: Mon Nov 01, 2010 5:12 am
Location: Spain

Re: UEFI secure booting and the future

Post by gosa »

zerozero wrote:a few more links about the problem
http://www.webupd8.org/2011/09/windows- ... qus_thread

http://www.omgubuntu.co.uk/2011/09/wind ... tallation/
(looks like finally it hit the popular linux-related websites)

http://www.h-online.com/security/news/i ... 35246.html
and
http://lwn.net/Articles/447381/
(some of the information here may be duplicated, anyway i think it should be shared)

and now call me paranoiac, but i believe this http://forums.linuxmint.com/viewtopic.php?f=61&t=81315 is related with this topic (i hope i'm wrong)
That was some scary stuff to read...

One "thing though" - I assume this will never be an issue for people who buy the parts (motherboard, processor, memory etc. etc.) and build their own computers, right? That you will still be able to buy yourself the stuff from for example Newegg (don't know what's popular on the other side of the pond, here in Barcelona I use other stores) and just piece them together and install your favourite distor onto it?
(Maybe there's a possible market for me... building Minty boxes.... Hmmmmm....)
User avatar
xenopeek
Level 25
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: UEFI secure booting and the future

Post by xenopeek »

gosa wrote:One "thing though" - I assume this will never be an issue for people who buy the parts (motherboard, processor, memory etc. etc.) and build their own computers, right? That you will still be able to buy yourself the stuff from for example Newegg (don't know what's popular on the other side of the pond, here in Barcelona I use other stores) and just piece them together and install your favourite distor onto it?
(Maybe there's a possible market for me... building Minty boxes.... Hmmmmm....)
Oh gosh, I do hope so. I always build my own boxes :D
Image
kijin

Re: UEFI secure booting and the future

Post by kijin »

Linuxers are probably being a little too paranoid about this.

Most "enthusiast" motherboards from Asus, Gigabyte, MSI, etc. will probably provide a very easy way to disable secure booting in the BIOS. The Linux userbase may be small, but we comprise a relatively large portion of the "enthusiast" community. No motherboard manufacturer would want us to bad-mouth them in well-trafficked tech review forums.

Another speculation I've heard is that Win8 will refuse to boot in a computer with secure booting disabled, making it difficult to dual-boot Win8 with Linux once you've disabled it. I'm not sure what to make of this speculation, because it would also mean that none of the computers that currently run Win7 will be able to boot Win8, either. But that doesn't make any sense from money's point of view.

Now, tablets are a different question, because they tend to be less configurable than desktop and laptop PCs already. It's entirely possible that the next generation of Windows tablets will refuse to boot anything but Windows.
User avatar
xenopeek
Level 25
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: UEFI secure booting and the future

Post by xenopeek »

kijin wrote:Linuxers are probably being a little too paranoid about this.
Comes with the territory... *adjusts tin foil hat*
kijin wrote:Most "enthusiast" motherboards from Asus, Gigabyte, MSI, etc. will probably provide a very easy way to disable secure booting in the BIOS. The Linux userbase may be small, but we comprise a relatively large portion of the "enthusiast" community. No motherboard manufacturer would want us to bad-mouth them in well-trafficked tech review forums.
Good point :D
kijin wrote:Another speculation I've heard is that Win8 will refuse to boot in a computer with secure booting disabled, making it difficult to dual-boot Win8 with Linux once you've disabled it. I'm not sure what to make of this speculation, because it would also mean that none of the computers that currently run Win7 will be able to boot Win8, either. But that doesn't make any sense from money's point of view.
Yeah, lets just wait and see. I do have a tendency to jump on the "Doom! I tell you, we're doomed!" bandwagon :lol:
Image
Fandangio

Re: UEFI secure booting and the future

Post by Fandangio »

kijin wrote:Another speculation I've heard is that Win8 will refuse to boot in a computer with secure booting disabled, making it difficult to dual-boot Win8 with Linux once you've disabled it. I'm not sure what to make of this speculation, because it would also mean that none of the computers that currently run Win7 will be able to boot Win8, either. But that doesn't make any sense from money's point of view.
That's a good point and something I'd not really thought about. There would be no upgrade path from Win 7 to 8. Not even MS could be that stupid. Additionally many large companies (and users) are just moving to Win 7, Win 8 could be totally circumvented by many users as by the time they next upgrade Win9 will have probably been released!
Fandangio

Re: UEFI secure booting and the future

Post by Fandangio »

zerozero wrote:and now call me paranoiac, but i believe this http://forums.linuxmint.com/viewtopic.php?f=61&t=81315 is related with this topic (i hope i'm wrong)
I wonder if MS are responsible for that virus???
zerozero

Re: UEFI secure booting and the future

Post by zerozero »

Fandangio wrote: I wonder if MS are responsible for that virus???
i tend not to believe in coincidences :mrgreen:

i usually don't bash microsoft (since i stop using theirs products more than 2 years ago, i honestly couldn't care less about what they do or release) but of course some things (like this one or the 4 primary partitions shipped in several laptops) really **** me off

now there's 2 points raised above i would like to go back:
Most "enthusiast" motherboards from Asus, Gigabyte, MSI, etc. will probably provide a very easy way to disable secure booting in the BIOS. The Linux userbase may be small, but we comprise a relatively large portion of the "enthusiast" community. No motherboard manufacturer would want us to bad-mouth them in well-trafficked tech review forums.
true, but we're missing the big market, we are alienating a lot (maybe all) of newcommers;
That's a good point and something I'd not really thought about. There would be no upgrade path from Win 7 to 8. Not even MS could be that stupid. Additionally many large companies (and users) are just moving to Win 7, Win 8 could be totally circumvented by many users as by the time they next upgrade Win9 will have probably been released!
i wouldn't say stupid, greedy suits them better
altair4
Level 20
Level 20
Posts: 11427
Joined: Tue Feb 03, 2009 10:27 am

Re: UEFI secure booting and the future

Post by altair4 »

Speaking of stupid, some interesting observations on EFI by some guy named Linus something or other: http://kerneltrap.org/node/6884
So EFI has this cool shell, a loadable driver framework, and other nice
features. Where "nice" obviously means "much more complex than the simple
things they designed in the late seventies back when people were stupid
and just wanted things to work".

Of course, it's somewhat questionable whether people have actually gotten
smarter or stupider in the last 30 years. It's not enough time for
evolution to have increased our brain capacity, but it certainly _is_
enough time for most people to no longer understand how hardware works any
more.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
zerozero

Re: UEFI secure booting and the future

Post by zerozero »

this Roland Barthes paper describes what i think about Linus, the man and his work (wonderful btw)
User avatar
xenopeek
Level 25
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: UEFI secure booting and the future

Post by xenopeek »

Microsoft has directly responded to the concern from Red Hat on UEFI secure boot. I'm reading it now, but from the summary at top I'm breathing easier: http://blogs.msdn.com/b/b8/archive/2011 ... -uefi.aspx
Image
ThistleWeb

Re: UEFI secure booting and the future

Post by ThistleWeb »

Those hoping this won't apply to those who build their own have followed faulty logic to get that conclusion. All hardware is built to run Windows. It may be reasonably compliant or not crazy in the way it hooks into Windows so that it does run fine in Linux, but it's designed for the main use 99% of it's buyers will use it for; Windows. Those parts will be sold separately, as well as sold in bulk to vendors who then take them and build PCs to be sold as OEM prebuilds. If Microsoft mandate that this UFI secure boot must be in place for Windows 8, every hardware vendor will build their motherboards for that. Failure to do that will mean that 99% of their customers won't be able to use their product for it's intended purpose. It's either that or they advertise "won't work with Windows 8" on the product. Why would they make a product unfit for purpose intentionally?

The UFI future is coming. Microsoft have waited until the DOJ oversight has ended, and they have enough influence to ensure any anti-competition complaints just vanish without action to do this.

You'll notice they've been inspired by the Windows license runaround scam too. When you buy a prebuilt PC legally you can refuse the license and get a refund, but Microsoft, the retailer and vendor will all point you to each other in the hopes that you just get frustrated with the runaround that you give up and just accept you've paid for something you didn't want and can't get a refund on.

They're saying they demand the UFI enabled hardware, but insist it's up to the OEMs on whether to give out the keys allowing you to bypass it. In other words, "not our fault, see the OEMs". Sound familiar?

Right now there is no Linux hardware vendors. There are plenty who sell Linux compatible, or a few who do Linux prebuilds, but they're all working with hardware built for Windows that happens (for now) to be Linux friendly. With UFI being mandated, that compatible hardware will soon be extinct as new stock will be made with UFI.

The best hope we have is that it's like DRM, whereby there's a firmware flasher, vendors master key etc made available to bypass it. I'd bet on that. I'd also bet on the vendors playing the "piracy" and "security" cards when asked for the key to unlock something you already (in theory) own as a reason to refuse. I'd also bet on Microsoft "educating" OEMs that it's not in their interests to give out these keys to customers who demand it.

Perhaps it's time to make the opposition very vocal. Every PC that has this installed, slam it with 0 star reviews on every site you can find. "I want to run Linux, this vendor has actively decided to deny me that choice, it's not suitable, I'll buy something that is: lost sale".
gosa
Level 4
Level 4
Posts: 317
Joined: Mon Nov 01, 2010 5:12 am
Location: Spain

Re: UEFI secure booting and the future

Post by gosa »

ThistleWeb wrote: Perhaps it's time to make the opposition very vocal. Every PC that has this installed, slam it with 0 star reviews on every site you can find. "I want to run Linux, this vendor has actively decided to deny me that choice, it's not suitable, I'll buy something that is: lost sale".
- Me like!
AlbertP
Level 16
Level 16
Posts: 6701
Joined: Sun Jan 30, 2011 12:38 pm
Location: Utrecht, The Netherlands

Re: UEFI secure booting and the future

Post by AlbertP »

Secure boot only has to be in place on systems that have Windows 8 pre-installed. This is not a technical requirement but a licence requirement from MS. You will just be able to install Windows 8 on any system without secure boot. Only when you are a manufacturer and want to sell the Windows 8 computer, you have to enable secure boot, to avoid getting sued by Microsoft for breaking the licence.
Registered Linux User #528502
Image
Feel free to correct me if I'm trying to write in Spanish, French or German.
ThistleWeb

Re: UEFI secure booting and the future

Post by ThistleWeb »

AlbertP wrote:Secure boot only has to be in place on systems that have Windows 8 pre-installed. This is not a technical requirement but a licence requirement from MS. You will just be able to install Windows 8 on any system without secure boot. Only when you are a manufacturer and want to sell the Windows 8 computer, you have to enable secure boot, to avoid getting sued by Microsoft for breaking the licence.
This is true, but look at the loophole. Those vendors who piece systems together then install Windows need to get parts from somewhere. Those parts will be UFI enabled so that they can be sold in bulk to OEM vendors. If those parts are not UFI enabled, OEMs won't be able to buy and use them because the resulting product will break Microsofts spec. Any PC you buy with Windows 8 will have UFI enabled. The key is whether the OEM are gracious enough to allow you to bypass it.
AlbertP
Level 16
Level 16
Posts: 6701
Joined: Sun Jan 30, 2011 12:38 pm
Location: Utrecht, The Netherlands

Re: UEFI secure booting and the future

Post by AlbertP »

Those parts are UEFI enabled because the computer manufacturers flash a BIOS on it, which has UEFI enabled.

UEFI is just a BIOS feature. It isn't carved into silicon. And the BIOS is flashed by the OEM vendor or motherboard manufacturer. So you just depend on the goodwill of that company only.
Registered Linux User #528502
Image
Feel free to correct me if I'm trying to write in Spanish, French or German.
ThistleWeb

Re: UEFI secure booting and the future

Post by ThistleWeb »

AlbertP wrote:Those parts are UEFI enabled because the computer manufacturers flash a BIOS on it, which has UEFI enabled.

UEFI is just a BIOS feature. It isn't carved into silicon. And the BIOS is flashed by the OEM vendor or motherboard manufacturer. So you just depend on the goodwill of that company only.
Ahh, I didn't know that. In that case there is some rays of hope.
User avatar
xenopeek
Level 25
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: UEFI secure booting and the future

Post by xenopeek »

From the Microsoft clarification on UEFI and secure boot:
... For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision. ...
... In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. ...

Image
Image
Locked

Return to “Open Chat”