secure boot


secure boot

Postby Calle » Sun Feb 24, 2013 7:08 am

I am, like a lot of other people, concerned about privacy; it almost became an obsession at some point.

I know free software does not support secure boot[1]. Should I be concerned about this? Is it supported by some packages?

Last edited by Calle on Sun Feb 24, 2013 7:24 am, edited 1 time in total.
Do you want to help the Free Software Foundation Europe?
Do you want to learn what a hacker really is? Learn from Stallman! From 2:40 he talks about us.

Re: secure boot

Postby xenopeek » Sun Feb 24, 2013 7:22 am

Out of the box, Linux Mint does not yet work with secure boot. You can disable secure boot in your computer's UEFI, which you can access as you start your computer. Your computer manual will have more information for doing that. Computers that come preloaded with Windows 8 will have secure boot enabled by default; older computers are unlikely to have secure boot enabled (or have it at all).


Re: secure boot

Postby srs5694 » Sun Feb 24, 2013 11:45 am

There are definitely open source programs, and entire Linux distributions, that do support Secure Boot. The two individual programs available at the moment are:

  • Shim -- This program was developed by Matthew Garrett at Red Hat and is currently used by Ubuntu 12.10 and Fedora 18 (although Ubuntu's version is older and less flexible). Shim works by doing its own Secure Boot checks using cryptographic signatures, similar to the way secure Web sites work. EFI boot loaders, and often kernels, must be signed with a cryptographic key in order to be booted.
  • PreBootloader -- This program was written by James Bottomley of the Linux Foundation. AFAIK, it's not currently used by any Linux distribution. It works by enabling the end user to manually add CRCs of binaries to a "whitelist" of programs that are approved. This is simpler for an individual to do than the signing used by shim, but it requires the end user to take that action once for each binary, unlike shim, which can be configured in a way that requires no special actions on the part of the user.

As a practical matter, it's best for a Linux distribution, such as Mint, to include one or the other program in its package set. In this capacity, shim makes more sense but it takes more effort by the developers to set it up, and it works best if the developer is willing to shell out $100 for the right to get a custom-signed version of shim. PreBootloader is easier for a cash-strapped mini-distribution to use, and it's also likely to be easier for an individual to use with a distribution that doesn't support Secure Boot "out of the box." In such a case, it's necessary to temporarily disable Secure Boot in order to install Linux and either shim or PreBootloader. Once everything is installed, you can then re-enable Secure Boot.

In the long run, Secure Boot is likely to be nothing more than an annoying bump in the road for Linux; distributions are already beginning to include Secure Boot support (although Mint doesn't yet do so), and with a good implementation, you might not even realize that you're using Secure Boot unless you need to do something advanced like compile your own kernel. As the tools mature, Secure Boot will become more transparent even to such advanced operations.
