The real problem here

Story: Debian Developers Discuss UEFI SecureBoot PlansTotal Replies: 7
Author Content
caitlyn

Jul 10, 2012
3:49 PM EDT
Quoting:The developers went over the UEFI SecureBoot state, the approach Fedora is going with, the major UEFI SecureBoot work being done by Red Hat's Matthew Garrett, SecureBoot on QEMU-KVM virtualization, and Ubuntu's controversial approach.

While this work was discussed, nothing genuinely new was brought up during the 45-minute discussion. It's still not decided what approach Debian will ultimately support whether it's like Fedora using GRUB2 and singing the entire stack, Ubuntu using efilinux and only signing the low-level bits, or some entirely new approach for handling EFI/SecureBoot. However, something has to be decided for Debian 7.0 "Wheezy" seeing as when it ships early next year there will be a number of motherboards and PCs shipping with this headache-inducing technology.


The news in this article as that there is no news. Both Red Hat and Canonical did what they felt they had to do to survive. Both approaches have drawn ire from around the Linux community. Neither approach is a real solution to the real problem. The real problem is that UEFI doesn't enhance security and does curtail the freedom of users. The real problem is that Microsoft still is enough of a virtual monopoly to shove UEFI down the throat of hardware manufacturers and OEMs, many of whom will swallow it willingly. The net effect is that the public gets UEFI shoved down our collective throats as well.

Quoting:It is quite possible that one or more OEM's will simply not bother to implement the option to disable SecureBoot or put it in but not adequately test it. Current certification requires a switch to be available but no requirement for this to be obvious.


Worse, on ARM, where Microsoft has not been able to get a foothold in the marketplace, they are insisting that it cannot be turned off and that it's Windows 8 RT or the highway.
Bob_Robertson

Jul 10, 2012
4:43 PM EDT
"they are insisting that it cannot be turned off and that it's Windows 8 RT or the highway."

To the extent that manufacturers do not tell Microsoft to shove it, is the extent to which Microsoft controls the computing market.

This may be the break point, where Microsoft finally pushes the issue far enough that the OEMs decide.

It will, at least, be interesting.
kennethh

Jul 10, 2012
6:15 PM EDT
I don't see Debian going along with the status quo, they will likely make no changes as it's not their problem. Will debian work on your pc? More then likely but it may not be able to boot so that you can actually run debian.

[rant] As far as ARM goes that would be quite a monopolistic move on the part of Microsoft who is bold enough to go down that road, this is something that will either cost them money or a real revelating turn to show the masses that it's not just the big banks who run the show but also other NGO's... But, I don't forsee this as happening, I do however envision this as a something that both China & the E.U. tackling in the near future.

Here I am though in amazement of how this is playing out. Thankfully there is plenty of hardware out there to choose from for personal use. For those cross-developer's I feel your pain and just wished to hell you would have quit supporting non-free software long ago so that you could jump ship w/out care like myself & others. Now your stuck in the shackles of MSFT and their minions: _____.[/rant]
gary_newell

Jul 10, 2012
7:21 PM EDT
I think the ARM device thing isn't so much a problem. There are more than enough android devices out there and I don't see Microsoft instantly stealing the market that Google has managed to generate. Therefore there will be windows devices and android devices (and Apple I guess. Yawn). How well has Microsoft done with their mobile devices thus far. They haven't really gained much of a foothold in the mobile phone market.

The desktop/laptop market bothers me a little bit. Yes the secure part can be turned off but why should Microsoft be able to control how everyone now has to operate? It is almost as bad as their idea that people should pay tax to pay for their security fixes.

The Fedoras, Debians, Suses and Ubuntus of the world will find a way around this issue but what about all the smaller distros, the 3 men in a room distros? Will this kill them off?
caitlyn

Jul 10, 2012
7:46 PM EDT
Quoting:Yes the secure part can be turned off
Don't be so sure. That will be determined by the OEM. It's their choice, not yours or mine, and Microsoft can bring all sorts of pressure to bear behind the scenes to eliminate that choice. Worse, you may not even know if the option exists on a given piece of consumer hardware until you have it in your hands.

Quoting:but what about all the smaller distros, the 3 men in a room distros? Will this kill them off?
No. First, per what Red Hat claims about their solution, you can buy a signed key for $99 if you really want your distro to work on UEFI enabled hardware. Second, this only applies to new hardware and some of those systems will have the ability to disable UEFI because corporate customers will demand it.
BernardSwiss

Jul 10, 2012
9:49 PM EDT
It's my understanding that a Secure Boot enable/disable switch is listed as a "Mandatory" requirement, to qualify for Microsoft's Wibdows 8 certification and logo program.

from the site: http://msdn.microsoft.com/en-us/library/windows/hardware

PDFs here: http://msdn.microsoft.com/library/windows/hardware/hh748188

Quoting: this document: http://msdn.microsoft.com/en-us/library/windows/hardware/jj1...

17. Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

    [1] It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

    [2] If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.

    [3] The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.


18. Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems.


Of course, that's the "official" documentation. Six or so months ago these weren't laid out so carefully, because of course, actual details were "officially" purely the responsibility of the OEMs. (Hah!)

And how well these requirements will actually be implemented, or whether they will actually be properly tested, is still an open question. After all, it's not like we haven't seen major OEMs like Foxcon or Gigabyte screw it up, and even reply to complaints that the problem isn't a bug in their implementation, but simply caused by not using Windows.
Fettoosh

Jul 11, 2012
11:03 AM EDT
Quoting:Six or so months ago these weren't laid out so carefully, because of course, actual details were "officially" purely the responsibility of the OEMs. (Hah!)


That is what I recall reading in Matt Garrett's early articles too, non-ARM were left to the OEMs to decide. Now MS is making it a mandated requirement. I would wait a little longer to see what the EU is going to say about locking down ARM based systems and whether MS is going to change its mind or not. I bet keeping UEFI on ARM based systems locked is not going to fly with the EU, which will prevent MS from doing business unless it makes it open just like Intel based systems.

Quoting:After all, it's not like we haven't seen major OEMs like Foxcon or Gigabyte screw it up, and even reply to complaints that the problem isn't a bug in their implementation, but simply caused by not using Windows.


I have couple Foxconn low cost mini-form factor (NanoPC) systems and I can tell you their BIOS is not that reliable. I guess they recognize that and made a special button available on front panel to push and reset the CMOS when it miss behaves. I had to use that on occasions. They are bare-bone systems and no mention of Windows or Microsoft in their web pages at all.

These systems are low cost but very functional and performance is really good and they have everything the average user needs in a computer. Atom CPUs, 4 GB mem, small SATA drive bay (Memory & Drive not included), Wireless & Ethernet, 6 USB ports, HDMI, VGA, and Audio. I haven't had any issues running Linux (Kubuntu) at all and everything worked without needing any special configuration or attention. The only thing I occasionally need is to reset the CMOS by holding the reset button for 4s.

I think such systems are not going to have any UEFI unless MS resorts to arm twisting. We will see.

penguinist

Jul 11, 2012
11:28 AM EDT
Fettoosh: The problem with these Atom based boxes like the Foxconn is that the accelerated driver is not available yet for Linux.

I picked up a Foxconn nT-i1500 which is based on the Intel D2700 which includes a GMA3600 graphics core (based on the proprietary PowerVR design), and was hoping to use it as a high power media center, but I was disappointed to see that the performance of the non-accelerated driver was quite insufficient to drive even a 720p signal to the hdmi output.

Alan Cox submitted the gma500 driver to the kernel in version 3.4, so that part is in place (for example in an updated Fedora 17), but right now the only user space xorg driver that supports it is "fbdrv" which has limited resolution and no acceleration support.

So, the bottom line seems to be that these systems based on the Intel Atom cpu/gpu combinations are not ready for Linux-PrimeTime yet.

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!