At last some good news

Story: Secure Boot bootloader for distributions available now
Total Replies: 20
tracyanne

Dec 01, 2012
6:57 PM EDT
with all the usual caveats due to the necessity of having to trust non community entities.
Ridcully

Dec 01, 2012
8:54 PM EDT
Tracyanne, does this mean Microsoft's UEFI lock is now circumvented ? Or is it that a Microsoft key is needed to make the secure bootloader.......and then if everybody has the same secure bootloader, then does the same key fit all computers ? I am now totally confused, but one interpretation could be that Microsoft's UEFI has been rendered useless ?
tuxchick

Dec 01, 2012
8:59 PM EDT
You still need the Microsoft key. This just makes it a little easier.
Ridcully

Dec 01, 2012
11:59 PM EDT
Thanks Tuxchick.....okay, so I see it like this. Let's pretend we have just bought a Win8 - UEFI boot controlled computer. IF, and only IF the UEFI bootloader can be turned "off" so it no longer requires the Microsoft key, Linux can be loaded onto and will replace a Win8 system without any reference to Microsoft and assuming you only want to run a standard, vanilla Linux system.......But if you can NOT turn off UEFI, the new computer is a very expensive doorstop unless you want to restrict yourself to a Redmond controlled universe or unless the distro you want to install has one of these "shim keys". How am I doing ?

Lemme make a guess. Business and those in the know will hang onto Win7 (or earlier) systems like crazy because they know those versions can be placed easily into virtual machines on top of Linux servers......yes ?? And I also strongly suspect that the problems Microsoft has brought into computer hardware with its UEFI lock will mean that business and those in the know, will resist hardware upgrades as long as possible in order to avoid the problems that UEFI is now causing.

Oh yes, and on a personal matter, I thought I knew the fundamental meaning of the phrase "loathe and detest Microsoft and all its works".........I have just had UEFI re-education on that point and it didn't improve.
tuxchick

Dec 02, 2012
2:26 AM EDT
You should be able to turn off Secure Boot in your shiny new UEFI BIOS. It's part of the spec that users must be allowed to disable it, or install their own private keys. All this drama over these shims and workarounds is for enabling Linux users who aren't comfortable with poking around in their BIOS to run Linux on their Win 8 computers. Or to use Secure Boot more easily. I think it's all a bunch of half-baked bushwah.
Ridcully

Dec 02, 2012
2:43 AM EDT
Thanks Tuxchick......under those circumstances, UEFI becomes an April shower in a teacup......and not a big shower at that. Really, the only nauseating bits are that I perceive it's Redmond engineered in order to attempt to control the "great unwashed masses". Oh.......and I truly really haven't bought a shiny new Win8 machine. I'd run a mile before I did that, or if I did, Redmond would NEVER get the chance of logging it as a sale via internet registration..........ever.
tuxchick

Dec 02, 2012
3:07 AM EDT
Same here. I do not buy Windows PCs, except when I actually need Windows. My last windowz computer is my Thinkpad I bought a couple years ago to get Windows 7. What I'm not clear on is how new UEFI mobos are shipping, with or without "secure" boot enabled. At any rate, Microsoft inserting itself into an industry standard yet again is just business as usual for a craven industry that lets itself be bullied by Redmond.
Fettoosh

Dec 02, 2012
10:49 AM EDT
Personally, I used, managed, developed on, and supported Windows. But I never bought my own copy of or a computer with Windows. I never will because I never liked it or liked PCs in general until I saw Linux.

I bought two HP Evo PCs many years back when they came with Mandrake. The latest desktop PCs I purchased were from Newegg; they are booksize barebones that I assembled myself and that have never seen Windows.

Newest Model of the nt-Series

tracyanne

Dec 02, 2012
6:25 PM EDT
Quoting: Personally, I used, managed, developed on, and supported Windows. But I never bought my own copy of or a computer with Windows.


Same here. Windows was either supplied, or it was in my contract that the client supply a copy.

Now that I'm officially retired (actually I receive a carer's pension to look after my partner, who has a heart condition) I don't have to touch Windows, so I don't.
tracyanne

Dec 02, 2012
6:28 PM EDT
Actually, even though this shim now makes it possible to install Linux over Windows 8, I still won't purchase any computer with Windows pre-installed. There are now several places here in Australia offering computers with Linux (mostly Ubuntu) pre-installed, and many of those offer the same hardware cheaper than with Windows, so I actually have a real choice.
BernardSwiss

Dec 02, 2012
9:26 PM EDT
Well, for what it's worth...

A "Windows 8 Certified" / Windows 8 Logo-ed PC is supposed to have two relevant features regarding the UEFI Secure Boot implementation.

1) A physically present user can disable and re-enable Secure Boot mode. (How simple or difficult this might be is "up to the OEM").

2) A physically present user can enroll a Secure Boot key of their own choice. (Again, how simple or difficult this might be is "up to the OEM").

also,

3) That user can always restore the Microsoft Secure Boot key (a sort of "reset to default" option).

CFWhitman

Dec 03, 2012
10:54 AM EDT
The problem with "Secure Boot" isn't really how it affects most people who already use Linux. They will generally know or discover how to handle this relatively quickly. The problem is with live CD trials and/or new installations. A person who hasn't used Linux will not be able to easily put a disc in his optical drive or a USB key into a slot, reboot, go to the boot device select menu, select the device, and boot into a live Linux session or start installing Linux. That could be a serious impediment to the growth of Linux. This development may help mitigate that issue.

You have to realize that Linux desktop installations have increased significantly over the last several years. Its growth in enterprise settings is particularly worrisome to Microsoft. "Secure Boot" is designed to help curtail easily trying Linux out, or, if you're one of those that has received a Linux box at your workplace, switching your home computer to what you've started to use at work.
jdixon

Dec 03, 2012
11:24 AM EDT
> That user can always restore the Microsoft Secure Boot key (a sort of "reset to default" option).

So when the Microsoft Secure Boot is finally hacked, there will be no way to actually secure the system, as it can always be restored. Wonderful move. :(
caitlyn

Dec 03, 2012
12:40 PM EDT
Actually, SUSE says they will use Matthew Garrett's code but will use a self-signed key rather than the Microsoft key. So... it is possible to get around using the Microsoft key entirely.
tuxchick

Dec 03, 2012
1:29 PM EDT
It is possible to avoid using the MS key only if you don't want to run Windows 8 with Secure Boot. The spec allows for only a single key, which is why all this hoop-jumping and nutty workarounding with shim bootloaders to load additional keys. And the fact that these workarounds are possible reinforces my belief that Secure Boot is security theater.
caitlyn

Dec 03, 2012
1:51 PM EDT
tc: I'm not disagreeing with you at all. I've been saying the only reason for UEFI Secure Boot is to lock in Windows for quite some time. I've been called paranoid and worse since you can turn it off. Sure you can, but as we read in Jesse Smith's piece for DistroWatch last week, it's often not documented by the vendor and is anything but easy. Anyone who isn't quite technically literate isn't about to try installing Linux on a new system or, if they do try, they aren't going to succeed easily. This is precisely what MS wanted in the first place.
tuxchick

Dec 03, 2012
2:42 PM EDT
Yep.
tracyanne

Dec 03, 2012
4:29 PM EDT
Time to start helping those companies, like ZaReason, who pre-install Linux by buying their product, so that they can reach the sorts of volumes that reduce prices to a point where there is a competitive advantage.
tuxchick

Dec 03, 2012
7:19 PM EDT
Quoting: Time to start helping those companies, like ZaReason, who pre-install Linux by buying their product, so that they can reach the sorts of volumes that reduce prices to a point where there is a competitive advantage.


Amen, sistah!
BernardSwiss

Dec 03, 2012
7:57 PM EDT
tuxchick wrote: It is possible to avoid using the MS key only if you don't want to run Windows 8 with Secure Boot. The spec allows for only a single key, which is why all this hoop-jumping and nutty workarounding with shim bootloaders to load additional keys. And the fact that these workarounds are possible reinforces my belief that Secure Boot is security theater.
(emphasis mine)

And there you have it: "Secure Boot" -- as it has been implemented -- is more concerned with controlling the user, rather than enabling the user to improve the security of his/her system.
Ridcully

Dec 03, 2012
10:55 PM EDT
Agreed BernardSwiss.....I have believed since day 1 of this disgusting episode that UEFI wasn't about security and said words to that effect in my post above:

Quoting: Really, the only nauseating bits are that I perceive it's Redmond engineered in order to attempt to control the "great unwashed masses".


Redmond is now getting seriously worried about increasing Linux uptake on commercial/corporate desktops and the use of Android by the younger generation. Anything that can be used to slow down the uptake of Linux on the laptop/desktop will be employed by this utterly amoral and unethical company. A flat commercial playing field dominated by simple competition is furthest from Redmond's concepts.
