  1. #1
    Linux Engineer hazel's Avatar
    Join Date
    May 2004
    Location
    Harrow, UK
    Posts
    1,167

    Linux Foundation comes up with a solution to UEFI secure boot


    Here's another thing I found in the Forum eBulletin. Basically what is being suggested is a digitally-signed "pre-boot" which then chain-loads your Linux bootloader. To ensure that the pre-boot does not get corrupted by malware, it would not load anything without the user's OK.
    "I'm just a little old lady; don't try to dazzle me with jargon!"

  2. #2
    Linux Enthusiast cousinlucky's Avatar
    Join Date
    Dec 2005
    Location
    New York City
    Posts
    676
    I needed that years ago.
    PCLinuxOS Gnome and PCLinuxOS Mate
    Linux user # 414321
    You Should Not Give In To Evils, But Proceed Ever More Boldly Against Them!! -from book six of Virgil's Aeneid
    Everything Within The Universe Is Related; We Are All Cousins!!

  3. #3
    oz
    forum.guy
    Join Date
    May 2004
    Location
    arch linux
    Posts
    18,733

    Ouch!

    I'm really happy that they've found a fix but find it irritating and unnerving that Microsoft has to be a part of any Linux solution for using computer hardware:

    In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which will, in turn, chain load (without any form of signature check) a predesignated boot loader which will, in turn, boot Linux (or any other operating system)
    oz

  4. #4
    Just Joined!
    Join Date
    Oct 2012
    Location
    Fort Worth, Texas
    Posts
    8
    Had to boot KNOPPIX from a flash-drive on a new HP last week. Went into the BIOS and boot-menu and found six options; UEFI- hard-drive, media (USB or CD), and network or Legacy- hard-drive, media (USB or CD), and network.
    Selected Legacy- media, and got to work.

  5. #5
    Just Joined!
    Join Date
    Oct 2012
    Location
    Fort Worth, Texas
    Posts
    8
    I suspect that someone from the Linux Foundation got a message through to Microsoft saying, in essence, "you can pass us a key for Secure Boot, or we can publish the code that simply breaks the lock. Which is going to look better in the news while you're launching Windows8?"

  6. #6
    Just Joined!
    Join Date
    Dec 2010
    Posts
    21
    I have another solution for Secure Boot. Just disable the sucker and forget it. Better yet, just switch to Legacy Bios. I have done a bit of research on this because for the past few days I have been fighting with getting Mint 14 to install correctly under UEFI with Secure Boot disabled. Even though Mint 14 is using Ubuntu's workaround I'm still having tons of problems. I really wanted it to work because of the faster hardware access coupled with a fast 64 bit system. People are calling the new bios/uefi systems hybrids but they really are not. These are bios based systems that have a Uefi interpreter. It's nothing more than a boot manager that's used when called on by a system when it requires UEFI such as a system that needs Secure Boot. It's a very small part of what would otherwise be a large UEFI code base with much more functionality than these systems have. This was told to me by a Microsoft engineer. This may account for a lot of confusion people have about what they read on Uefi and what they experience in practice.

    Last I heard, and it's January 31 now, the Linux Foundation is still struggling to get its system to work properly. I read that hardware developers are struggling to make device drivers that work well with UEFI. Then there is also this wonderful video showing the joys and horrors of a UEFI system that's not ready for prime time. It tells of UEFI's many bugs and an industry that doesn't have good standards in place to fix the issues: EFI and Linux: the future is here, and it's awful - Matthew Garrett - YouTube

  7. #7
    oz
    forum.guy
    Join Date
    May 2004
    Location
    arch linux
    Posts
    18,733

    UEFI Secure Boot Fix Released

    The Linux Foundation's fix for UEFI Secure Boot has reportedly been released, but I have no idea about how well it works:

    Linux Foundation Secure Boot System Released
    Last edited by oz; 02-11-2013 at 05:55 PM. Reason: oops, left out a word
    oz

  8. #8
    Just Joined!
    Join Date
    Dec 2010
    Posts
    21
    Originally posted by oz:
    The Linux Foundation's fix for UEFI Secure Boot has reportedly been released, but I have no idea about how well it works:

    Linux Foundation Secure Boot System Released
    Thanks for the update Oz. But I take serious issue with this:
    Originally this was going to be part of our signed release kit. However, during testing Microsoft discovered that because of a bug in one of the UEFI platforms, it could be used to remove the platform key programmatically, which would rather subvert the UEFI security system.
    This is Pure BS. It would not subvert the UEFI security system; it might subvert UEFI's feature called Secure Boot. They are trying to use UEFI and Secure Boot as one and the same to throw people off and further confuse this issue. According to the Windows Hardware Certification Requirements for Client and Server Systems, the user must have the ability to remove any PKs (platform keys) they wish to remove, including Microsoft's, through the advanced settings in UEFI. Oddly enough, I cannot find one computer with these advanced settings enabled. They say one thing to pacify the masses then do another. (See my other posts on this issue.)

    I think it's great they released this but time will tell how well it plays with other boot managers and boot loaders. I have a feeling it's going to still have tons of problems and you'd be better off using legacy BIOS mode instead of UEFI.
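
To see which of the states discussed in this thread a running Linux system is in (legacy boot, UEFI with Secure Boot on or off, or Setup Mode, which the firmware enters when no platform key is enrolled), the standard UEFI variables can be read from efivarfs. This is an added example and not part of any post; the function names are illustrative, and the default path assumes efivarfs is mounted at /sys/firmware/efi/efivars and that `od` accepts `-j`/`-N` (GNU coreutils does).

```shell
#!/bin/sh
# GUID of the EFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b2c

# efivar_byte DIR NAME: print the first data byte of an efivarfs file as a
# decimal number. efivarfs prefixes every variable with a 4-byte attribute
# word, so the value itself starts at offset 4.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
}

# boot_state [DIR]: classify the firmware state from the SetupMode and
# SecureBoot variables. DIR defaults to the usual efivarfs mount point.
boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # No efivarfs directory: booted through legacy BIOS/CSM, or efivarfs
    # is simply not mounted. The two cannot be told apart from here.
    [ -d "$dir" ] || { echo "legacy-or-no-efivarfs"; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot) || sb=unknown
    sm=$(efivar_byte "$dir" SetupMode) || sm=unknown
    if [ "$sm" = 1 ]; then
        # SetupMode=1 means no platform key (PK) is enrolled, so Secure
        # Boot is not enforced and the key databases can be rewritten.
        echo "uefi setup-mode"
    elif [ "$sb" = 1 ]; then
        echo "uefi secure-boot-enabled"
    elif [ "$sb" = 0 ]; then
        echo "uefi secure-boot-disabled"
    else
        echo "uefi secure-boot-unknown"
    fi
}

# Report the state of the machine this runs on (or of the directory given).
boot_state "$@"
```

A machine that unexpectedly reports `uefi setup-mode` has lost its platform key, which is the condition the quoted release note was concerned about.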

  9. #9
    Linux Newbie SL6-A1000's Avatar
    Join Date
    May 2011
    Location
    Australia
    Posts
    119

    Originally posted by merelyjim:
    I suspect that someone from the Linux Foundation got a message through to Microsoft saying, in essence, "you can pass us a key for Secure Boot, or we can publish the code that simply breaks the lock. Which is going to look better in the news while you're launching Windows8?"
    lol you're probably right... Though put more eloquently. Someone probably has already broken the lock before Microsoft has agreed, that would be the leverage, or the Linux Foundation is paying Microsoft for a Secure Boot Key...

    Originally posted by DarkPenquin:
    I have another solution for Secure Boot. Just disable the sucker and forget it. Better yet, just switch to Legacy Bios. I have done a bit of research on this because for the past few days I have been fighting with getting Mint 14 to install correctly under UEFI with Secure Boot disabled. Even though Mint 14 is using Ubuntu's workaround I'm still having tons of problems. I really wanted it to work because of the faster hardware access coupled with a fast 64 bit system. People are calling the new bios/uefi systems hybrids but they really are not. These are bios based systems that have a Uefi interpreter. It's nothing more than a boot manager that's used when called on by a system when it requires UEFI such as a system that needs Secure Boot. It's a very small part of what would otherwise be a large UEFI code base with much more functionality than these systems have. This was told to me by a Microsoft engineer. This may account for a lot of confusion people have about what they read on Uefi and what they experience in practice.

    Last I heard, and it's January 31 now, the Linux Foundation is still struggling to get its system to work properly. I read that hardware developers are struggling to make device drivers that work well with UEFI. Then there is also this wonderful video showing the joys and horrors of a UEFI system that's not ready for prime time. It tells of UEFI's many bugs and an industry that doesn't have good standards in place to fix the issues: EFI and Linux: the future is here, and it's awful - Matthew Garrett - YouTube
    Originally posted by DarkPenquin:
    Thanks for the update Oz. But I take serious issue with this:

    This is Pure BS. It would not subvert the UEFI security system; it might subvert UEFI's feature called Secure Boot. They are trying to use UEFI and Secure Boot as one and the same to throw people off and further confuse this issue. According to the Windows Hardware Certification Requirements for Client and Server Systems, the user must have the ability to remove any PKs (platform keys) they wish to remove, including Microsoft's, through the advanced settings in UEFI. Oddly enough, I cannot find one computer with these advanced settings enabled. They say one thing to pacify the masses then do another. (See my other posts on this issue.)

    I think it's great they released this but time will tell how well it plays with other boot managers and boot loaders. I have a feeling it's going to still have tons of problems and you'd be better off using legacy BIOS mode instead of UEFI.
    My guess is that the hybrid you are talking about in your previous post is just a medium between the new and old. So while the current UEFI-enabled systems still have a legacy BIOS backend, it wouldn't be a surprise if the future motherboards and retail laptops, desktops etc. do not have this. To put it blatantly, it's all rather new technology and they can't just stop the old and bring in the new; it requires a phase-out period. Which would be a large reason why it can't just be ignored. Sure, you can run with the legacy BIOS for the time being, but at some point you will have to change over as it won't be a viable option, as in hardware capabilities etc.
    --------------------------------
    On the topic though, this preloader sounds very cool, sorta like what they should have introduced as a part of the GRUB2 bootloader or any bootloader. Although hopefully none of you get too annoyed at me to hear me out when I say the process seems convoluted...
    They have introduced a workaround for the problem, which is great, but why introduce it as a separate "pre-loader"; why make another step to worry about when booting up, i.e. more things that could possibly go wrong. Why not introduce it as a part of GRUB2 or GRUB, provide the code as source so that the current bootloaders in existence can integrate it into the features and it just becomes a part of what they develop and improve etc.
    Otherwise this whole pre-loader thing is just going to become another step, like an extension of what's there. It's all well and good if you understand what's going on, but you get to the newer users and the not so tech savvy, they are going to have a mental fit.
    So why the f' doesn't my Linux system boot, oh you're telling me because my laptop uses UEFI I need to have a preloader installed as well as a bootloader...!
    or
    My preloader won't recognize my bootloader even though I gave the preloader security permission.

    It just adds a hell of a lot more problems to what people already have trouble with; at least if it's integrated with the bootloader in use then the initial problems will be ironed out by the developers of the bootloader (i.e. the ones that understand it the best) and not a hit and miss with a mass influx of problems that I can just foresee arising.
    Last edited by SL6-A1000; 02-12-2013 at 12:32 PM.

  10. #10
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    794
    SL6, to answer your question about why sign the pre-loader and not the whole kernel/boot stack, read this page:
    [Phoronix] The UEFI SecureBoot Saga For Linux Continues
    "So, we'll be moving to requiring signed kernel modules and locking down certain aspects of kernel functionality. The most obvious example is that it won't be possible to access PCI regions directly from userspace, which means all graphics cards will need kernel drivers. Userspace modesetting will be a thing of the past." (This will also cause problems for the proprietary Linux graphics drivers.)
    So, there are two schools of thought here: Enable Linux to boot in a mixed environment or enable Linux to use the new software secure boot in the same way Microsoft does.
