Re: [Discuss] UEFI secure boot pre-loader security considered further Re: Fwd: [linux_forensics] Did you see this ? - Linux Foundation Announces Secure Boot Solution ....
Rich Pieri wrote: Jerry Feldman wrote: The bottom line here is that UEFI will prevent some Linux users from installing Linux, especially in the near future. No, it will not. Anyone who tells you otherwise is either lying or has bought into the anti-Microsoft propaganda. There is no truth to the claim that UEFI Secure Boot will lock users out of running the OS of their choice. I haven't seen any recent articles that have made this claim. What I have seen expressed is a concern that non-technical users that aren't comfortable changing BIOS settings will find the requirement to turn off secure boot too high of a barrier to trying out a Linux CD. Whether that's true is another matter. I'm sure such users exist, but how many people are adventurous enough to want to try a Linux CD, but not knowledgeable enough to change BIOS settings? I guess with the quantity of Ubuntu CDs handed out at user group meetings, and subsequently being passed on to colleagues, there could be a bunch of casual users curious to check it out. The dual-boot issue Jerry mentioned I hadn't heard of before. I agree that further confirmation is required before that is declared a problem. In the case of ARM hardware that ships with Windows 8, which is Windows Phone and Surface/RT, you can't run Linux on any of it anyway due to lack of hardware support. UEFI Secure Boot has nothing to do with that. I don't understand what you mean by lack of hardware support. Have you seen the wide range of ARM-based devices that Linux has been ported to? Do you really believe it would take more than a few weeks for some motivated Linux hackers to port Linux to the Surface tables, if there wasn't a BIOS barrier? (Chances are, they'll do it anyway. Should probably do a search on YouTube to see if it has already happened.) -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] UEFI secure boot pre-loader security considered further Re: Fwd: [linux_forensics] Did you see this ? - Linux Foundation Announces Secure Boot Solution ....
On Mon, 05 Nov 2012 13:00:56 -0400 Tom Metro tmetro+...@gmail.com wrote: I haven't seen any recent articles that have made this claim. What I The Linux Foundation article that sparked this thread repeatedly made precisely this claim. have seen expressed is a concern that non-technical users that aren't comfortable changing BIOS settings will find the requirement to turn off secure boot too high of a barrier to trying out a Linux CD. This is a legitimate concern, true, but it has nothing to do with UEFI Secure Boot per se. BIOS and EFI changes were required in the early days of SATA disks due to lack of driver support in the Linux kernel. These changes sometimes still are required, notably on computers using soft RAID drivers and Intel RST. The dual-boot issue Jerry mentioned I hadn't heard of before. I agree that further confirmation is required before that is declared a problem. Agreed, and this is a thing that requires verifiable testing. Some web site I read said... doesn't cut it. This is something I intend to do but I need time to do it right and materials to ensure that I have a viable backout plan. I don't understand what you mean by lack of hardware support. Have you seen the wide range of ARM-based devices that Linux has been ported to? Do you really believe it would take more than a few weeks I've seen more ARM devices that don't have Linux ports (Newton, the entire line of Windows Phone devices for examples) along with plenty of incomplete ports (like the iPAQ and Palm Tungsten lines). Given that it took a team of clever folks several years to get Familiar into a usable state on iPAQ, and that's only a portion of the devices sold under that brand, I genuinely do not expect anyone will get a working Linux deployment on ARM Surface with just a few weeks worth of effort. -- Rich P. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] UEFI secure boot pre-loader security considered further Re: Fwd: [linux_forensics] Did you see this ? - Linux Foundation Announces Secure Boot Solution ....
The bottom line here is that UEFI will prevent some Linux users from installing Linux, especially in the near future. I suspect that all major distros will be able to install on a UEFI system with very little user interaction. However, we also need to gain some knowledge so that when we do encounter UEFI at installfests, we know what to do. On 11/02/2012 08:59 AM, Bill Ricker wrote: On Thu, Nov 1, 2012 at 4:02 PM, Rich Pieri richard.pi...@gmail.com wrote: This is a lie. Harsh. Not all errors are lies. Sometimes people are just wrong without malice. Writing is an inexact science. Sometimes editing for style destroys accuracy, even with formerly technical people doing it. The statement is closer to the UEFI's (failed) intent than it's (actual) result, but is not phrased thus, so it is false in detail. I didn't read the rest of the article. Your loss. If your point is it only prevents execution of unsigned bootloaders, you are correct. The rest of the article explains that. Since you already knew that, no loss to you perhaps. The intent of course is to prevent installing malware, Hackintosh, Linux, and *BSD. But no one expects it will prevent VMware, IBM, HP, Oracle from shipping ESX RHEL OEL Solaris86 to their commercial server customers. So far I've seen PLANS by top distros and the Foundation to buy a Key from M$. I will be happy when i see evidence they've received the goods. Will MS accept their money, or make some excuse to defend their monopoly? The wrong sentence we should take exception to is Bottomley noted that this pre-bootloader “provides no security enhancements over booting linux with UEFI secure boot turned off,” This does not seem true, since it will require a user acceptance of an unsigned 2nd load, it will provide a bar to programatic reboot to elevate privilege by starting unattended install or installing a malware hypervisor when rebooting with a USB/DVD mounted. I won't call that a lie either, it's just sloppy thinking. Sounds like for SERVERS (that we often want to reboot remotely or automatically) we either need to turn UEFI SecureBoot off in the mobi FLASH UEFI settings OR stick to distros that have their own purchased signatures. Servers mostly use the big three or their derivatives anyway, but Debian still has some % of server share, this may push them to Ubutu's Server spin. -- Jerry Feldman g...@blu.org Boston Linux and Unix PGP key id:3BC1EB90 PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90 ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] UEFI secure boot pre-loader security considered further Re: Fwd: [linux_forensics] Did you see this ? - Linux Foundation Announces Secure Boot Solution ....
On Fri, 02 Nov 2012 10:17:21 -0400 Jerry Feldman g...@blu.org wrote: The bottom line here is that UEFI will prevent some Linux users from installing Linux, especially in the near future. I suspect that all No, it will not. Anyone who tells you otherwise is either lying or has bought into the anti-Microsoft propaganda. There is no truth to the claim that UEFI Secure Boot will lock users out of running the OS of their choice. If you buy x86 hardware with the Windows 8 sticker then it MUST be possible to disable UEFI Secure Boot. Microsoft will not allow the manufacturer to ship the hardware with Windows 8 otherwise. I keep hearing about how manufacturers will forget to include the option. No, they won't forget, or they'll correct it with a hotfix, because if they forget and don't fix then Microsoft will pull their Windows 8 certifications and the OEMs don't get to ship Windows 8 until they undergo the certification process again. If you buy x86 hardware without the Windows 8 sticker then it won't have UEFI Secure Boot enabled or it will be a switch for specific operating systems that have signed boot loaders. In none of these cases does UEFI Secure Boot prevent the installation and operation of the OS of your choice. In the case of ARM hardware that ships with Windows 8, which is Windows Phone and Surface/RT, you can't run Linux on any of it anyway due to lack of hardware support. UEFI Secure Boot has nothing to do with that. major distros will be able to install on a UEFI system with very little user interaction. However, we also need to gain some knowledge so that when we do encounter UEFI at installfests, we know what to do. I am writing this right now on a Dell (Alienware) notebook running Windows 7. The system firmware has UEFI Secure Boot which Windows 7 does not recognize. I use a Clonezilla live USB image to perform backups with this firmware on the system. I sometimes try out new Linux live CD spins on it. None of these recognize or support UEFI Secure Boot and none of them are blocked by it. Why? Because it's turned off. You shut it off in the EFI configuration screen. That's it. Press whatever key sequence during POST, shuffle over to the appropriate settings tab, and set it to OFF. Save and reboot. Do the same thing on servers -- although why you'd buy a server with Windows 8 on it is beyond me. The Windows 8 trust chain runs from the firmware all the way up through the kernel going multi-user (maybe further; I'm not sure about that). Each step of the startup process validates the signature on the next step before executing it. Linux has no such trust chain so there's no point to having UEFI Secure Boot enabled on Linux computers. Just turn it off. In the oddball case where you need Secure Boot and you can't use one of the Big Three-provided signed boot loaders then install your own certificates in the UEFI protected storage and use that to sign your otherwise standard boot loader. The example that I'm looking at requires three commands with the Windows 8 SDK (because if you're even looking at this option then you have Windows 8) to generate the certificates and one to sign an EFI executable. Installing the certs from the EFI shell is a simple process: Enroll KEK, Enroll PK. Copy the self-signed EFI loader to the correct place and you're done. -- Rich P. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss