Fedora to use Microsoft-signed bootloader on EFI Secure Boot enabled hardware

Discussion in 'all things UNIX' started by Gullible Jones, May 31, 2012.

Thread Status:
Not open for further replies.
  1. http://mjg59.dreamwidth.org/12368.html

    This seems like an exceptionally bad idea to me. But then again, everything associated with EFI Secure Boot has seemed like an exceptionally bad idea to me.

    Speaking of which, I had no idea how bad the ARM situation was. Vendors are required to keep Secure Boot on, with no option to turn it off? Please explain to me how that is not anticompetitive!
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I disagree. It's actually pretty cool. Secureboot has incredible potential for Linux security. All anyone has to do is pay 90 dollars (it's less to get accepted into DistroWatch) and they're included in the key.

    Also it seems that you can turn it off. I haven't seen anything indicated otherwise.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    This is awesome, wonder what the haters are going to spin now.

    Hope Ubuntu follows suit, then Xubuntu/Mint should be compatible, whenever I buy a new MB.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's not hard to spin anything. Because MS has massive market share Fedora is now forced to pay just to be able to boot on "Windows 8 Approved Systems." If MS weren't so dominant they could take their time or even choose not to implement the feature.

    Still, I really am glad that Secureboot is coming to Linux. I definitely hope it's picked up. Ubuntu has canonical behind them so shelling out 90 bucks isn't an issue.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Actually, it would be worse if MS wasn't so dominant, just read this:

    If MS wasn't so dominant, they would also be in the situation Fedora is in, the entire MB purchase process would become a fragmented hell for consumers trying to pick the one that works with your system.

    MS's dominance in this regard ensures that every MB manufacturer will WANT to have their keys and if Linux distros like Fedora only need to leach off MS's keys that solves everything for Linux.

    Also, $99? Most low-popularity Linux distros have donation links, I think the fans would be more than willing to help out for a good cause, I know I would.

    Indeed, just read this, seems like it will really beef up security even for Linux:

     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah my statement was an oversimplification. I mean, if MS weren't dominant the world would be a very different place. My only point is that Fedora isn't implementing this because they want to they're implementing it because the vast majority of computers being sold to users will run Windows and they don't want to get locked out.

    Definitely. 90 isn't much at all but it's more of the principal of it.
     
  7. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Hopefully multi booting several different distros or installing say Vbox, will by the time the dust has settled pose no problems.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  9. This is all assuming Microsoft is trustworthy. How do we know MS doesn't put a backdoor in the bootloader, courtesy of the federal government? How do we know other companies that sign bootloaders won't do that? Granted that they probably don't now... How do we know they won't in the future?

    This may be great for security against malware, but IMO it's placing far too many variables out of the control of the users and in the control of corporations (and by extension, governments).
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It is very simple to verify that the bootloader they provide to MS hasn't been changed.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    You seem to forget the fact that secure boot can be disabled.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's up to the PC makers.
     
  14. sunoracle

    sunoracle Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    51
    I've seen a number of mentions of not being able to disable it on the ARM platform.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's true, on ARM you're locked in apparently.

    Dell will be providing other PCs with the ability to disable it though and multiple other OEMs will almost certainly do the same.

    It also is discouraging if you have to say "Hey, you can dual boot your system and get the best of both worlds! Except you have to disable a really important security feature..."
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Err, that's not what the first paragraph of the article says:

    But that's besides the point, you painted your blog in such a doom and gloom way it made me wonder if you knew.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    My earlier post on it was much more positive.

    Good to know that they'll be required to allow users to disable it. The last I'd heard was that they'll provide the means to do so but not require anyone, which is when Dell came out and stated they'd allow people to disable it.

    edit: And I haven't found any other sources saying they require this, do you have another one?

    Regardless of being able to disable it harder to convince people to use a dual boot configuration when you have to tell them to disable a security feature. By design the feature locks unsigned code out and that's a problem for Linux, especially on ARM where you can't disable it (unuless this has changed as well.)
     
  18. sunoracle

    sunoracle Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    51
    At which point you have paid for a feature you can't use.

    I think secure boot could have been done in a way that was open, and not dependent upon MS.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Unfortunately I don't think it's possible for this.
    See: http://lists.fedoraproject.org/pipermail/devel/2012-May/167698.html

    I hope that it is the case that Microsoft forces OEMs to allow users to disable it. It just sucks that the choices for Linux are:
    1) "Install Linux, you just have to disable a security feature"
    or
    2) Pay Microsoft
     
    Last edited: Jun 1, 2012
  20. guest

    guest Guest

    Protecting the pre-OS environment with UEFI

     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    And for ARM?

    Again, great that users can disable it. Doesn't really change much. Options for installing Linux are "disable security" or pay up.
     
  22. guest

    guest Guest

    They are free to sell ARM devices with their distros as long as they pay for the manufacturing etc.
     
  23. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    No, it was news to me when I read it here.

    No idea about ARM, but I'm not sure what you mean by convincing people to use a dual boot config. Why are you trying to "convince" people to do something? If they want to do it they do it, if they ask for your help, help them. If I understood you correctly it sounds like you're complaining because its harder to make people do something they otherwise wouldn't want to.

    Anyway, back to the point, you can boot both Windows 8 and Linux in dual boot fine with Secure Boot off. You're not losing anything by doing so, you're just not gaining anything.

    I don't think anyone will be paying for a motherboard just because it has secure boot, especially Linux users. It will just come with the next motherboard upgrade and the user can choose if the feature is useful to them or not.

    I have to agree with Hungry on this case, I personally don't see how something that is inherently intended to restrict code execution be implemented in an open way. Do you have any ideas?
     
  24. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Except for the fact you're looking at it from a view that you've lost security. You haven't, you've just not gained any. You can't complain that a Linux distro isn't compatible with a core feature of secure boot (Digital Certificates). If that bothers you, blame the secure boot designers and suggest something better. But I'd wager anything more "open" than the current implementation would further (the risk of a cert going missing is a valid one in any implementation) risk the feature being defeated in some form.
     
  25. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Can you please explain what kind of "security" will I have with UEFI secure boot that will protect me more than I'm protected now (on a normal BIOS)?
     
Loading...
Thread Status:
Not open for further replies.