Fedora to use Microsoft-signed bootloader on EFI Secure Boot enabled hardware

http://mjg59.dreamwidth.org/12368.html

This seems like an exceptionally bad idea to me. But then again, everything associated with EFI Secure Boot has seemed like an exceptionally bad idea to me.

Speaking of which, I had no idea how bad the ARM situation was. Vendors are required to keep Secure Boot on, with no option to turn it off? Please explain to me how that is not anticompetitive!

 

I disagree. It's actually pretty cool. Secureboot has incredible potential for Linux security. All anyone has to do is pay 90 dollars (it's less to get accepted into DistroWatch) and they're included in the key.

Also it seems that you can turn it off. I haven't seen anything indicated otherwise.

 

This is awesome, wonder what the haters are going to spin now.

Hope Ubuntu follows suit, then Xubuntu/Mint should be compatible, whenever I buy a new MB.

 

It's not hard to spin anything. Because MS has massive market share Fedora is now forced to pay just to be able to boot on "Windows 8 Approved Systems." If MS weren't so dominant they could take their time or even choose not to implement the feature.

Still, I really am glad that Secureboot is coming to Linux. I definitely hope it's picked up. Ubuntu has canonical behind them so shelling out 90 bucks isn't an issue.

 

Actually, it would be worse if MS wasn't so dominant, just read this:

If MS wasn't so dominant, they would also be in the situation Fedora is in, the entire MB purchase process would become a fragmented hell for consumers trying to pick the one that works with your system.

MS's dominance in this regard ensures that every MB manufacturer will WANT to have their keys and if Linux distros like Fedora only need to leach off MS's keys that solves everything for Linux.

Also, $99? Most low-popularity Linux distros have donation links, I think the fans would be more than willing to help out for a good cause, I know I would.

Indeed, just read this, seems like it will really beef up security even for Linux:

 

Yeah my statement was an oversimplification. I mean, if MS weren't dominant the world would be a very different place. My only point is that Fedora isn't implementing this because they want to they're implementing it because the vast majority of computers being sold to users will run Windows and they don't want to get locked out.

Definitely. 90 isn't much at all but it's more of the principal of it.

 

Hopefully multi booting several different distros or installing say Vbox, will by the time the dust has settled pose no problems.

 

P.S. I wrote about this a few hours ago.

 

This is all assuming Microsoft is trustworthy. How do we know MS doesn't put a backdoor in the bootloader, courtesy of the federal government? How do we know other companies that sign bootloaders won't do that? Granted that they probably don't now... How do we know they won't in the future?

This may be great for security against malware, but IMO it's placing far too many variables out of the control of the users and in the control of corporations (and by extension, governments).

 

It is very simple to verify that the bootloader they provide to MS hasn't been changed.

 

https://insanitybit.wordpress.com/2...r-linux-what-it-means-for-the-little-guys-12/

To skip to the conclusion:

 

You seem to forget the fact that secure boot can be disabled.

 

That's up to the PC makers.

 

I've seen a number of mentions of not being able to disable it on the ARM platform.

 

That's true, on ARM you're locked in apparently.

Dell will be providing other PCs with the ability to disable it though and multiple other OEMs will almost certainly do the same.

It also is discouraging if you have to say "Hey, you can dual boot your system and get the best of both worlds! Except you have to disable a really important security feature..."

 

Err, that's not what the first paragraph of the article says:

But that's besides the point, you painted your blog in such a doom and gloom way it made me wonder if you knew.

 

My earlier post on it was much more positive.

Good to know that they'll be required to allow users to disable it. The last I'd heard was that they'll provide the means to do so but not require anyone, which is when Dell came out and stated they'd allow people to disable it.

edit: And I haven't found any other sources saying they require this, do you have another one?

Regardless of being able to disable it harder to convince people to use a dual boot configuration when you have to tell them to disable a security feature. By design the feature locks unsigned code out and that's a problem for Linux, especially on ARM where you can't disable it (unuless this has changed as well.)

 

At which point you have paid for a feature you can't use.

I think secure boot could have been done in a way that was open, and not dependent upon MS.

 

Unfortunately I don't think it's possible for this.
See: http://lists.fedoraproject.org/pipermail/devel/2012-May/167698.html

I hope that it is the case that Microsoft forces OEMs to allow users to disable it. It just sucks that the choices for Linux are:
1) "Install Linux, you just have to disable a security feature"
or
2) Pay Microsoft

 

Protecting the pre-OS environment with UEFI

 

And for ARM?

Again, great that users can disable it. Doesn't really change much. Options for installing Linux are "disable security" or pay up.

 

They are free to sell ARM devices with their distros as long as they pay for the manufacturing etc.

 

No, it was news to me when I read it here.

No idea about ARM, but I'm not sure what you mean by convincing people to use a dual boot config. Why are you trying to "convince" people to do something? If they want to do it they do it, if they ask for your help, help them. If I understood you correctly it sounds like you're complaining because its harder to make people do something they otherwise wouldn't want to.

Anyway, back to the point, you can boot both Windows 8 and Linux in dual boot fine with Secure Boot off. You're not losing anything by doing so, you're just not gaining anything.

I don't think anyone will be paying for a motherboard just because it has secure boot, especially Linux users. It will just come with the next motherboard upgrade and the user can choose if the feature is useful to them or not.

I have to agree with Hungry on this case, I personally don't see how something that is inherently intended to restrict code execution be implemented in an open way. Do you have any ideas?

 

Except for the fact you're looking at it from a view that you've lost security. You haven't, you've just not gained any. You can't complain that a Linux distro isn't compatible with a core feature of secure boot (Digital Certificates). If that bothers you, blame the secure boot designers and suggest something better. But I'd wager anything more "open" than the current implementation would further (the risk of a cert going missing is a valid one in any implementation) risk the feature being defeated in some form.

 

Can you please explain what kind of "security" will I have with UEFI secure boot that will protect me more than I'm protected now (on a normal BIOS)?