
Linux Distros Supports Secure Boot UEFI, FOR SOME TIME!

http://techreport.com/news/27999/windows-10-pcs-wont-need-a-secure-boot-off-switch

 

 

That said, common Linux distributions like Ubuntu and Fedora have worked with Microsoft to get their bootloaders signed with the company's key, and other, distribution-agnostic workarounds do exist. As a result, Linux won't necessarily be locked out on PCs with Secure Boot permanently enabled.

 

I'm just tired of seeing people scream over the fact that many are saying Linux and SteamOS will be unusable.

 

IT'S NOT!

 

Major Linux distros now support Secure Boot UEFI and only require you NOT to flash your USB using tools like Rufus or the Windows 7 USB tool, but instead to copy and paste the files of the extracted ISO onto the USB (ensuring you have boot from USB set first, or manually choose to boot from it).

 

I'm currently using Secure Boot on both my laptop and self-built desktop. They have Ubuntu and Mint respectively, all under UEFI Secure Boot.

 

This does affect smaller distros that are not commonly used, making it harder for them to ask Microsoft to sign their distro.

Microsoft should give the Unix board a key, assuming that they can keep it secure, so they can manage signing software.

With the nature of Linux, not everyone will win if they attempt to have a more secure environment, since Secure Boot is the way to go.

I like comparing Secure Boot to what HTTPS is trying to achieve; all it needs is Microsoft to have full participation in signing distros, or to hand a key to an authority that audits a distro's code.

 

Operating systems that are user-compiled by necessity, like Gentoo Linux, might require complex workarounds for Secure Boot, and there's no guarantee that OEMs will continue allowing end users to modify the database of approved keys in firmware.

Information Security is my thing.

Running an entry/mid-range PC, upgrading it slowly.


Future OSes will be able to deal with this.

It's like saying Vista should be able to load on Secure Boot because it's Windows.

Microsoft holds the keys; they could do what they did with Windows RT and lock it down completely if they wished.

 

 

The Ubuntu first-stage EFI bootloader is signed by Microsoft, but the key that is used for signing is one that's recommended by Microsoft, not one that's required by the Windows 8 certification

 

It will depend on how much noise Microsoft can handle before they allow it.

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


@MadSprite the problem with Secure Boot, it's forcing Linux distros to have a workaround <-- this word. This should not be the case. Any hardware you bought with your money should not dictate what you can and cannot install (in this case support). Secure Boot / UEFI is MS's brainchild (not entirely). Essentially then all OEM hardware is Windows OS only! Forcing such technology and then holding the keys to that is not fair business practice. Because the workaround is dependent on Windows keys (I know, WTF right. Essentially at the mercy of MS). Anyone remember NETSCAPE!! Guess they never learn from their mistakes. Sigh


@DacStugly

 

You are right that they are dependent on Microsoft for signing the keys.

There is still a benefit working with Secure boot regardless as long as Microsoft is willing to be open to sign common linux distros.

With Secure Boot enabled, it prevents malware from being installed or utilizing your boot to install more malicious software/firmware.

This approach is the same as with web browsing, where an official digital certificate authority will sign website certificates in order to prevent you from visiting hijacked sites.

 

Until you see Microsoft not signing any more keys, it will be a problem.

 

 

I will add a note to the last quote of my post.

Yes, it does affect smaller distros that are not commonly used, making it harder for them to ask Microsoft to sign their distro.

Microsoft should give the Unix board a key, assuming that they can keep it secure, so they can manage signing software.

With the nature of Linux, not everyone will win if they attempt to have a more secure environment.


Ubuntu 14.04 LTS and 14.10 (I think?) actually support UEFI booting really easily. I've personally played around with them and I have to say the process is every bit as simple as Windows.

 

Also, you do realise that UEFI was originally a prerequisite of SteamOS? It was Stephenson's Rocket which added support for BIOS into the setup routine.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


So Microsoft should keep control of the system because.....what, reasons? If past actions, statements and court cases are anything to go by that's actually a pretty terrible idea. And no I do not subscribe to the "forgive and forget" philosophy, thanks but no thanks I will remember, bitterly.

-------

Current Rig

-------


And GNU/Linux distros becoming dependent on Microsoft is a good thing because....?

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


@MadSprite the problem with Secure Boot, it's forcing Linux distros to have a workaround <-- this word. This should not be the case. Any hardware you bought with your money should not dictate what you can and cannot install (in this case support). Secure Boot / UEFI is MS's brainchild (not entirely). Essentially then all OEM hardware is Windows OS only! Forcing such technology and then holding the keys to that is not fair business practice. Because the workaround is dependent on Windows keys (I know, WTF right. Essentially at the mercy of MS). Anyone remember NETSCAPE!! Guess they never learn from their mistakes. Sigh

You're too aligned with Richard Stallman for your own good. Hardware ALWAYS dictates what you may install on it until you crack it. Tech and software companies deserve to make money for the products they make and are entitled to making closed standards. Consumers are not King in the end.

Software Engineer for Suncorp (Australia), Computer Tech Enthusiast, Miami University Graduate, Nerd


You're too aligned with Richard Stallman for your own good. Hardware ALWAYS dictates what you may install on it until you crack it. Tech and software companies deserve to make money for the products they make and are entitled to making closed standards. Consumers are not King in the end.

 

I do take offence at the Richard Stallman remark ;).

 

1. Hardware does dictate what you install on it -> but this is only the architecture and the software. Example: ARM vs x86 (the machine language) and not BIOS & UEFI (how to initiate hardware). Essentially blocking that hardware from running any other software other than MS. The current UEFI was built on HP and Intel's code. Hence the UEFI consortium. Hardware vendors in the past have made it such that UEFI can be disabled; however MS is enforcing this (this is where the anti-competitive behaviour starts).

 

2. Tech and software companies deserve to make money for the products they make and are entitled to make it closed -> Sure, by all means, I would pay for it myself. But I do want my money's worth and the freedom to use it how I wish. It's like buying a car and the manufacturer is forced by the toll operator to limit the owners to drive on their roads only, just because they designed the ignition system with GPS. In most countries this would be unconstitutional.

 

3. Consumers are not King in the end --> Only because we do not know any better. Money talks and bullshit walks. Remember the Xbox One debacle. Consumers are the ones with the money. Business is all about supply and demand.

 

At the end of the day, if I cannot use something how I want it, I should not buy it. However, when such things like UEFI/BIOS, which is designed by a consortium and adopted by many as a standard for safer and more secure computing, a single for-profit company should be allowed to dictate the use of it.


I do take offence at the Richard Stallman remark ;).

 

1. Hardware does dictate what you install on it -> but this is only the architecture and the software. Example: ARM vs x86 (the machine language) and not BIOS & UEFI (how to initiate hardware). Essentially blocking that hardware from running any other software other than MS. The current UEFI was built on HP and Intel's code. Hence the UEFI consortium. Hardware vendors in the past have made it such that UEFI can be disabled; however MS is enforcing this (this is where the anti-competitive behaviour starts).

 

2. Tech and software companies deserve to make money for the products they make and are entitled to make it closed -> Sure, by all means, I would pay for it myself. But I do want my money's worth and the freedom to use it how I wish. It's like buying a car and the manufacturer is forced by the toll operator to limit the owners to drive on their roads only, just because they designed the ignition system with GPS. In most countries this would be unconstitutional.

 

3. Consumers are not King in the end --> Only because we do not know any better. Money talks and bullshit walks. Remember the Xbox One debacle. Consumers are the ones with the money. Business is all about supply and demand.

 

At the end of the day, if I cannot use something how I want it, I should not buy it. However, when such things like UEFI/BIOS, which is designed by a consortium and adopted by many as a standard for safer and more secure computing, a single for-profit company should be allowed to dictate the use of it.

So it's OK for Apple to use HFS+, a closed and proprietary standard on Macs, to prevent other OS installs outside of a VM (which is also possible on Windows too BTW), but when MS try to lock Windows down in the same way it's anti-competitive?

Please, if you don't wanna be locked into one OS then don't buy OEM and you're fine; don't blame MS for doing something their competition have been doing since day one.

It's funny that MS always take heat for stuff they do which Apple have done since day one and no one cares about.


So it's OK for Apple to use HFS+, a closed and proprietary standard on Macs, to prevent other OS installs outside of a VM (which is also possible on Windows too BTW), but when MS try to lock Windows down in the same way it's anti-competitive?

 

 

HFS+ = NTFS on MS. They already have a proprietary filesystem; it's NTFS. In the past you could not install Linux on that filesystem and even today it's not recommended or stable (although it's possible). The point I was trying to make is not the software/filesystem layer. Imagine if Seagate is forced by Windows to only allow installing their OS at the hardware level. On a Mac/Apple you can change that. Further, Apple uses EFI (from Intel); at the cost of firmware updates you can disable this feature. Further, Apple's business is sound. They do not sell their OS separate from the hardware and don't support the OS on other hardware unless it's their own. Problem solved. Hence the higher asking price for the technology they sell. In my mind this is absolutely fair, as pointed out by @patrickjp93. Even they do not lock down their hardware so you cannot install other OSes on them.

 

 

Please, if you don't wanna be locked into one OS then don't buy OEM and you're fine; don't blame MS for doing something their competition have been doing since day one.

It's funny that MS always take heat for stuff they do which Apple have done since day one and no one cares about.

 

Note: OEMs are manufacturers who resell another company's product under their own name and branding. (Eg. Dell, HP etc..)

 

OEMs essentially are selling their hardware bundled with Windows. Hence, why is Windows dictating what should run on the OEM hardware? They do however have 100% right to dictate how the software is used (copyright law). Going back to Apple's argument, the MS Surface Pro is 100% Microsoft = MacBook/iPad 2. That's fine by me. One should expect better performance of such a device since the hardware and software are tailored to each other.

Do not compare Apple and Windows. Apple's kernel is open sourced. Their OS is fully POSIX compliant. Their hardware is not locked down and they have a right to charge for the products they produce while not interfering in how and who uses them. This is not anti-competitive behaviour. They actually innovate and ask accordingly for that innovation. That does not mean Windows does not innovate. However they do engage in anti-competitive behaviour by forcing UEFI (or at least the keys) on OEMs to bundle Windows, essentially locking other OSes out. It looks like Internet Explorer vs Netscape all over again.


HFS+ = NTFS on MS. They already have a proprietary filesystem; it's NTFS. In the past you could not install Linux on that filesystem and even today it's not recommended or stable (although it's possible). The point I was trying to make is not the software/filesystem layer. Imagine if Seagate is forced by Windows to only allow installing their OS at the hardware level. On a Mac/Apple you can change that. Further, Apple uses EFI (from Intel); at the cost of firmware updates you can disable this feature. Further, Apple's business is sound. They do not sell their OS separate from the hardware and don't support the OS on other hardware unless it's their own. Problem solved. Hence the higher asking price for the technology they sell. In my mind this is absolutely fair, as pointed out by @patrickjp93. Even they do not lock down their hardware so you cannot install other OSes on them.

 

 

 

Note: OEMs are manufacturers who resell another company's product under their own name and branding. (Eg. Dell, HP etc..)

 

OEMs essentially are selling their hardware bundled with Windows. Hence, why is Windows dictating what should run on the OEM hardware? They do however have 100% right to dictate how the software is used (copyright law). Going back to Apple's argument, the MS Surface Pro is 100% Microsoft = MacBook/iPad 2. That's fine by me. One should expect better performance of such a device since the hardware and software are tailored to each other.

Do not compare Apple and Windows. Apple's kernel is open sourced. Their OS is fully POSIX compliant. Their hardware is not locked down and they have a right to charge for the products they produce while not interfering in how and who uses them. This is not anti-competitive behaviour. They actually innovate and ask accordingly for that innovation. That does not mean Windows does not innovate. However they do engage in anti-competitive behaviour by forcing UEFI (or at least the keys) on OEMs to bundle Windows, essentially locking other OSes out. It looks like Internet Explorer vs Netscape all over again.

 

Oh wow, I'm really sorry but I actually mistyped here. I didn't mean HFS+; what I actually meant to type was EFI (it was really early when I typed this out, plus HFS+ isn't closed or proprietary either).

 

Yeah, I am aware that HFS+ is just the Mac OS FS and really has nothing to do with them locking the system down.

 

The point still stands though: Apple choose to use EFI rather than UEFI on their systems precisely because they do not want users installing any other OS onto their systems. It achieves the same thing as MS forcing Secure Boot onto OEM machines, just by taking a different path. Plus don't forget MS are officially giving Windows 10 away for free this time around, and it's not like MS are jumping up and down to support a Windows install on a Mac now, is it. The only reason you can't walk into a shop and buy Mac OS 10 on DVD for a PC is because they choose to lock it down to Macs only; that was their decision, and you'd better believe that if they chose to make Mac OS 11 use UEFI and support any PC they'd have retail copies of it on shelves quicker than Superman on laundry day.

 

Also I don't think you really understand what Secure Boot actually does. It doesn't force anything to be installed in a hardware layer; what it does is create a partition on the main boot drive where the boot information is stored, then uses the Secure Boot key to encrypt the partition so only the system UEFI is able to see the contents, meaning it's not possible for any other boot loader and/or malware to alter the drive's boot information.

 

Furthermore I believe (though I might be wrong) that it's all academic anyway. I'd heard somewhere that the GRUB developers have worked out a way to install GRUB into a different partition on the SB-protected HD, then tell Linux to boot from GRUB rather than bootmgr, meaning that locking down a system with SB will only stop malware from attacking the boot information; Linux will just work around it.

 

Now onto OEMs.

 

You're looking at it too simplistically here. OEM hardware is not 100% owned by the OEM; they use (just one example of each BTW) Intel or AMD CPUs, Kingston RAM, Seagate HDDs, Nvidia GPUs etc, exactly like Apple do in their hardware. If Apple made PCs then they would be defined as an OEM, as they buy in hardware, build it into a system, then retail it on to the end user. Sure, I get the fact that there is an extra layer involved here: MS make the OS but they don't build the systems, unlike Apple who do both in house, but I don't see how that changes anything. If you're buying an OEM system which has come with a (possibly heavily discounted) license for Windows included in the price, then it's not unreasonable to ask the end user to respect the integrity of the software and to not alter it.

 

Plus I don't think they're forcing OEMs to lock machines down, are they? Isn't it just an option the OEM can choose to adhere to if they wish?

 

 

Hardware that sports the "Designed for Windows 8" logo requires machines to support UEFI Secure Boot. When the feature is enabled, the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot. This is a desirable security feature, because it protects from malware sneaking into the boot process. However, it has an issue for alternative operating systems, because it's likely they won't have a signature that Secure Boot will authorize. No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives. Hardware can be "Designed for Windows 10," and offer no way to opt out of the Secure Boot lock down. The choice to provide the setting (or not) will be up to the original equipment manufacturer.

 

As I suspected, if an OEM wants to have the Designed for Windows 10 logo they have to lock the system down; however there is nothing stopping them from selling their machines without the sticker and allowing SB to be disabled.

 

So I ask again, if it's OK for Apple to dictate to their customers that they must use Mac OS on their systems, why is it wrong for Microsoft to dictate that users must use Windows on their systems?


The point still stands though: Apple choose to use EFI rather than UEFI on their systems precisely because they do not want users installing any other OS onto their systems. It achieves the same thing as MS forcing Secure Boot onto OEM machines, just by taking a different path. Plus don't forget MS are officially giving Windows 10 away for free this time around, and it's not like MS are jumping up and down to support a Windows install on a Mac now, is it. The only reason you can't walk into a shop and buy Mac OS 10 on DVD for a PC is because they choose to lock it down to Macs only; that was their decision, and you'd better believe that if they chose to make Mac OS 11 use UEFI and support any PC they'd have retail copies of it on shelves quicker than Superman on laundry day.

 

[...]

 

So I ask again, if it's OK for Apple to dictate to their customers that they must use Mac OS on their systems, why is it wrong for Microsoft to dictate that users must use Windows on their systems?

Well yeah, Microsoft ain't a hardware company, Apple is. I don't think Microsoft cares on what type of personal computer you install the OS, Apple hardware included. They just want everybody to use it... Also, Windows 10 is a free upgrade for a year. So you need a valid Windows license within the first year of launch. After that, you'll be paying just as for past versions, so it's not free for ever (at least that's what we know for now). So if you install Windows 10 on a Mac, that means you paid for it (be it the 7/8 or full retail 10).

 

And for the Mac you're wrong. You can install whatever OS you want on it. I've installed Windows and Linux without any Apple software involved. You can just boot off a bootable drive as usual. I've used Ubuntu live CD, Disk Warrior and many other bootable discs in the past. The restriction is the other way around. OSX can't be installed on a normal PC. It validates that you're using Apple hardware, not that the Apple computer is running OSX. Once again, Apple is a hardware company. OSX is an incentive to buy their hardware.


Okay I am tired of people defending Microsoft over this change which is obviously bad for us consumers.

 

Here is how Secure Boot works (a lot of people defending Microsoft do not seem to understand it):

1) Your UEFI has a list of valid signatures stored on it.

2) All the components in the boot chain (first stage bootloader, second stage bootloader, kernel, some drivers etc) have to be signed.

3) When your UEFI tries to boot, it will compare each and every signature of the components in the bootchain. If it detects 1 signature in the boot chain that does not match a signature in the signature list it will refuse to boot.

 

That is how it works. "Linux distros supports secure boot" only means that step 2 is done, not step 1. The only company that can be sure that their signature will be in the list stored in UEFIs is Microsoft. The reason why is because companies contact Microsoft since they need things like Windows keys. For a GNU/Linux distro, they have to contact each and every motherboard manufacturer and ask them to include their key in the list. This is a huge task with minimal chance of success.

On top of taking a very long time, there is also a big chance of them just flat out being rejected. It costs a lot of money to keep a signature secure, and if a key is leaked then all computers with that key on the list will be deemed unsecure. Because of this, motherboard manufacturers don't want to add a bunch of keys to the list. Adding a key is also more work for the motherboard manufacturer since they need to validate that it is a real key.

 

Since it is such a huge task, distros like Ubuntu and Red Hat have come up with a way around this. Instead of making their own signatures they instead pay to have access to Microsoft's signature. So now they are signing their components with the same key as Microsoft. Any UEFI that supports Microsoft things will now support Ubuntu and Red Hat's distros as well... In theory (there have been some issues for some people).

 

Sounds good in practice, until you realize that Microsoft now has full control over the signatures of their competitors. They could kill off support for all distros using their key whenever they want by simply saying their old key is no longer valid and generating a new key.

 

If you don't understand why this is bad then let's make an analogy. Imagine if ALL ISPs in the world were owned by Comcast, and Comcast could shut down all other ISPs whenever they felt like it. This is the situation we are heading towards, except replace Comcast with Microsoft. Microsoft, a company which has a horrible track record when it comes to putting their own needs before customers, and for using anti-competitive tactics to gain an advantage. Nobody in their right mind would trust them.

 

Even if you disregard all the older history we still shouldn't trust Microsoft. Windows RT, the Windows version for ARM processors (like in the Microsoft Surface) REQUIRES that users were UNABLE to turn secure boot off. If manufacturers gave users the option to turn secure boot off then Microsoft did not allow that manufacturer to sell the device. Smartphone and tablet manufacturers are also pushing for locked bootloaders. For them it is great. It's a way to do planned obsolescence, and it also minimizes the risk of people messing up their devices.

 

Even people in the Microsoft "eco-system" could potentially be negatively affected by this. People sticking with Windows XP and 7 is a very bad thing for Microsoft since they want people being able to buy things from their store. If they were in control over which OS you can and can't use on your computer they would use Secure Boot to make sure you HAVE to upgrade. People who didn't upgrade could end up not being able to use newer hardware because newer hardware only allowed the latest Windows to boot.

 

 

 

 

But let's put all that aside. Let's say that this won't become an issue despite historical evidence pointing towards it being a real possibility. Why did they make this change? I believe that if you are going to change something then there should be a benefit to doing so. So even if all manufacturers just go "we should still give the users the option to unlock it", the outcome still won't be positive. This policy change from Microsoft can only end in two ways.

1) Nothing happens.

2) Customers get screwed.

None of the outcomes is enough for Microsoft to justify the change.

 

If you can't give me a reason why this change is good then you should frankly shut the hell up and stop defending Microsoft. They do not deserve being defended when they are making a change that has 0 benefits, but could potentially hurt consumers.

Also, don't bother responding to this post unless you can point out some factual error (objective, solid facts, not some opinion or how much you trust Microsoft or how this just moves the responsibility to OEMs) and also answer the question above about how this benefits consumers.
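The three-step description above (a list of trusted signers stored in the firmware, every boot-chain component signed, the boot refused on the first mismatch), together with the earlier points that distributions get their loaders signed under Microsoft's key, that a self-compiled system has to add its own key to the firmware's database of approved keys, and that the holder of a key could declare it invalid and so break every loader signed with it, can be walked through in a small model. The Python below is an added example, not code from this thread or from any firmware or distribution: the signing primitive is HMAC-SHA256 (a stand-in for the RSA/X.509 signatures real firmware checks, chosen so the example needs only the standard library), every authority name, secret and image is constructed sample data, and the chain policy is the simplified one the post describes, with one db/dbx consulted for every stage.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def image_hash(image: bytes) -> str:
    """Hash of a boot image; db/dbx entries can name images by hash as well as by signer."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class BootComponent:
    name: str
    image: bytes
    signer_cert_id: str   # identifies the certificate the firmware must find in db
    signature: bytes


@dataclass
class SigningAuthority:
    """Constructed key holder. 'secret' stands in for a private key; because HMAC is
    symmetric, the firmware stores the same secret where real firmware stores a cert."""
    name: str
    secret: bytes

    @property
    def cert_id(self) -> str:
        return hashlib.sha256(self.name.encode()).hexdigest()[:16]

    def sign(self, name: str, image: bytes) -> BootComponent:
        sig = hmac.new(self.secret, image, hashlib.sha256).digest()
        return BootComponent(name, image, self.cert_id, sig)


@dataclass
class Firmware:
    """Step 1 of the post: the firmware's trusted-signer list (db) and revocation list (dbx)."""
    db: dict = field(default_factory=dict)   # cert_id -> verification key
    dbx: set = field(default_factory=set)    # revoked cert_ids or image hashes

    def enroll(self, authority: SigningAuthority) -> None:
        self.db[authority.cert_id] = authority.secret

    def revoke(self, authority: SigningAuthority) -> None:
        self.dbx.add(authority.cert_id)

    def verify_chain(self, chain: list) -> tuple:
        """Step 3: check every component in order and fail closed on the first problem."""
        for comp in chain:
            if comp.signer_cert_id in self.dbx or image_hash(comp.image) in self.dbx:
                return False, f"{comp.name}: signer or image is revoked (dbx)"
            key = self.db.get(comp.signer_cert_id)
            if key is None:
                return False, f"{comp.name}: signer not in db"
            expected = hmac.new(key, comp.image, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, comp.signature):
                return False, f"{comp.name}: signature does not match image"
        return True, "all components verified"


def demo() -> dict:
    """Walk through the scenarios discussed in the thread; returns {scenario: (boots, reason)}."""
    ms = SigningAuthority("constructed Microsoft UEFI CA", b"ms-secret")  # constructed stand-in
    own = SigningAuthority("constructed self-built-kernel key", b"user-secret")
    fw = Firmware()
    fw.enroll(ms)                       # OEM firmware ships trusting only this signer

    # Step 2: a distribution whose whole chain is signed under Microsoft's key.
    shim = ms.sign("first-stage bootloader", b"constructed first-stage image")
    grub = ms.sign("second-stage bootloader", b"constructed second-stage image")
    kernel = ms.sign("kernel", b"constructed kernel image")
    results = {"ms_signed_distro": fw.verify_chain([shim, grub, kernel])}

    # A self-compiled kernel signed with the user's own key (the Gentoo case).
    own_kernel = own.sign("kernel", b"constructed self-built kernel image")
    results["self_built_before_enroll"] = fw.verify_chain([shim, grub, own_kernel])
    fw.enroll(own)                      # user adds their key to the approved-key database
    results["self_built_after_enroll"] = fw.verify_chain([shim, grub, own_kernel])

    # A modified kernel image still carrying the old signature: what the check is for.
    modified = BootComponent(kernel.name, kernel.image + b"-modified",
                             kernel.signer_cert_id, kernel.signature)
    results["modified_kernel"] = fw.verify_chain([shim, grub, modified])

    # The key holder revokes the key every distribution relied on: nothing signed by it boots.
    fw.revoke(ms)
    results["after_ms_key_revoked"] = fw.verify_chain([shim, grub, kernel])
    results["own_key_unaffected"] = fw.verify_chain([own_kernel])
    return results


if __name__ == "__main__":
    for scenario, (boots, reason) in demo().items():
        print(f"{scenario:26} {'boots' if boots else 'refused'}: {reason}")
```

Run directly, the block prints one line per scenario. The thread's worry is the second-to-last one: a single revocation by the key holder refuses every loader signed under that key, while a key the owner enrolled locally keeps working, which is exactly why the post treats dependence on one signer as the risk rather than Secure Boot itself.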


Well said @dmegatool & @LAwLz. @Master Disaster it is your choice to support MS. Who knows in the future they might defy all our speculation here prove us all wrong. But to date all we have is the facts and their past track record. It's not doing them any favors.

 

In the process UEFI has made it harder for alternative OSes (Haiku, ReactOS, FreeDOS) to exist or even compete on home desktops. Which is sad. The only people who are on the losing end are us, the consumers.
