Linked by Thom Holwerda on Thu 3rd Nov 2011 19:34 UTC, submitted by lucas_maximus
Hardware, Embedded Systems
A big issue right now in the world of operating systems - especially Linux - is Microsoft's requirement that all Windows 8 machines ship with UEFI's secure boot enabled, with no requirement that OEMs implement it so users can turn it off. This has caused some concern in the Linux world, and considering Microsoft's past and current business practices and the incompetence of OEMs, that's not unwarranted. CNet's Ed Bott decided to pose the issue to OEMs. Dell stated it has plans to include the option to turn secure boot off, while HP was a bit more vague about the issue.
RE[6]: Comment by Soulbender
by Alfman on Thu 3rd Nov 2011 23:38 UTC in reply to "RE[5]: Comment by Soulbender"
Alfman Member since:
2011-01-28

lucas_maximus,

"But you guys keep chanting the same shit again and again and again."

Until our concerns are addressed, I'm afraid you're going to have to continue listening to this same shit again and again... You haven't addressed them either by the way, I welcome answers from you or anyone else (although I need official sources in order to take them seriously), but it seems the details are being kept behind closed doors.

These are the same questions you haven't answered before, but feel free to take a stab at them this time:

Will dual booting be possible without switching bios settings back and forth and without crippling windows?

Will users be able to use system utilities like BartPE or Ultimate Boot CD?

Will owners be able to control the platform keys out of the box?

Will owners be able to get access to keys by contacting manufacturers?

Will manufacturers use shared or individual platform keys? If shared, then how can they transfer control for some machines while maintaining secure ownership of all the others? If individual, then how will they verify the ownership of the person requesting the transfer?

Will independent operating systems (smaller than linux) be able to get their keys signed in practice?

Will owners have the ability to not trust microsoft on their personal system?

How will manufacturers who hold the platform keys verify that independent operating systems (like Neolander's here) aren't in fact malware?

If an exploit is found in the installation media for a signed OS, will that key be revoked? If so, how will people reinstall their OS?

How will vendors convey these restrictions at the point of sale?

Will people be entitled to refunds if they find secure boot giving them trouble?

Will the manufacturers continue updating OS keys for older systems after warranties expire?

Can we trust that vendors won't tighten their grip over secure boot restrictions as time goes by and more and more systems have it installed?


You may find some of these questions irrelevant to you, but they are extremely relevant to anyone who believes in the merits of open computing.

Reply Parent Score: 8

lucas_maximus Member since:
2009-08-18

tl;dr;

Read the f--king article.

UEFI doesn't allow any OS interaction with it. That is the whole idea there isn't an OS API to interact with it .. which is why it is secure.

There are manufacturers (big ones) that say they aren't going to be dicks and not give you the option. Even the BIOS guys are saying "We want you do to it not piss people off". WTF more do you guys want?

You can boot your precious Operating System (I am an OpenBSD/Win 7 user).

GPL is incompatible with secure boot (thanks to RMS, but BSD is alright).

WTF more do you want?

Edited 2011-11-03 23:58 UTC

Reply Parent Score: 2

RE[8]: Comment by Soulbender
by Alfman on Fri 4th Nov 2011 03:17 in reply to "RE[7]: Comment by Soulbender"
Alfman Member since:
2011-01-28

lucas_maximus,

"tl;dr;"
"WTF more do you want?"

Honestly, I just want you to stop sidestepping the issues and then pretending you're right.

Edited 2011-11-04 03:27 UTC

Reply Parent Score: 6

RE[8]: Comment by Soulbender
by lemur2 on Fri 4th Nov 2011 03:37 in reply to "RE[7]: Comment by Soulbender"
lemur2 Member since:
2007-02-17

"There are manufacturers (big ones) that say they aren't going to be dicks and not give you the option."


That would be good, if true. However, to this point in time, it is just CNet's Ed Bott saying this, not manufacturers (big ones).

"Even the BIOS guys are saying 'We want you do to it not piss people off'."


Not a problem anyway, FOSS guys have their own BIOSes.

"WTF more do you guys want? You can boot your precious Operating System (I am an OpenBSD/Win 7 user). GPL is incompatible with secure boot (thanks to RMS, but BSD is alright)."


GRUB is GPL

http://en.wikipedia.org/wiki/GNU_GRUB

... but LILO isn't

http://en.wikipedia.org/wiki/LILO_%28boot_loader%29

... and Splashtop is proprietary.

http://en.wikipedia.org/wiki/Splashtop

"WTF more do you want?"


Control over hardware that we purchase. "Sovereignty", if you will. If the hardware has UEFI with secure boot, then the owner of the hardware (the person who pays for it) should be the one to have control over keys. Not OEMs.

Edited 2011-11-04 03:39 UTC

Reply Parent Score: 1

RE[7]: Comment by Soulbender
by Neolander on Fri 4th Nov 2011 07:42 in reply to "RE[6]: Comment by Soulbender"
Neolander Member since:
2010-03-08

Hi,

Did you have a look at the proposal made to the UEFI standards body to allow installing new signing keys from live media? It's linked to somewhere in the first 30 comments of this article. Although not yet full user control on keys (can users revoke the Microsoft key if they want to?), it would already be something...

Reply Parent Score: 3

RE[8]: Comment by Soulbender
by Alfman on Fri 4th Nov 2011 17:44 in reply to "RE[7]: Comment by Soulbender"
Alfman Member since:
2011-01-28

Neolander,

I think there are a number of possible remedies, the Linux Foundation's suggestion is good but toothless. Prompting the user about new media keys is good for choice, but admittedly somewhat dangerous. Ideally there needs to be a mechanism where a user can easily explicitly define the chain of trust (like going into the BIOS and configuring it), but accidental approval (like a y/n prompt) might be avoided. Of course now that the spec and windows certification requirements are in place, there isn't much room left for re-engineering.

The only engineering reason not to explicitly put the owner at the top of the secure boot trust model is for DRM. Either the engineers failed to anticipate the user restriction/control issues (in which case they deserve to lose their jobs), or they knew exactly what they were doing (in which case they knowingly committed a huge disservice for the personal computing community).

There is one subtle, but major technical issue with the current spec which means OEMs won't be able to transfer control over shared OEM platform keys to individual end users even if they wanted to in the future (using the mechanisms in the spec). Resetting the PK requires a token signed by the old private platform key, however this token would be effective on any system, which means whoever possesses this reset token could incorporate it into malware and therefore compromise the secure boot security of every other computer sharing the same platform key. This ultimately means OEMs will not be able to release PKs in the future unless they explicitly engineer some alternate backdoor mechanisms up front.

Hopefully there is enough public criticism to make a difference and force secure boot to be fixed.

Reply Parent Score: 4
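
The shared-platform-key problem described in the last comment, as an added example that is not part of the original thread: a simplified model (not the UEFI variable format) in which a PK reset token signed over the new key alone verifies on every machine sharing that key, while a token that also covers a device serial does not. The toy RSA key, the `Machine` class, the serial numbers and the device-binding check are all assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key standing in for a shared OEM platform key (PK).
# Built from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the OEM

def digest(*fields: bytes) -> int:
    """Hash length-prefixed fields to an integer below N."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return int.from_bytes(h.digest(), "big") % N

def oem_sign(*fields: bytes) -> int:
    """Textbook RSA signature over the hashed fields (illustration only)."""
    return pow(digest(*fields), D, N)

class Machine:
    """Firmware model: enrolled PK public half plus a device serial."""
    def __init__(self, serial: bytes, bind_to_device: bool):
        self.serial, self.bind = serial, bind_to_device
        self.pk_pub, self.owner_key = (N, E), None

    def reset_pk(self, new_pk: bytes, token: int) -> bool:
        fields = [b"PK", new_pk]
        if self.bind:                  # hypothetical mitigation: cover the serial
            fields.append(self.serial)
        n, e = self.pk_pub
        if pow(token, e, n) != digest(*fields):
            return False               # signature does not match this request
        self.owner_key = new_pk        # control handed to the new key
        return True

def demo() -> dict:
    new_pk = b"owner-generated-public-key"   # constructed placeholder
    # Token as in the comment: signed over the new key only.
    shared = oem_sign(b"PK", new_pk)
    a, b = Machine(b"SN-0001", False), Machine(b"SN-0002", False)
    # Token that additionally covers the requesting machine's serial.
    bound = oem_sign(b"PK", new_pk, b"SN-0001")
    c, d = Machine(b"SN-0001", True), Machine(b"SN-0002", True)
    return {"unbound_on_owner": a.reset_pk(new_pk, shared),
            "unbound_on_other": b.reset_pk(new_pk, shared),
            "bound_on_owner": c.reset_pk(new_pk, bound),
            "bound_on_other": d.reset_pk(new_pk, bound)}

if __name__ == "__main__":
    print(demo())
```
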