Linked by Thom Holwerda on Fri 22nd Jun 2012 23:17 UTC
Ubuntu, Kubuntu, Xubuntu
After Fedora, Ubuntu has now also announced how it's going to handle the nonsense called "Secure" Boot. The gist: they'll use the same key as Fedora, but they claim they can't use GRUB2. "In the event that a manufacturer makes a mistake and delivers a locked-down system with a GRUB 2 image signed by the Ubuntu key, we have not been able to find legal guidance that we wouldn't then be required by the terms of the GPLv3 to disclose our private key in order that users can install a modified boot loader. At that point our certificates would of course be revoked and everyone would end up worse off." So, they're going to use the more liberally licensed efilinux loader from Intel. Only the bootloader will be signed; the kernel will not.
Thread beginning with comment 523409
meh
by Auzy on Sat 23rd Jun 2012 01:37 UTC
Auzy Member since:
2008-01-20

Sorry Thom, but I've been here for a few years now, and whilst Secure boot might not be nice for Linux, it does exist for a good reason. And I was hoping that OSNews of all people would take a fair all-rounded look at it, rather than jump on the "microsux-bandwagon".

Security. Being able to shove any boot code in a system is a security risk. It makes it possible for a virus to persist on a system, and eliminate anti-virus programs from being able to ever delete the files. I can't blame Microsoft for wanting to patch it, particularly because every time Windows gets a virus, Apple and Linux users beat their drums about "Microsoft's security sucks, blah blah blah".

Is it good for Linux? In some ways, yes, but in others no. It's not Microsoft's fault that Linux vendors aren't working together, and that they have made it near impossible for all of their keys to be pre-installed on computers. If they did though, the key would be pre-installed.

And yes, I do want to see Linux succeed in the future. However, the reason why it hasn't already, is that we keep making excuses for shortcomings.

Reply Score: -5

RE: meh
by Hypnos on Sat 23rd Jun 2012 01:50 in reply to "meh"
Hypnos Member since:
2008-11-19

Preventing the loading of unauthorized boot code is potentially quite useful.

However, unless Secure Boot allows you to sign your own software and upload your own keys easily, it comes at the cost of using your hardware as you see fit.

In general, this is the cost of "appliance-ware" in which hardware and software are bundled and difficult to tease apart.

This is not only a problem for Linux, but any software and hardware freedom -- your only remaining option is to choose between bundles.

Edited 2012-06-23 01:52 UTC

Reply Parent Score: 6

RE: meh
by WereCatf on Sat 23rd Jun 2012 02:21 in reply to "meh"
WereCatf Member since:
2006-02-15

and whilst Secure boot might not be nice for Linux, it does exist for a good reason.


I really have to say that all this feels more like trying to kill a fly with a god damn nuclear weapon; there are extremely few modern boot-sector viruses -- I at least am not aware of a single one -- and you don't need boot-sector viruses anyway to cause damage. As long as the virus/malware has access to users' files and input devices then the users are already screwed and Secure Boot does not prevent that. Besides, a virus shouldn't even get to the point of being able to infect the boot sector in the first place.

That is to say that Secure Boot solves only a highly theoretical issue that really isn't all that pressing a matter, at least for now. It doesn't mean it's useless, but it's given way too much weight. The bigger issue, though, is that Secure Boot is all controlled and designed by Microsoft. If it was really aimed at securing end-users then there would be a public design-and-approval process and some sort of a multi-party committee to govern the keys and Secure Boot-usage in order to ensure proper cross-platform functionality, to find and fix any faults with the implementation and to not let only a single party control the whole thing when it has the potential of affecting every single PC-user and manufacturer. That right there is my one, single biggest issue with Secure Boot.

Reply Parent Score: 17

RE[2]: meh
by hoak on Sat 23rd Jun 2012 03:23 in reply to "RE: meh"
hoak Member since:
2007-12-17

I agree with WereCatf and would add this reeks of 'Security Theater' to move an agenda forward that has more to do with control of revenue opportunity than real security.

Not to say that boot security is not a concern without veracity, but the aggressive move to adoption, lack of anything that resembles peer review, and obvious pressure from the Vole -- just smells bad.

Reply Parent Score: 4

RE[2]: meh
by Drumhellar on Sat 23rd Jun 2012 17:57 in reply to "RE: meh"
Drumhellar Member since:
2005-07-12

Well, Stuxnet contained a rootkit, which SecureBoot would prevent from operating.

Granted, it also ran in user mode, which SecureBoot wouldn't stop, but that's a freakin' complicated bit of malware.

Reply Parent Score: 2

RE: meh
by Soulbender on Sat 23rd Jun 2012 13:51 in reply to "meh"
Soulbender Member since:
2005-08-18

Security. Being able to shove any boot code in a system is a security risk


Yeah, sure, until one of the companies that has had their keys signed by MS has their private keys leaked, and it's a matter of when, not if. When that happens everyone is screwed and back to square one.
Not to mention that this "security" measure in no way will prevent companies from installing malware or rootkits.
Trusting big business to do what's right and safe for you? Never a good idea.

Reply Parent Score: 2