Linked by Howard Fosdick on Thu 6th Dec 2012 05:26 UTC
With computers now shipping with UEFI Secure Boot enabled, users of any OS other than Windows 8 will want to know how to circumvent it. Jesse Smith of DistroWatch tells how he did it here. The Linux Foundation describes its approach here. If you want to boot an OS other than Windows 8, you'll want to figure this out before you buy that new computer.
Thread beginning with comment 544357
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Member since:2006-07-12
Does this mean that,
if using Windows Signature,
and BIOS activate the network,
then Microsoft could
play with my linux?
I know that UEFI is about identity;
The first in the stack "owns" the stack.
But, could it be that
the BIOS designer,
-the non writable part of the BIOS-
is the real "owner" of the stack?
Member since:2010-01-21
Does this mean that,
if using Windows Signature,
and BIOS activate the network,
then Microsoft could
play with my linux?
I know that UEFI is about identity;
The first in the stack "owns" the stack.
But, could it be that
the BIOS designer,
-the non writable part of the BIOS-
is the real "owner" of the stack?
if using Windows Signature,
and BIOS activate the network,
then Microsoft could
play with my linux?
I know that UEFI is about identity;
The first in the stack "owns" the stack.
But, could it be that
the BIOS designer,
-the non writable part of the BIOS-
is the real "owner" of the stack?
Looks that way.
http://mjg59.dreamwidth.org/11235.html
Also, the reference UEFI implementation most motherboard builders are using is demonstrably buggy and at least as complex as your average OS kernel.
https://www.youtube.com/watch?v=V2aq5M3Q76U
One of the reasons I'll probably be trying to source BIOS-based motherboards for as long as possible and, when that's no longer an option, I'll try to source something known to support reflashing with CoreBoot so I can prune it down to the minimum amount of code needed to boot Linux.
http://www.coreboot.org/
On the plus side, it does mean plenty of room for rooting the UEFI itself which could really put some egg on Microsoft's face.
(I'm sort of hoping that UEFI rootkits make such a mess of things that Microsoft is forced to backpedal on this idiotic "kernel-sized, under-tested, buggy firmware blob" idea)
Member since:2011-01-28
Brendan,
"I think Fedora are also planning to create a 'shim'. The basic idea is that it's signed with Microsoft's key, and boots other boot loaders."
It's not exactly that simple. Because of the way secure boot was designed (for 3rd party control rather than security), it cannot pass control back to users without compromising security.
Consider that malware could exploit this and install the unrestricted bootloader (signed by microsoft's key) and then install a backdoor through the unrestricted bootloader. This would break secure boot's security on every secure boot desktop in the world and not just your desktop. Now MS would be forced to admit that secure boot is permanently broken, or it would revoke Fedora's key and break legitimate linux installs everywhere.
This is another reason I hate microsoft's secure boot design. Even if they had the best of intentions, it creates a single point of failure. One bug or leak breaks everybody's secure boot security worldwide. It just reaffirms how secure boot has been designed for 3rd party control rather than security.
The shim you referred to can only run locked down versions of linux running signed components. It's probably ok for normal users, but it's not the same free/open linux kernel that we're fond of. We'll become dependent upon Fedora provided kernels, and they'll become dependent upon MS, all so that home users can dual boot a restricted linux on their own machines.
Member since:2005-08-07
Alfman posted...
This is another reason I hate microsoft's secure boot design. Even if they had the best of intentions, it creates a single point of failure. One bug or leak breaks everybody's secure boot security worldwide. It just reaffirms how secure boot has been designed for 3rd party control rather than security.
Which is exactly why the hacking scene needs to get on breaking this single point of failure as hard and spectacularly as they can, then release something that crashes every system running "secure boot" in such a way to make it clear that it is worse than useless at what it was ostensibly designed to do. Better yet it needs to crash the hardware in such a way the OEMs are liable and it costs them enough pain they instinctively shy away from any future types of such systems. Maybe then it would make the whole thing go away again...
--bornagainpenguin
Features
Linked by Thom Holwerda on 06/13/13 14:35 UTC
The third and final WWDC product I want to talk about is - of course - OS X 10.9 Mavericks. While iOS 7 was clearly the focus of this year's WWDC, its venerable desktop counterpart certainly wasn't left behind. Apple announced OS X 10.9 Mavericks, the first OS X release not to carry the name of a big cat.
Linked by Thom Holwerda on 06/11/13 17:07 UTC
We already talked about iOS 7 yesterday (after a night of sleep, it's only looking worse and worse - look at this, for Fiona's sake!), so now it's time to talk about the downright stunning and belly flutters-inducing new Mac Pro. As former owner and huge, huge, huge fan of the PowerMac G4 Cube - I haven't been this excited about an Apple product since, well, I would say the iMac G4. This is the Apple I used to love.
Linked by Thom Holwerda on 06/10/13 23:13 UTC
Apple held its big keynote event thing at WWDC earlier this evening, but since I was away with friends I've had to read up on it later in the evening. The company announced iOS 7, OS X 10.9 Mavericks, and they gave a preview of the new Mac Pro. Especially the Mac Pro impressed me, and while iOS 7's new Holo/Metro-inspired theme looks messy and garish to me, I do commend Apple for finally breaking the mold. This news item will focus on iOS 7 - I'll dive into the Mac Pro and OS X 10.9 tomorrow (it's late here now).
Linked by Thom Holwerda on 06/08/13 14:57 UTC
And yes, the PRISM scandal is far, far from over. More and more information keeps leaking out, and the more gets out, the worse it gets. The companies involved have sent out official statements - often by mouth of their CEOs - and what's interesting is that not only are these official statements eerily similar to each other, using the same terms clearly designed by lawyers, they also directly contradict new reports from The New York Times. So, who is lying?
Linked by Thom Holwerda on 06/07/13 11:40 UTC
This story is getting bigger and bigger. Even though most Americans probably already knew, it is now official: the United States government, through its National Security Agency, is collecting the communications and data of all American citizens, and of non-Americans using American services, through a wide collaboration with the large companies in technology, like Apple, Google, Microsoft, Facebook, and so on. Interestingly enough, the NSA itself, as well as the US government, have repeatedly and firmly denied this massive spying on Americans and non-Americans took place at all.
Linked by Thom Holwerda on 06/04/13 12:45 UTC
Ah, patents - the never-ending scourge of the technology industry. Whether wielded by companies who don't actually make any products, or large corporations who abuse them because they can't compete in the market place or because they're simply jerks, they do the industry a huge disservice and are simply plain dangerous. According to The Wall Street Journal (circumvention link), president Obama is about to take several executive actions to address patent trolls - which may seem like a good idea, but I am very worried that all this will do is strengthen the positions of notorious patent system abusers such as Apple and Microsoft.
Linked by nfeske on 05/31/13 10:12 UTC
With version 13.05, the developers of the Genode OS Framework take measures to ensure that Genode continues to scale well with a growing number of users and the steadily broadening platform coverage. Further highlights are the improved SoC support for Exynos 5, OMAP4, Raspberry Pi, i.MX, and new components for realizing headless systems.
Linked by Thom Holwerda on 05/29/13 16:59 UTC
At the D11 conference, Apple CEO Tim Cook once again took the stage to be interviewed by Walt Mossberg and Kara Swisher. While most of the interview can be replicated by picking and reading 10 random Apple fanblog stories - there were still a number of very interesting things that warrant some closer scrutiny.
Linked by Thom Holwerda on 05/24/13 17:26 UTC
So, the Xbox One disaster continues. Microsoft's policy for dealing with the used games market has reportedly leaked - and it's a clear and direct attack to destroy the used games market. Prices for used games will be set at the retail value of a new game, and retailers have to hook into Microsoft's computer systems and comply with Microsoft's terms and conditions.
Linked by Thom Holwerda on 05/21/13 21:38 UTC
At an event earlier today, Microsoft unveiled the next Xbox - the third model, but confusingly named Xbox One. The big focus was TV, integrated Kinect, and all the other stuff we all expected to be forced down our throats. I think it took them 25 minutes to actually come to what should be the core of the story: gaming. Nothing groundbreaking in the gaming department, except for how Microsoft intends to handle the used games market and borrowing games from friends: pay up, buddy!More Features »
Sponsored Links
Member since:
2005-11-16
Hi,
I think Fedora are also planning to create a "shim". The basic idea is that it's signed with Microsoft's key, and boots other boot loaders.
It's possibly not that simple though - I think they're planning to allow end users to add keys to UEFI's store; so that if you try to boot a signed boot loader with the shim, it'll ask if the key should be added. This way Linux can use secure boot too; and all those dual booting Linux users don't have to worry about getting their Linux OS infected by viruses that Windows let in. :-)
- Brendan