UEFI secure boot and Linux
Moderator: Forum Moderators
UEFI secure boot and Linux
I recently read an article that says that Windows 10 will require Secure Boot enabled and the possibility of deactivation is left to the OEM manufacturers.
If they decide that you can not disable Secure Boot, you can not install Linux or any other alternative OS. It is very sad for me, because it seems a deliberate limitation of user's rights. They should not dictate what I install on my system. The personal computer is not personal anymore.
Perhaps I exaggerate ... or maybe we're heading towards an Orwellian society.
Thoughts?
If they decide that you can not disable Secure Boot, you can not install Linux or any other alternative OS. It is very sad for me, because it seems a deliberate limitation of user's rights. They should not dictate what I install on my system. The personal computer is not personal anymore.
Perhaps I exaggerate ... or maybe we're heading towards an Orwellian society.
Thoughts?
Re: UEFI secure boot and Linux
Sounds pretty ambiguous to me.
For some customers, like if you are Sony for instance, maybe you care only about not getting rooted, and then this is probably a desirable feature.
I think it comes down to who is "authorized". If "authorized" is a free and open system and legitimate competitors can all get authorized, then its probably a good thing. If not I guess it's probably anticompetitive. Maybe microsoft will get sued again.
For some customers, like if you are Sony for instance, maybe you care only about not getting rooted, and then this is probably a desirable feature.
I think it comes down to who is "authorized". If "authorized" is a free and open system and legitimate competitors can all get authorized, then its probably a good thing. If not I guess it's probably anticompetitive. Maybe microsoft will get sued again.
Re: UEFI secure boot and Linux
What I wanted to say is that everything becomes more restrictive. For Windows 8, Microsoft requested that Secure Boot is activated and the user be able to disable SB, if desired.
But for Windows 10, Microsoft requires that Secure Boot to be activated, and the OEMs can choose to implement the on/off switch for the feature or not.
This "small" difference is what worries me.
And it seems to me abnormal the fact that in order to install another OS, you must ask for a digital certificate from Microsoft. Why do I need permission from Microsoft for this?
But for Windows 10, Microsoft requires that Secure Boot to be activated, and the OEMs can choose to implement the on/off switch for the feature or not.
This "small" difference is what worries me.
And it seems to me abnormal the fact that in order to install another OS, you must ask for a digital certificate from Microsoft. Why do I need permission from Microsoft for this?
Re: UEFI secure boot and Linux
I read that it's basically the NSA's TPM being white-washed. And that it means you can't flash your bios. And that the NSA has bios backdoors. And the decision if you are able to flash the bios or install linux will be made by Dell, HP, Lenovo... And since their machines came with a lot of crapware, one should maybe judge it by that.Naron wrote:Perhaps I exaggerate ... or maybe we're heading towards an Orwellian society.
Thoughts?
I have a cunning plan.
Re: UEFI secure boot and Linux
So Microsoft is becoming more restrictive by NOT requiring manufacturers to implement certain features in their products? Scandalous power abuse!
Re: UEFI secure boot and Linux
I don’t think this is about Microsoft becoming restrictive, but rather about allowing OEMs to do as they want when they are historically known to not care enough about supporting non-Microsoft operating systems.lipk wrote:So Microsoft is becoming more restrictive by NOT requiring manufacturers to implement certain features in their products? Scandalous power abuse!
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Re: UEFI secure boot and Linux
I will say, having some sort of validation process for OS's is one thing, I mean that is a legitimate security worry.
However, if the keys are not in the hand of the user, but in the hands of Microsoft or even the OEM manufacturer, that seems broken.
I guess I would draw an analogy between this, and the common practice of car manufacturers, and Apple for that matter, to put custom screws in their product so that you can't use a phillips or flathead screwdriver to open them up, and have to use a crazy "triangle" screwdriver (or similar) which you either must purchase separately, or which is only available to dealerships.
These practices are not considered illegal currently, just annoying and cheesy, but in my opinion it would be a good thing if they were illegal. They are anti-competitive in my opinion.
However, if the keys are not in the hand of the user, but in the hands of Microsoft or even the OEM manufacturer, that seems broken.
I guess I would draw an analogy between this, and the common practice of car manufacturers, and Apple for that matter, to put custom screws in their product so that you can't use a phillips or flathead screwdriver to open them up, and have to use a crazy "triangle" screwdriver (or similar) which you either must purchase separately, or which is only available to dealerships.
These practices are not considered illegal currently, just annoying and cheesy, but in my opinion it would be a good thing if they were illegal. They are anti-competitive in my opinion.
Re: UEFI secure boot and Linux
Well, they already provide approximately zero support for everything different than Windows, but simply allowing them on their hardware is an entirely different matter. It doesn't require any effort on their part and I can't see why they wouldn't do it.I don’t think this is about Microsoft becoming restrictive, but rather about allowing OEMs to do as they want when they are historically known to not care enough about supporting non-Microsoft operating systems.
If by 'key' you mean the possibility to turn Secure Boot off, then I agree entirely, however in this case the system didn't become any more broken than it was by passing the decision to the OEMs. It should be the lawmakers' job to guarantee free and fair competition, not Microsoft's. If you literally mean the RSA keys, I'm interested in whose hands would you like to see them? Should we all sign our bootloaders with our own keys or what?However, if the keys are not in the hand of the user, but in the hands of Microsoft or even the OEM manufacturer, that seems broken.
- Elvish_Hunter
- Posts: 1575
- Joined: September 4th, 2009, 2:39 pm
- Location: Lintanir Forest...
Re: UEFI secure boot and Linux
However, there's a difference: one can easily get such kind of screwdrivers on eBay, but one can't so easily get a modified BIOS...iceiceice wrote:I guess I would draw an analogy between this, and the common practice of car manufacturers, and Apple for that matter, to put custom screws in their product so that you can't use a phillips or flathead screwdriver to open them up, and have to use a crazy "triangle" screwdriver (or similar) which you either must purchase separately, or which is only available to dealerships.
Maybe I'm wrong, but I seem to remember that EU laws allow users to refuse the license of an operating system and ask to have it refunded. I need to find some more infos, but if that's the case I guess that several manufacturers may end up getting sued.iceiceice wrote:These practices are not considered illegal currently, just annoying and cheesy, but in my opinion it would be a good thing if they were illegal.
Anyway, if every other computer will end up being locked in a way that I can't disable, probably I'll buy a Raspberry Pi 2 or some similar board - at least, these aren't locked. Not the best solution, I know, but what else can I do without involving lawyers?
Current maintainer of these add-ons, all on 1.16:
The Sojournings of Grog, Children of Dragons, A Rough Life, Wesnoth Lua Pack, The White Troll (co-author)
The Sojournings of Grog, Children of Dragons, A Rough Life, Wesnoth Lua Pack, The White Troll (co-author)
Re: UEFI secure boot and Linux
Exactly that's the problem. Microsoft could force the OEMs to not implement the on/off switch. Of course, unofficially. Maybe it's exaggerated, but given Microsoft's history, it is possible. In response, maybe the open-source movement will develop an open hardware that will run any OS.shadowm wrote:I don’t think this is about Microsoft becoming restrictive, but rather about allowing OEMs to do as they want when they are historically known to not care enough about supporting non-Microsoft operating systems.lipk wrote:So Microsoft is becoming more restrictive by NOT requiring manufacturers to implement certain features in their products? Scandalous power abuse!
Time will show how things will evolve. I hope that everything will be fine, but somehow I doubt it.
Re: UEFI secure boot and Linux
Sure, we should be free to do so if we want.lipk wrote:If by 'key' you mean the possibility to turn Secure Boot off, then I agree entirely, however in this case the system didn't become any more broken than it was by passing the decision to the OEMs. It should be the lawmakers' job to guarantee free and fair competition, not Microsoft's. If you literally mean the RSA keys, I'm interested in whose hands would you like to see them? Should we all sign our bootloaders with our own keys or what?
Normally, if I buy a house or a car, I'm free to go to a locksmith and get new keys made. I shouldn't need to consult the contractor who built the house to do this, and it's not like he should have keys to my house forever either.
I guess that this is part of UEFI:
http://en.wikipedia.org/wiki/Unified_Ex ... ecure_boot
wikipedia wrote: Additional "Key Exchange Keys" (KEK) can be added to a database stored in memory to allow other certificates to be used, but they must still have a connection to the private portion of the Platform key. Secure boot can also be placed in "Custom" mode, where additional public keys can be added to the system that do not match the private key.
If you can't use your own signed keys or publicly available signed keys, only the keys that came with the device, that sounds pretty broken to me, and it seems to be the whole issue -- whether "configuration" and "custom mode" should be possible or not.wikipedia wrote: Other developers raised concerns about the legal and practical issues of implementing support for secure boot on Linux systems in general. Former Red Hat developer Matthew Garrett noted that conditions in the GNU General Public License version 3 may prevent the use of the GRUB bootloader without a distribution's developer disclosing the private key (however, the Free Software Foundation has since clarified its position, assuring that the responsibility to make keys available was held by the hardware manufacturer),[67] and that it would also be difficult for advanced users to build custom kernels that could function with secure boot enabled without self-signing them.[90] Other developers suggested that signed builds of Linux with another key could be provided, but noted that it would be difficult to persuade OEMs to ship their computers with the required key alongside the Microsoft key.[3]
I doubt that you won't be able to find normal hardware that can run linux. Linux has too much marketshare to just be abandoned by all major manufacturers, I think. Maybe many or most of them, but not all of them.Elvish Hunter wrote: I know, but what else can I do without involving lawyers?
https://www.youtube.com/watch?v=zaGUr6wzyT8Naron wrote: I hope that everything will be fine, but somehow I doubt it.
Re: UEFI secure boot and Linux
I always assumed this place was full of computer nerds- who buys brand name gear when it's so much more rewarding to get a custom rig
Sooner or later someone will figure out a way to bypass the lock out I'm sure, it's only code after all.
Sooner or later someone will figure out a way to bypass the lock out I'm sure, it's only code after all.
Re: UEFI secure boot and Linux
I probably should rephrase my statement above. As I understand it, this is not about Microsoft forbidding anything, but rather about not forcing OEMs to allow disabling secure boot. I don’t think Microsoft could possibly get away with forbidding the option to disable secure boot, given its track record in U.S. and European courts. However, if OEMs are not required to provide the option to disable secure boot, it’s not too unlikely that they won’t provide it at all. They are known to be lazy when it comes to supporting other operating systems at the firmware level, which is why e.g. ACPI support on Linux is a nightmare — a large number of systems out there are designed specifically for compatibility with Windows and require workarounds integrated in the Linux kernel or custom (unsupported) patched firmware to work fully or correctly.Naron wrote:Exactly that's the problem. Microsoft could force the OEMs to not implement the on/off switch. Of course, unofficially. Maybe it's exaggerated, but given Microsoft's history, it is possible. In response, maybe the open-source movement will develop an open hardware that will run any OS.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Re: UEFI secure boot and Linux
It depends also on how much of an influence Microsoft has had on the various OEM's decisions.
I don't think courts would look at OEMs, just out of the blue, deciding to lock out all non-Microsoft OS's as just a happy accident for Microsoft. The last time Microsoft was sued, it was found that they colluded illegally with Intel and others to try to make their products only interoperate with one another and box out their respective competitors. So if there's another lawsuit it might play out the same way -- I don't think the "it's not Microsoft doing it, it's the OEMs" line of argument would necessarily be persuasive. If there's any kind of collaboration or exchange I think it could be illegal. (Not a lawyer.)
I don't think courts would look at OEMs, just out of the blue, deciding to lock out all non-Microsoft OS's as just a happy accident for Microsoft. The last time Microsoft was sued, it was found that they colluded illegally with Intel and others to try to make their products only interoperate with one another and box out their respective competitors. So if there's another lawsuit it might play out the same way -- I don't think the "it's not Microsoft doing it, it's the OEMs" line of argument would necessarily be persuasive. If there's any kind of collaboration or exchange I think it could be illegal. (Not a lawyer.)
- Pentarctagon
- Project Manager
- Posts: 5527
- Joined: March 22nd, 2009, 10:50 pm
- Location: Earth (occasionally)
Re: UEFI secure boot and Linux
I don't know about here in the US, but I could see Microsoft getting sued in the EU again, since they previously sued them over having only IE pre-installed with Windows.
99 little bugs in the code, 99 little bugs
take one down, patch it around
-2,147,483,648 little bugs in the code
take one down, patch it around
-2,147,483,648 little bugs in the code