I suspect antitrust challenges would quickly happen if the option to disable the secure boot was not available.
I am more interested in making sure we can make our own signed secure boot images and understand how to install deployment keys for our own locked down deployments (enterprise servers/clients or POS cash registers and what not.) What do the signing and key generation tools need to look like? Can we make such tools? What would OS updates look like on such deployments?
I think our biggest problem is to get Linux distros' installers and boot loaders to "just work" on such UEFI systems. I had a hell of a time getting Ubuntu 11.04 to install on a Cr48 and in the end I had to just flash an EFI BIOS that included the compatibility layer.
Something to keep an eye on but I'm not seeing a big issue yet.
Posted Sep 23, 2011 17:45 UTC (Fri) by cjwatson (subscriber, #7322)
[Link]
I expect it would be straightforward enough to add an option to grub-setup to sign generated GRUB core images for UEFI, although I doubt any GRUB developer (including myself) would be remotely interested in locking down the system more than necessary. The actual signature protocol is pretty simple.
I haven't brought it up on grub-devel yet because the whole thing is intensely political and honestly I'd rather only do it once it's clear that we have no choice if we want to keep booting; I don't want "GRUB works with UEFI secure boot" to be a check on somebody's checklist.
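The "signature protocol" cjwatson refers to, and the signing tools asked about earlier in the thread, are built on the Authenticode layout of PE/COFF images: the signer hashes the whole file except the optional header's CheckSum, the Certificate Table data-directory entry and the certificate table itself, then appends a WIN_CERTIFICATE carrying the PKCS#7 signature over that digest. The following is an added example, not GRUB's or any project's code, showing the digest computation and the certificate-table attachment over a constructed minimal PE32+ image; the `signed_data` bytes are a placeholder for where a real tool would put the DER-encoded PKCS#7 SignedData, and the image builder is constructed for illustration only.

```python
"""Authenticode-style image digest for a PE/COFF image such as a UEFI
application or a GRUB core image built for UEFI.  The digest covers the
whole file except the optional header's CheckSum field, the Certificate
Table data-directory entry and the attached certificate table, which is
why a signature can be embedded without invalidating the digest it signs."""
import hashlib
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def header_layout(image):
    """Locate the header fields the digest has to skip over."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32PLUS_MAGIC:
        dd = opt + 112                                           # PE32+ data directories
    elif magic == PE32_MAGIC:
        dd = opt + 96                                            # PE32 data directories
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    return {
        "checksum": opt + 64,
        "size_of_headers": struct.unpack_from("<I", image, opt + 60)[0],
        "sec_dir": dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
        "sections": opt + opt_size,
        "num_sections": num_sections,
    }


def authenticode_digest(image, algo="sha256"):
    """Digest of the image as a UEFI signer/verifier would compute it."""
    lay = header_layout(image)
    cert_off, cert_size = struct.unpack_from("<II", image, lay["sec_dir"])
    h = hashlib.new(algo)
    # Headers, skipping the 4-byte CheckSum and the 8-byte security directory entry.
    h.update(image[:lay["checksum"]])
    h.update(image[lay["checksum"] + 4:lay["sec_dir"]])
    h.update(image[lay["sec_dir"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    # Section raw data, in ascending file-offset order.
    sections = []
    for i in range(lay["num_sections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", image, lay["sections"] + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for ptr, size in sorted(sections):
        h.update(image[ptr:ptr + size])
        hashed += size
    # Anything appended after the sections, minus the certificate table.
    if len(image) > hashed:
        extra = len(image) - hashed - cert_size
        h.update(image[hashed:hashed + extra])
    return h.digest()


def attach_certificate_table(image, signed_data):
    """Append a WIN_CERTIFICATE carrying signed_data and point the security
    directory at it, as a signing tool does once the digest is signed."""
    lay = header_layout(image)
    cert_off = (len(image) + 7) // 8 * 8                         # table is 8-byte aligned
    entry = struct.pack("<IHH", 8 + len(signed_data), 0x0200,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signed_data
    entry = entry.ljust((len(entry) + 7) // 8 * 8, b"\0")
    out = bytearray(image.ljust(cert_off, b"\0")) + entry
    struct.pack_into("<II", out, lay["sec_dir"], cert_off, len(entry))
    return bytes(out)


def build_test_image(code):
    """Constructed minimal PE32+ EFI application with one .text section (sample input)."""
    file_align = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # AMD64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)                  # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)                      # SizeOfImage
    struct.pack_into("<I", opt, 60, file_align)                  # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 10)                          # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    raw_size = (len(code) + file_align - 1) // file_align * file_align
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                       file_align, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(file_align, b"\0")
    return headers + code.ljust(raw_size, b"\0")


if __name__ == "__main__":
    img = build_test_image(b"\x48\x31\xc0\xc3")                  # constructed payload bytes
    print("digest:", authenticode_digest(img).hex())
    signed = attach_certificate_table(img, b"placeholder for DER PKCS#7 SignedData")
    print("same after signing:", authenticode_digest(signed) == authenticode_digest(img))
```

Running it shows the digest is unchanged by attaching the certificate table or by rewriting the CheckSum, but changes if a single byte of a section changes; a real signer would wrap the digest in a PKCS#7 SignedData signed with the deployment key whose certificate is enrolled in the firmware's db.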
Something to keep an eye on but I'm not seeing a big issue yet.
Posted Sep 23, 2011 23:53 UTC (Fri) by iabervon (subscriber, #722)
[Link]
I think it would be good if computers came with a USB frob, and the only way to create a boot image that the BIOS wouldn't warn you about would be to plug in the frob and get it to sign the image. The thing is "the key to your computer", and it is needed as part of any OS installation (although it is also possible to use "the key" on a different computer to set up a linux image on a USB drive that your computer will trust). If that system were available, the next step is FUD saying, "If you got a Windows 8 computer, and it didn't come with 'its key', then Microsoft can hack into your system no matter what OS you use! They'll be able to force you to use broken versions like Vista, even if you don't want to, because your computer automatically trusts them. If you have 'the key', you control when you upgrade and what you run."
Of course, UEFI doesn't really provide any meaningful security in the first place, but if you postulate that it has some benefit, allowing Microsoft to circumvent it would be obviously very bad.
The key to your computer
Posted Oct 4, 2011 11:41 UTC (Tue) by robbe (guest, #16131)
[Link]
Cool idea. The two problems I see with this:
* Users will misplace their key, especially if it is needed very rarely. Will you offer a backdoor, or is that tough luck?
* I have a hard time imagining manufacturers that shave off single jumpers for the cost savings throwing in an USB key.
USB
Posted Oct 4, 2011 16:39 UTC (Tue) by mathstuf (subscriber, #69389)
[Link]
> an USB
Is this a typo or do you pronounce "USB" as "us-buh" rather than "yoo ess bee"? Just wondering if there are people that don't just spell "USB" when saying it.
Something to keep an eye on but I'm not seeing a big issue yet.
Posted Sep 24, 2011 14:47 UTC (Sat) by mgross (subscriber, #38112)
[Link]
One question WRT all this posturing: Would a secure boot implementation have prevented the rootkit that took down kernel.org from happening?
Something to keep an eye on but I'm not seeing a big issue yet.
Posted Sep 24, 2011 14:50 UTC (Sat) by mjg59 (subscriber, #23239)
[Link]