LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Most points are valid...

Most points are valid...

Posted Jan 18, 2012 13:47 UTC (Wed) by khim (subscriber, #9252)
Parent article: Garrett: Why UEFI secure boot is difficult for Linux

But this is pure FUD: Any description of the UI. It's effectively impossible to document Linux installation when the first step becomes (a) complicated and (b) vendor specific.

Sorry, but this was the case for ages. To install Linux (or Windows, for that matter) you must boot from floppy or CD/DVD/UMS. Long time ago computers tried floppy first then continued with HDD. Boot viruses exploited this capability quite efficiently and since then the very first step in the process of installation of any OS is (a) complicated and (b) vendor specific. Singed boot does not change anything materially in this regard.

(Log in to post comments)

Most points are valid...

Posted Jan 18, 2012 13:57 UTC (Wed) by stumbles (guest, #8796) [Link]

Secure boot is a sham no matter which way its looked at.

Most points are valid...

Posted Jan 18, 2012 17:14 UTC (Wed) by wdaniels (guest, #80192) [Link]

Agreed. When was the last time you actually found malware that was running from the bootloader? I know it can and does happen on occasion, but I've not actually seen it since the days of floppy disks and I doubt anyone I know has either.

Usually when we hear about these things it is some secret service or police force, and I don't expect those organisations will have much trouble signing whatever code they like.

And what about virtualisation? Are we going to see VM BIOS with secure boot? If we do I should think it will be changed to allow remote administration of keys for unattended installs etc. Just one more reason to head for virtualised infrastructure.

This whole UEFI thing is a complete waste of time. But hopefully it will encourage dedicated Linux hardware retailers...ultimately that's how the non-techies prefer to shop anyway.

Open source BIOS not looking so silly now! :D

Most points are valid...

Posted Jan 18, 2012 17:57 UTC (Wed) by wmf (guest, #33791) [Link]

AFAIK there's a bootloader that bypasses Windows activation. Whether that's malware depends on whether you're Microsoft or not.

Most points are valid...

Posted Jan 18, 2012 20:28 UTC (Wed) by Fowl (subscriber, #65667) [Link]

Well Microsoft's anti-malware suite doesn't think so, at least. Surprisingly quite a few other vendors do though.

Most points are valid...

Posted Jan 20, 2012 3:35 UTC (Fri) by hitmark (guest, #34609) [Link]

I seem to recall reading about a botnet of some kind that employed bootloader infection as a way to spread.

Most points are valid...

Posted Jan 18, 2012 14:00 UTC (Wed) by cortana (subscriber, #24596) [Link]

Secure Boot makes the situation worse though--the user still has to select a boot medium, but now also has to find a way to disable SB...

Actually things were just improving beyond that point. (WUBI)

Posted Jan 18, 2012 15:34 UTC (Wed) by werth1 (subscriber, #48435) [Link]

Actually you don't need to fiddle with boot disks and iso images.
There are easier ways:
http://www.ubuntu.com/download/ubuntu/windows-installer

So this is not "pure FUD"

Most points are valid...

Posted Jan 18, 2012 16:03 UTC (Wed) by ayers (subscriber, #53541) [Link]

Back then the folks who installed GNU/Linux where already computer literate. Today the user spectrum is much wider. Very few of those ordinary users will consider removing or replacing "security" keys just to install an alternate OS.

Today they can be running Windows and install a GNU/Linux distribution as if it were yet another application. I'm not sure whether UEFI would disallow the installation but AFAIU it will definitely not allow the execution of an alternate boot loader and even if the installation where able to reconfigure the existing boot loader, it would still not boot the kernel unless it has been signed by an existing authority.

Even if Red-Hat, Canonical and SuSE were able to have their bootloaders and kernels signed by some authority, even if SPI manages to get Debian signed, even if the FSF manages to get gNewSense signed, there are so many other valid distributions out there that you would probably end up with many signing authorities who all would need there keys supported by all vendors that we'd most likely end up in same mess that we have with SSL.

Currently we have hundreds of authorities in our browsers including very dubious ones. Hardly anyone currently is able to manage them, even technical inclined. Do you expect ordinary users to be able to manage the keys even if they were to have the tools?

The hurdle is, by far, way to high. This will dampen the spread of all free operating systems considerably.

Most points are valid...

Posted Jan 18, 2012 17:05 UTC (Wed) by NAR (subscriber, #1313) [Link]

The user spectrum may be wider, but those who're installing Linux for them are still the computer literate family members or friends: I mean I know a lot of people who can use a computer (send e-mails, update facebook pages, etc.), but don't have a clue about what BIOS is. On the other hand the computer literate family members or friends might not want to mess with the keys...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds