| |||||||||||||
Ubuntu details its UEFI secure boot plansUbuntu details its UEFI secure boot plansPosted Jul 3, 2012 19:38 UTC (Tue) by jmorris42 (subscriber, #2203)In reply to: Ubuntu details its UEFI secure boot plans by mjg59 Parent article: Ubuntu details its UEFI secure boot plans
Most early flash BIOS machines had emergency reflash from a boot floppy, write protect jumpers, etc. All that went away as mass production happened. I'd expect the same to happen here, top of the line boards for workstations and servers will still tend to do the right thing but cheap consumer products won't.
The cheap ones will also stop allowing the user to rekey or disable the secure boot. On the good side there will be exploits aplenty since it will just be security theater to appease the Hollywierd content gods and vendor locks to stop casual Linux use. It is a feature no customer is likely to ask for and no sales will depend on it being effective, so they will make it as cheap as Microsoft will let them qualify for the Windows 8 sticker with.
(Log in to post comments)
Ubuntu details its UEFI secure boot plans Posted Jul 3, 2012 19:41 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot.
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 2:56 UTC (Wed) by giraffedata (subscriber, #1954) [Link] You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot. I don't think that's so. From what I can tell from various reports on the web, Microsoft defines a "custom mode" in which the user has the ability to rekey and disable secure boot, but it is optional for Windows 8 certified computers. And for ARM systems, it isn't even an option -- custom mode is prohibited. For those where it's optional, I predict manufacturers will provide it, and other commentators seem to agree, but there is still an objection to the Windows 8 certification program because it's not easy enough to enter custom mode - the computer is required to ship in "standard mode" (boots only Microsoft-approved things) by default and you have to go into a machine setup dialog to do it (obviously, standard mode doesn't let an installer program just switch out of standard mode programmatically).
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 3:07 UTC (Wed) by naptastic (subscriber, #60139) [Link]
All of this begs the question: Is anyone seeking an injunction against this behavior, which is clearly an antitrust violation?
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 3:30 UTC (Wed) by raven667 (subscriber, #5198) [Link]
Check out section System.Fundamentals.Firmware.UEFISecureBoot in document http://msdn.microsoft.com/en-us/library/windows/hardware/... especially paragraphs 17 and 18 which state that custom mode and enable/disable are mandatory on x86.
You might want to be more skeptical of some of the "various reports on the web", the sites you have been reading clearly aren't doing even the most basic of research and are probably not worth your time to read. Stick to LWN 8-)
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 3:32 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
> I don't think that's so.
'MANDATORY. On non-ARM systems, the platform MUST implement the ability for a
Followed by a requirement that it be possible to clear PK, which guarantees you the ability to enrol whatever set of keys you want.
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 4:08 UTC (Wed) by Fowl (subscriber, #65667) [Link]
"Custom mode" must be user (not programmatically) accessible in order to certify.
On the other hand, it only requires the ability to disable secure boot, not re-key it.
Ubuntu details its UEFI secure boot plans Posted Jul 4, 2012 4:15 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
Argh no really the entire point of custom mode is that it allows re-keying. It's distinct from being able to just disable secure boot.
Ubuntu details its UEFI secure boot plans Posted Jul 5, 2012 21:01 UTC (Thu) by jmorris42 (subscriber, #2203) [Link]
I wasn't referring to official policy, I'm in the real world discussing what will actually happen. Most motherboard vendors have trouble making a lot of 'mandatory' things that customers actually care about work. Just how much effort do you think they will put into making this stuff work beyond what is required to boot Windows 8 and get the little sticker?
How many motherboards have you fought to make power management work on? How about the temp/voltage/fan sensors? Last I heard working ACPI is also a requirement for the Windows logo program.
Now add in the fact that Microsoft is almost certain to be quietly 'encouraging' motherboard makers to break this particular feature. Raise your hand if you don't think an OEM would instantly get into the double secret marketing co-op program and qualify for special pricing or marketing kickbacks for discouraging OS migration?
Ubuntu details its UEFI secure boot plans Posted Jul 5, 2012 21:05 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
This functionality is required to get the little sticker, and ACPI functionality is tested by Microsoft. The problem with ACPI is that it's only tested under Windows, and our implementation isn't identical to Windows. That's not a concern at this level of firmware. Plus, like I said, this is functionality that's already present in the firmware that OEMs get. They'd need to actively put work into removing it.
|
|||||||||||||