
Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 2:56 UTC (Wed) by giraffedata (subscriber, #1954)
In reply to: Ubuntu details its UEFI secure boot plans by mjg59
Parent article: Ubuntu details its UEFI secure boot plans

> You don't qualify for the Windows 8 sticker without the ability to rekey and disable secure boot.

I don't think that's so. From what I can tell from various reports on the web, Microsoft defines a "custom mode" in which the user has the ability to rekey and disable secure boot, but it is optional for Windows 8 certified computers. And for ARM systems, it isn't even an option -- custom mode is prohibited.

For those where it's optional, I predict manufacturers will provide it, and other commentators seem to agree, but there is still an objection to the Windows 8 certification program because it's not easy enough to enter custom mode - the computer is required to ship in "standard mode" (boots only Microsoft-approved things) by default and you have to go into a machine setup dialog to do it (obviously, standard mode doesn't let an installer program just switch out of standard mode programmatically).


Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:07 UTC (Wed) by naptastic (subscriber, #60139)

All of this begs the question: Is anyone seeking an injunction against this behavior, which is clearly an antitrust violation?

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:30 UTC (Wed) by raven667 (subscriber, #5198)

Check out section System.Fundamentals.Firmware.UEFISecureBoot in document http://msdn.microsoft.com/en-us/library/windows/hardware/... especially paragraphs 17 and 18 which state that custom mode and enable/disable are mandatory on x86.

You might want to be more skeptical of some of the "various reports on the web"; the sites you have been reading clearly aren't doing even the most basic of research and are probably not worth your time to read. Stick to LWN 8-)

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 3:32 UTC (Wed) by mjg59 (subscriber, #23239)

> I don't think that's so.

'MANDATORY. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:'

Followed by a requirement that it be possible to clear PK, which guarantees you the ability to enrol whatever set of keys you want.

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 4:08 UTC (Wed) by Fowl (subscriber, #65667)

"Custom mode" must be user (not programmatically) accessible in order to certify.

On the other hand, it only requires the ability to disable secure boot, not re-key it.

Ubuntu details its UEFI secure boot plans

Posted Jul 4, 2012 4:15 UTC (Wed) by mjg59 (subscriber, #23239)

Argh no really the entire point of custom mode is that it allows re-keying. It's distinct from being able to just disable secure boot.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds