Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 0:19 UTC (Sat) by dlang (subscriber, #313)
In reply to: Details on Ubuntu's UEFI secure boot plan by jspaleta
Parent article: Details on Ubuntu's UEFI secure boot plan

the issue is the fear that trying to tell users how to disable this will make it too hard for them to install linux.

the linux distros aren't doing this because they are trying to lock the system down and make it safer, they are just trying to make it not noticeably harder to install their distro on a new machine than it is today.


Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 0:43 UTC (Sat) by jspaleta (subscriber, #50639)

I do not think you can lump all distros and distro vendors together as to whether or not they see value in secureboot as a feature. There are recognized limitations of the specification that make it more painful than it should be, but some do see value in the secureboot goal. And I bet vendors who understand how to run a profitable software business will find customers who understand the security value and will produce a solution that exposes the value. Other vendors, who continue to do the least amount of effort possible, will continue to fail to attract paying customers and will continue to bleed money. To those vendors, this is just an engineering resources drain... not an opportunity to upsell a security feature.

But more specifically... if Canonical is going to be using a MS signed bootloader... it seems to me that what MS considers secureboot enabled to imply is going to matter a lot. So Canonical does this... MS revokes their key... and we are back to square one with Ubuntu users having to disable secureboot to work with Ubuntu. Except now it's users with already installed dual-boot Ubuntu/Windows who find they can't load their Ubuntu bootloader because of a key revocation from MS.

Here's to hoping MS doesn't see Canonical's cavalier attitude towards signed kernels as a security threat to Windows installs. I really really hope that MS considers any dual boot situation as a non-starter for enforcement and ignores anything involving an alternative bootloader unless a request comes in from the entity who controls the bootloader's signature to revoke a key. Hope for the best... plan for the worst.

-jef

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 0:54 UTC (Sat) by dlang (subscriber, #313)

the two vendors who have spoken up so far (Canonical and Fedora) both seem primarily worried about the difficulty in installing the distro on new hardware.

so I think it's fair to use those statements to say what the main concern seems to be.

There may be other distros in the future that try to use this for security, but that's not the situation right now.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 4:39 UTC (Sat) by bgilbert (✭ supporter ✭, #4738)

Dual-boot systems are not the problem. A worm targeting Windows-only systems could install the Ubuntu bootloader and use that to chainload itself at boot.

Details on Ubuntu's UEFI secure boot plan

Posted Jun 23, 2012 4:47 UTC (Sat) by mjg59 (subscriber, #23239)

Or use the Ubuntu bootloader to target non-Ubuntu Linuxes.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds