
UEFI and Linux in 2013 - the list so far

f0dder:
Also, Windows 8 cert requires that you can disable Secure Boot
-f0dder (January 12, 2013, 04:40 PM)
--- End quote ---
Where does it say that? I thought W8 cert required that SB had to be enabled by default and that it was up to individual OEMs whether they allow disabling SB.
-Carol Haynes (January 13, 2013, 12:02 PM)
--- End quote ---
Grab the "Windows 8 System Requirements" PDF, and jump to page 121. A few selective quotes:

17. Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:
--- End quote ---

18. Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.
--- End quote ---

These are the system requirements for Windows 8, though, and there's no guarantee the next Windows will have the same requirements - that's the slippery slope problem.

Yes, I am worried that SB might be used to lock down x86 hardware in the future, but claiming that's its only point is FUD.
-f0dder (January 13, 2013, 11:53 AM)
--- End quote ---

James Bottomley, Parallels' CTO of server virtualization, well-known Linux kernel maintainer, and the man behind the Linux Foundation's efforts to create an easy way to install and boot Linux on Windows 8 PCs with UEFI (Unified Extensible Firmware Interface) Secure Boot enabled is sorry to report that "We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader."
--- End quote ---
-40hz (January 13, 2013, 12:05 PM)
--- End quote ---
Humm, are they still waiting? And if so, what makes them special compared to other people? There's already a signed shim that'll let you SecureBoot anything.

EDIT: also, for what it's worth, my ASUS P8Z77-V PRO motherboard supports Secure Boot, and has a crapload of key management features. But my box is obviously home-built, not Win8 certified.

40hz:
what makes them special compared to other people?
-f0dder (January 13, 2013, 12:37 PM)
--- End quote ---

The Linux Foundation is attempting to work with Microsoft and its implementation of SecureBoot rather than hack around it. The shim is a hack - and potentially open to misuse and mischief.

What makes the Linux Foundation different from many in the Linux community is that, rather than declare war, they have opted to take Microsoft up on its supposed offer to provide a path for peaceful coexistence when it comes to UEFI/SecureBoot. One in which all modern PC operating systems can take advantage of - and equally benefit from - the purported increases in security it provides.

Please remember that Linux got burned over the so-called ACPI "standard." Most distros chose to ignore the broken power management implementation Microsoft was championing since APM worked fine just as it was. Unfortunately, the gravity well created by Microsoft's share of the market had most hardware manufacturers migrate over to Microsoft's own implementation of "standard" ACPI and abandon APM, thereby forcing Linux kernel maintainers to switch over to not only ACPI - but Microsoft's own take on it in order for it to work with most laptops. As was noted in The Linux Action show above, this is still a problem in the Linux world. And many there feel UEFI threatens to become a similar issue down the road since Microsoft is effectively making all the calls in this particular game.

I think, in all fairness, that the UEFI/SecureBoot initiative has more to do with business strategy and less to do with enhancing security than is being admitted. At least so far as the way it is currently being administrated by Microsoft. Because if the real goal was to further enhance security, it would be in everyone's best interest if it be adopted and deployed as quickly as possible industry-wide.

The simple fact that Microsoft is inserting technical hurdles and gotchas into the mix smacks a little of the old strategy of making sure Lotus 1-2-3 got broken with each new version of DOS since Microsoft had a competing spreadsheet (Multiplan/Excel) they were trying to gain traction with.

And insisting on not allowing GPL licensing or its equivalents on a so-called "open" standard they're pioneering seems to be more than a little disingenuous. Especially since Microsoft has (to date) refused to go on record as saying exactly what their objections to that would be. Likely they don't want to because Microsoft's insinuation that the provisions of GPL could be used to force manufacturers and Microsoft to reveal signing keys is totally bogus. And they know it. Something which has been repeatedly addressed by The Linux Foundation itself, which has clearly explained why it would not.

Microsoft is in the same fix as Sun Microsystems is with Java. Both want to have something they can call an "open standard" but still have full control and the last word over.

Last I heard, "open" doesn't work that way.  :-\
