Re: UEFI, Secure Booting and the Windows 8 Logo requirements locking out GNU / Linux
Originally Posted by Paqman
I'd be very surprised if OEMs didn't include the option to switch off secure boot. Some may not, but those that do will have a (small) competitive advantage against them.
On the face of it, I tend to agree that it would be a very bad business decision to omit this option; however, part of the reason this firestorm began is the claim by Matthew Garrett in his second blog post on the subject that "we've already been informed by hardware vendors that some hardware will not have this option" (that is, to disable secure boot). Matthew Garrett is a Red Hat employee, so I take his "we" to refer to communications between Red Hat and hardware vendors. The question is just what "some" means -- it could be one or two models from rinky-dink manufacturers or 99% of all PCs sold at retail.
So the likelihood of at least one OEM doing it is extremely high IMO, especially in those products catering to parts of the market likely to be building from scratch and installing their own OS (eg: car PCs, HTPCs, barebones servers, etc)
"At least one" doing the right thing is a ridiculously low bar for acceptability. If Linux is to remain competitive, particularly as an option in the home market, it must be able to be installed to the vast majority of PCs. How many people here tried Linux for the first time on a computer that was purchased explicitly to run Linux? Not many, I'd wager. If Joe User can't run Linux on a box originally purchased with Windows, with no original intent to ever run anything else, then Linux loses out big time.
Originally Posted by MonolithImmortal
It seems like the solution is for every distro to use a bsd licensed bootloader, get it signed, and then have MS's boot loader chain load to it. WORST CASE SCENARIO.
You're glossing over the signing issue. In the worst-case scenario, there are two roads to getting software signed to work on Brand X computers:
- Get Microsoft to sign it.
- Get Brand X to sign it.
I'd be flabbergasted if Microsoft would be willing to sign a Linux boot loader, especially one that's capable of running any distribution's kernel.
That leaves the PC manufacturers themselves. Some of them might be willing to sign Linux boot loaders, but given the number of distributions and the security hurdles to be overcome to ensure that any given boot loader can't be used to load malware, this seems like a major obstacle. Note I'm not saying it's impossible on a case-by-case basis, but it's nowhere near the trivial task you seem to be suggesting. If I were a PC manufacturer being asked to sign a Linux distribution's boot loader, I'd be asking questions like "can the boot loader load a kernel you didn't create" and "can software run on Linux modify the boot options to run malware rather than the usual startup scripts in your distribution?" The answers to these questions with current Linux boot loaders are both "yes," and "yes" answers to these questions would make me, Mr. PC Vendor, very reluctant to sign the boot loader. In other words, to get Linux boot loaders signed, the Linux boot process must likely become much more restrictive than it is now.
Furthermore, there's the fact that there are many different PC brands, so a distribution vendor would have to go through the whole process with each and every PC brand. If there were a centralized authority for getting keys signed so that they ended up in every PC, this problem would become more manageable.
The bottom line is this: If a PC is locked down with secure boot and if the owner of the computer cannot override those settings, then the owner of the computer does not control the computer. The owner is at the mercy of those who control the signing keys to determine what software the computer runs. Only if the computers' owners can disable the feature or add keys themselves do the computers truly belong to the people who nominally own them.
If I've suggested a solution to a problem and you're not the original poster, do not try my solution! Problems can seem similar but be different, and a good solution to one problem can make another worse. Post a new thread with your problem details.