UEFI boot: how does that actually work, then?


sunrat


Hello,

 

Actually, I believe the certificate is issued by Verisign, not Microsoft.

 

No idea why other OS vendors haven't gone out and bought their own certificates, or set up their certificate authorities, etc.

 

From your average motherboard manufacturer's POV, I'm sure they'd love to boast their motherboards had more certs than their competitors' offerings.

 

Regards,

 

Aryeh Goretsky


http://www.elpauer.org/2011/10/the-secure-boot-controversy/

 

I think this, taken from the comments of the above, explains a freedom lover's point very well.

 

 

Wait a minute — you’re suggesting *Verisign* be the authority to certify organizations and to maintain a list of keys for UEFI? That’s crazy. Remember back in the “dark ages” of SSL where Verisign was the only game in town? Nobody wants to go back to those days — those were the days where signed SSL keys were prohibitively expensive, and so the “solution” was to create other CA’s, which then created problems of too many CA’s. Having any one authority be the gatekeeper also causes serious issues of TRUST AGILITY. See:

http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity

The only possible solution here is for UEFI to mandate that the owner of the computer have the “master key” to their own UEFI bootloader. Yes, this means that the machine will be vulnerable to User Error, but there’s NO other way to allow the computer owner to retain their freedom, and so not giving the user this freedom, one way or another, is another attempt at a power grab, and that /*IS*/ Microsoft’s fault for writing their Windows 8 sticker spec such that the user doesn’t get any override choice.

 

The two comments above this are well worth a read especially this one.

 

Fortunately, Matthew Garrett presented an elegant solution to allow adding keys without hurdles or compromising security:

http://mjg59.dreamwidth.org/6503.html

I hope such a solution is implemented.

 

Microsoft will help this become a reality when **** freezes over at a push. :devil:


I know Gigabyte does not turn on Secure Boot. In fact I couldn't find any mention of it in the EFI setup so I didn't need to worry about it at all. This is on a motherboard straight from Newegg and the system it's in has only Linux installed. It is using EFI and GPT for sure though.


Those of us who come from the antediluvian computer era remember when the BIOS was - well, a BIOS. It orchestrated all the hardware/userspace interactions. As time passed more and more of the BIOS functions got switched over to the O/S (through drivers for the hardware) and now we are at the point where the BIOS is a one trick pony it seems. BIOS means "Boot It or Stop" I guess.

Even doing this one thing the 1980s BIOS has its limitations and really in the long run will disappear. It's early days but UEFI is going to take over eventually.

I think this whole thing would be far less controversial if the Secure Boot issue hadn't got mixed in. Just my $0.02


I think this whole thing would be far less controversial if the Secure Boot issue hadn't got mixed in. Just my $0.02

Secure Boot is a non-issue for Linux, it only affects Windows. Turn it off and forget about it. Sure it would be nice if it worked seamlessly but it doesn't, and focussing on it misses the point of the original article I posted.


In fact if you're building your own machine to run Linux (or even Windows 8,) your motherboard may not come with Secure Boot enabled at all. You can certainly install Win 8, Linux or dual boot in that case without any problems. The only people who will have to worry are those who have Windows 8 pre-installed on (say) a Dell x86 computer and want to dual boot Linux. In that case they will have to switch it off.

At this point in time you still have the option to go with legacy boot using BIOS and MBR, or if you wish UEFI and GPT. The choice is still there.

Edited by raymac46

Hello,

 

There are plenty of other certificate authorities out there besides VeriSign.

 

Comodo, GoDaddy and Thawte all come to mind, and there's plenty of others.

 

Regards,

 

Aryeh Goretsky


Guest LilBambi

Secure Boot is a non-issue for Linux, it only affects Windows. Turn it off and forget about it. Sure it would be nice if it worked seamlessly but it doesn't, and focussing on it misses the point of the original article I posted.

 

That would depend on the computer/device. Not all devices have the ability to disable, even temporarily, SecureBoot:

 

  • If you have an ARM tablet running Windows RT (like the Surface RT or the Asus Vivo RT), then you will not be able to disable Secure Boot or install other OSes. Like many other ARM tablets, these devices will only run the OS they come with.
  • If you have a non-ARM computer running Windows 8 (like the Surface Pro or any of the myriad ultrabooks, desktops, and tablets with an x86-64 processor), then you can disable Secure Boot completely, or you can install your own keys and sign your own bootloader. Either way, you can install a third party OS like a Linux distro or FreeBSD or DOS or whatever pleases you.

 

From HowToGeek.com:

 

If I Buy a Computer with Windows 8 and Secure Boot Can I Still Install Linux?

 

How to Boot and Install Linux on a UEFI PC With Secure Boot

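The "install your own keys and sign your own bootloader" option in the post above, and Matthew Garrett's proposal for enrolling keys linked earlier in the thread, both come down to what sits in the firmware's signature databases: db (allowed signers and image hashes) and dbx (forbidden ones). The following is an added example, not code from this thread or from any of the projects it links: it builds and parses the EFI_SIGNATURE_LIST structures those variables hold, reads the SecureBoot variable the way it appears under /sys/firmware/efi/efivars, and models the allow/deny decision. The structure layout and the two signature-type GUIDs follow the UEFI specification; the owner GUID, the "certificate" bytes and the image hashes are constructed sample data, and the Authenticode signature check itself is assumed rather than performed.

```python
"""Added example, not from the thread or the projects it links: a small model
of the UEFI Secure Boot signature databases (db = allowed, dbx = forbidden).

The EFI_SIGNATURE_LIST layout and the two signature-type GUIDs follow the UEFI
specification. Everything else (owner GUID, "certificate" bytes, image hashes)
is constructed sample data, not a real Microsoft, Verisign or OEM key.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (a GUID and three little-endian UINT32s).
_HDR = struct.Struct("<16sIII")


def build_siglist(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST; every entry must be the same size."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one list must all be the same size")
    sig_size = 16 + sizes.pop()  # EFI_SIGNATURE_DATA: owner GUID + data
    body = b"".join(owner.bytes_le + e for e in entries)
    return _HDR.pack(sig_type.bytes_le, _HDR.size + len(body), 0, sig_size) + body


def parse_siglists(blob):
    """Yield (sig_type, owner, data) for each entry in a db/dbx variable."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        end = off + list_size
        pos = off + _HDR.size + hdr_size
        if (end > len(blob) or pos > end or sig_size <= 16
                or (end - pos) % sig_size):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=raw_type)
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, bytes(blob[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def efivar_payload(raw):
    """Files under /sys/firmware/efi/efivars start with 4 attribute bytes."""
    if len(raw) < 4:
        raise ValueError("efivars file too short")
    return raw[4:]


def secure_boot_enabled(raw_secureboot_var):
    """SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c is one byte: 1 = on."""
    return efivar_payload(raw_secureboot_var)[:1] == b"\x01"


def image_allowed(db, dbx, image_hash, signer_cert=None):
    """Model of the firmware decision: a dbx hit always denies, then db must match.

    Assumption: when `signer_cert` is given, the image's Authenticode signature
    is treated as already verified; only the certificate's enrolment is checked.
    """
    def matches(blob):
        for sig_type, _owner, data in parse_siglists(blob):
            if sig_type == EFI_CERT_SHA256_GUID and data == image_hash:
                return True
            if (sig_type == EFI_CERT_X509_GUID and signer_cert is not None
                    and data == signer_cert):
                return True
        return False

    if matches(dbx):
        return False
    return matches(db)


# Constructed sample data: an arbitrary owner GUID, a placeholder "certificate"
# and two fake bootloader images, one of which has been revoked via dbx.
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
FAKE_CERT = b"-- constructed DER placeholder, not a real certificate --"
GOOD_HASH = hashlib.sha256(b"constructed bootloader image #1").digest()
REVOKED_HASH = hashlib.sha256(b"constructed bootloader image #2").digest()

DB = (build_siglist(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
      + build_siglist(EFI_CERT_SHA256_GUID, OWNER, [GOOD_HASH, REVOKED_HASH]))
DBX = build_siglist(EFI_CERT_SHA256_GUID, OWNER, [REVOKED_HASH])

if __name__ == "__main__":
    print("secure boot on:", secure_boot_enabled(b"\x07\x00\x00\x00\x01"))
    for sig_type, owner, data in parse_siglists(DB):
        print(sig_type, owner, data[:8].hex())
    print("good image:", image_allowed(DB, DBX, GOOD_HASH))
    print("revoked image:", image_allowed(DB, DBX, REVOKED_HASH))
    print("unknown hash, enrolled signer:",
          image_allowed(DB, DBX, b"\0" * 32, FAKE_CERT))
```

The point the model makes explicit is the ordering: the revoked image is still listed in db, but the dbx entry wins, which is why revocation works without re-issuing db. On a real machine you would feed `parse_siglists` the payload of the db-d719b2cb-3d3a-4596-a3bc-dad00e67656f file from efivars (after stripping the attribute bytes the same way) and see the OEM's and Microsoft's certificates appear as EFI_CERT_X509 entries under their respective owner GUIDs.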

securitybreach

Hello,

 

There are plenty of other certificate authorities out there besides VeriSign.

 

Comodo, GoDaddy and Thawte all come to mind, and there's plenty of others.

 

Regards,

 

Aryeh Goretsky

 

GoDaddy? Ha... I wouldn't let them sign a cast much less something security related.


Hello,

 

I was just using Go Daddy as an example; it is not a company I would do business with, either. But the point stands that there are a lot of CAs out there.

 

Frankly, given the existing companies out there, I really would like to see the open source community start up a reasonably transparent CA (not to mention domain registrars, etc.) that operated as a non-profit.

 

Regards,

 

Aryeh Goretsky


securitybreach

Politics. The company supported SOPA.

 

Yup, they outright supported SOPA and then changed their mind because of the backlash.

GoDaddy backed one of the most destructive laws ever to threaten the internet. It was only after 50,000 GoDaddy users left in protest that they changed course.

http://www.authormedia.com/6-reasons-authors-should-avoid-godaddy/


V.T. Eric Layton

AH! OK, that answers that. Thanks, folks! I'll remember that in the future should I need a domain service or hosting service.


  • 4 months later...
Cluttermagnet

Roger-

Thanks for a truly great link! It's going to take me a good while to digest all that. I'll work at it. That guy writes very well, quite polished IMO. As he notes, UEFI itself is a work in progress, and his own piece rapidly evolved as soon as he released it and started getting comments. BTW I was totally occupied with some electronics design and building back last winter (northern hemisphere), so this thread pretty much flew by me at the time. Great discussion, guys...

