

Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 recommendation

reply to TuxRaiderPen

Re: Secure Boot Bootloader For Distributions Available Now

... and there he is.

TuxRaiderPen

join:2009-09-19

1 recommendation

reply to FF4m3
Here's a good review of the situation . . . . .

»distrowatch.com/weekly.php?issue ··· 21126#qa

quote:
Questions and Answers (by Jesse Smith)
Secure Boot has arrived

A few weeks ago one of my computers, a desktop machine, called it quits after many productive years of service. Following a respectful period of mourning, I decided to go out and get myself a new desktop computer. Nothing fancy, just a nice low-end box. I settled on HP's Pavilion P6-2310. The machine arrived in a timely manner, I hooked it up and realized that in my haste to get my shopping over with I had forgotten one important detail: Secure Boot.

Secure Boot, in case you missed all the excitement earlier, is a technology which is supposed to protect computer users from malware by ensuring only trusted software can boot on the machine. How this works is, essentially, the computer comes with a security key (or keys) and any operating system or boot loader which we want to run on the machine needs to have a corresponding key. The idea is malware won't be able to sneak onto the computer and get loaded into memory before the operating system. A side effect, which many do not believe to be a coincidence, is operating systems other than Windows 8 are prevented from booting too. For some reason these details had slipped my mind when I was shopping on-line. When I hooked up the new computer and booted for the first time I was suddenly reminded in an unpleasant way.

The first symptom was that I could not boot from any device except the hard disk. I was thrown into the Windows 8 set up process. The manuals which came with the computer do not mention, in any fashion, accessing the BIOS/UEFI, changing boot order or disabling Secure Boot. Typically in the past computers have displayed hints, such as "Press F1 to edit settings" or "Press F9 to change boot device" when they power up. Not in this case, no hints are given and we're left to trial and error. F10, I found, would grant me access to the machine's start-up configuration, but getting my thumb drive to boot took a few steps beyond that.

First I tried to simply change the boot order and was told this was not possible while Secure Boot was enabled. Hunting through the menus I finally found the Secure Boot feature and, selecting it, I was informed (via a big, red warning box) that disabling Secure Boot was dangerous and not recommended. Then I had to disable Secure Boot and re-enable "Legacy" boot options in the proper order and then, finally, I was able to enable specific devices from which I wanted to boot. After that I was able to boot from my thumb drive only if I knew to hold down F9 while the computer was starting up, we're not given that information.

In short, to get to the point where we can attempt to boot an alternative operating system we need to know our way through six steps:
1. Boot machine while pressing F10
2. Find Secure Boot in the menu tree, ignore warnings
3. Disable Secure Boot feature
4. Enable legacy boot options
5. Enable specific legacy devices, such as USB devices
6. Save and reboot while holding down F9

To the more technically minded, this might not seem so bad, but keep in mind these steps are performed without documentation, with no hints and with big warning pop-ups letting the user know what a bad idea disabling Secure Boot is. This is not something the average user is going to know how to do, nor will they likely want to follow through if they read the on-screen messages. This is a problem as much of the growth in the Linux community over the past decade has come from the ease of installing mainstream distributions. Distributions like Fedora and Ubuntu have made setting up a fresh install as simple as "Insert CD -> Click Next -> Next -> Next -> Enter a username and password->Next". Computers with Secure Boot remove that ease of use factor by throwing up hidden options, scary warnings and multiple menu items which must be accessed in a specific order before the user can even get to the "Insert CD" part of the installation process. Certainly, system administrators and more experienced users can work around these barriers, but there is a large portion of the public which is relatively inexperienced and willing to try Linux if it is easy to set up. Secure Boot means Linux is no longer simple to install, or even try, from detachable media.

Now, you might be thinking, as I was, that it was foolish of me to purchase a machine with Secure Boot in the first place. After all, I've been warning people about it for long enough I should have been more careful. That was what was going through my mind as I went through the long process of getting my thumb drive to be recognized as a boot device. But then, the next day, I went back to the merchant's website and discovered something. There is no mention of Secure Boot, UEFI or Windows 8 certification anywhere on the page. How is a consumer to know, even if they are aware of the feature, whether a machine is locked down or not? Software freedom requires vigilance and I fear that is more true now than it was a year ago. Be careful when shopping for new computers, it is easy to purchase more trouble than one bargained for.

This article outlines exactly what FUD ms is using to kill non ms OS install, and then silently and quietly remove the rule ability to disable this... you think it won't happen, your dilluted. This is ms, it will happen... tops 2-3 years... tops...
--
1311393600 - Back to Black.....Black....Black....


No_Strings
Premium,MVM,Ex-Mod 2008-13
join:2001-11-22
The OC
kudos:6
said by TuxRaiderPen:

... you think it won't happen, your dilluted.

Defeating it will require a concentrated effort, to be sure.

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

reply to TuxRaiderPen
The article just gives one more example, showing that the actual purpose of the "Secure Boot" is to protect computer from the user, who may want to boot a different (from Windows) OS, and not to protect computer from a boot virus. It's the user (and not the boot virus), who now has difficulties to find out how to get into BIOS menu, find out where related menu settings are, change those settings despite the scary warnings tossed at him, etc...

It's not about protection from boot viruses (as its proponents try to convince public). It's about DRM protection of the OS (Windows, in particular), that, by their lucrative desire, should be booted exclusively. And by implementing this "security measure" developers of the OS want to take complete control over computers. Then they may do whatever they want with it - playing endless ads, that user can't avoid, turn computer into their leasing property with subscription service, control over apps, that user can install and use, etc.

If you want an analogy, here is example - a phone, locked by provider. The only idea behind it is - you can't use the locked phone with any other provider. It is secured to the provider. Do you, customer, need this "security" feature? Definitely, no. Do you ask for it? No, not at all. Provider is the only one, who benefits from locking phone to itself.

Similarly here - do you want/need a computer that is locked into Windows OS? If you do, use "secure boot". It will protect computer from your desire to boot any other OS's...
--
Keep it simple, it'll become complex by itself...


Selenia
Gentoo Convert
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
reply to No_Strings
Are you guys for getting that Microsoft will have to convince hardware manufacturers to go along with disabling the switch that allows you to turn it off? Sure Microsoft can try and pay them off but there are many smaller manufacturers. This is the time for us to be responsible consumers and vote with our wallets. If manufacturers make more money selling to us techies than a Microsoft payoff, they will keep the feature to disable it. MS may pay off major players handsomely, but they won't pay off all the smaller ones.
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.


No_Strings
Premium,MVM,Ex-Mod 2008-13
join:2001-11-22
The OC
kudos:6
I'm all for getting onto a new topic. This one has been beaten bloody. That's just me, though.


Lagz
Premium
join:2000-09-03
The Rock
reply to TuxRaiderPen
said by TuxRaiderPen:

This article outlines exactly what FUD ms is using to kill non ms OS install, and then silently and quietly remove the rule ability to disable this... you think it won't happen, your dilluted. This is ms, it will happen... tops 2-3 years... tops...

About the time for their next OS release. The certification for their next OS may not have a stipulation to allow disabling of secure boot, once all this blows over of course.
--
When somebody tells you nothing is impossible, ask him to dribble a football.

TuxRaiderPen

join:2009-09-19
reply to FF4m3
Here is what ms wants... and why RT is locked down... it's only a matter of time till this moves to x86...

»news.cnet.com/8301-10805_3-57561 ··· -makers/

And this will lock out Linux and any other non ms OS... which is the goal... even if most here just refuse to see or accept it.
--
1311393600 - Back to Black.....Black....Black....