dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
4757
share rss forum feed


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
reply to dave

Re: Complaint Against MS 'Secure Boot' Filed By EU Linux Group

said by dave:

said by markofmayhem:

Why is this being ignored? The first OS to support Secure Boot was Ubuntu!

Because Microsoft could force compliant OEMs to implement something entirely different in 3 years time and then Ubuntu wouldn't boot!

At least, that's the impression I get.

And then we would have an anti-trust lawsuit, but until Microsoft colludes, we have a universally open specification that multiple OS's recognize, utilize, and contribute to.

Shouldn't we be spending our time in the great fight that Microsoft won't allow the mp3 codec on Linux after Vista is.... oh wait, that never happened either.
--
Show off that hardware: join Team Discovery and Team Helix


FiReSTaRT
Premium
join:2010-02-26
Canada
Reviews:
·Velcom
reply to markofmayhem
said by markofmayhem:

You just install Ubuntu, Secure Boot doesn't need turned off unless something is buggy with your motherboard's firmware implementation (which is happening and being fixed rather timely over the last 2 years). Tiano, Aptio, SecureCore, and InsydeH2O all work flawlessly, but ODM's implementation of the db and dbx tables are... iffy sometimes.

In fact, Ubuntu beat Windows 8 to support Secure Boot... little known tidbit on this forum, as it crushes the dreams that Secure Boot is evil and thus must be a Microsoft invention.

But, whatever, we shouldn't let truth stand in the way of a fun olde lynch mob.

»web.dodds.net/~vorlon/wiki/blog/···u_12.10/

My statement was more of a commentary on the technical abilities of your garden variety Ubuntu user - many of them don't even know that they run a GNU/Linux distribution - they think that Ubuntu is just a new operating system written from scratch. Of course, their technical abilities begin and end with popping in a DVD and clicking on "Next". That means that it's questionable whether they can get into the BIOS and more importantly, whether they should be messing with it in the first place. That creates a huge hurdle for a person with zero technical ability (on par with your typical Mac user) if he/she wants to try a new operating system, but has to deal with the secure boot crap.
--
If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.
—George Bernard Shaw


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
said by FiReSTaRT:

said by markofmayhem:

You just install Ubuntu, Secure Boot doesn't need turned off unless something is buggy with your motherboard's firmware implementation (which is happening and being fixed rather timely over the last 2 years). Tiano, Aptio, SecureCore, and InsydeH2O all work flawlessly, but ODM's implementation of the db and dbx tables are... iffy sometimes.

In fact, Ubuntu beat Windows 8 to support Secure Boot... little known tidbit on this forum, as it crushes the dreams that Secure Boot is evil and thus must be a Microsoft invention.

But, whatever, we shouldn't let truth stand in the way of a fun olde lynch mob.

»web.dodds.net/~vorlon/wiki/blog/···u_12.10/

My statement was more of a commentary on the technical abilities of your garden variety Ubuntu user - many of them don't even know that they run a GNU/Linux distribution - they think that Ubuntu is just a new operating system written from scratch. Of course, their technical abilities begin and end with popping in a DVD and clicking on "Next". That means that it's questionable whether they can get into the BIOS and more importantly, whether they should be messing with it in the first place. That creates a huge hurdle for a person with zero technical ability (on par with your typical Mac user) if he/she wants to try a new operating system, but has to deal with the secure boot crap.

So, this is like someone who knows nothing about operating a nuclear reactor, but who might want to dabble in home fusion?

This argument gets more and more ridiculous every time I hear it.

"I have to be smart enough to boot into the bios and flip a switch before installing an operating system that didn't ship with my shrinkwrapped windows box. That's hard. I can't figure that out"

Um. Yeah. Well if you find that hard, you probably bought a shrinkwrapped PC with OS, which you will never ever change or update. Because, um, it's beyond you. That's why you bought one like this. You know, a computing appliance. Hell, no one is going to buy these anymore anyway, we all use iPads and Android tablets now.

Hell, you can run *nix in a free VM on that Windows box if you want to "try a new operating system" - it's a lot easier than slicking your box with a hardware install.

Clearly this is a case of a lawsuit for the sake of $. You know, like a patent troll lawsuit. Which we all hate.
--
My place : »www.schettino.us


intok

join:2012-03-15
reply to markofmayhem
said by markofmayhem:

Shouldn't we be spending our time in the great fight that Microsoft won't allow the mp3 codec on Linux after Vista is.... oh wait, that never happened either.

Restricted codecs are still not distributed by default by any major distros for fear of patent bullshit.

If you want to trust Microsoft to do the right thing go use their software. History shows that if they think they can further marginalize their competitors in the corporate space that much more they will do it.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 edit
reply to FF4m3
What people ought to be more concerned about is the incompetence of firmware programmers, but hey, it's not as much fun as railing at the Great Satan in Redmond.

(As far as I can tell, the Samsung balls-up was not related to Secure Boot).


OldGrayWolf

join:2007-10-06
reply to markofmayhem
said by markofmayhem:

Why is this being ignored? The first OS to support Secure Boot was Ubuntu!

Soft of...

On a dual boot with Windows 8 beside Fedora, SUSE, or Ubuntu, after installing and rebooting they do not go to the Grub 2 menu. You have to hit the Boot Select Hot Key at just the right time during boot to get a selection of OSs. Otherwise, it boots Windows 8. You have to do other modifications to get a dual boot OS selection menu that is convenient to use.


Lagz
Premium
join:2000-09-03
The Rock

1 edit
reply to FF4m3
Why do Linux installs not get to take advantage of secure boot? Why must it be disabled for Linux only? Why not let the consumer decide how to handle secure boot. Why doesn't the end user/ consumer have ultimate control. Is it that difficult to implement a secure boot system that the end user has total control over. When I am no longer able to use features of a newer bios, such as secure boot, on what ever hardware I bought new or used, then it smells of some form of DRM.
--
When somebody tells you nothing is impossible, ask him to dribble a football.

OZO
Premium
join:2003-01-17
kudos:2
It smells like DRM just because it is DRM, disguised as a genuine advantage to consumers...
--
Keep it simple, it'll become complex by itself...


No_Strings
Premium,MVM,Ex-Mod 2008-13
join:2001-11-22
The OC
kudos:6
reply to Lagz
Maybe I missed it, but I haven't seen a single post here defending Secure Boot. There have been multiple posts from people explaining how it works, attempts at debunking (sometimes wildly inaccurate) accusations and a few offering some explanations about how to work with or around it. Some of the latter suggest turning it off as an option.

One of the saner voices in the conversation is Matthew Garrett, whom I had the opportunity to hear at SCALE this year. Some of his thoughts on the matter are contained in the interview here: »www.socallinuxexpo.org/blog/inte···-garrett

While it doesn't do justice to his understated humor, the presentation is here: »www.socallinuxexpo.org/sites/def···2013.odp


Lagz
Premium
join:2000-09-03
The Rock
said by No_Strings:

Some of the latter suggest turning it off as an option.

If I buy a computer second hand that had been previously loaded with Windows 8, why then do I need to disable a feature of "my computer"?
--
When somebody tells you nothing is impossible, ask him to dribble a football.


No_Strings
Premium,MVM,Ex-Mod 2008-13
join:2001-11-22
The OC
kudos:6
You don't. In addition to the abundant scary boogie man stuff, there is a lot of fact-based information available you may find helpful..

»www.zdnet.com/how-i-installed-fe···0013464/

»www.linuxfoundation.org/sites/ma···orms.pdf

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to No_Strings
said by No_Strings:

Maybe I missed it, but I haven't seen a single post here defending Secure Boot.

Oh, all right. If you're the kind of computer user who thinks they need to run as root/admin "because it's my computer and I want to be in control", and you're the type of computer user who clicks "ok" after being told it's not a good idea, "because it's my computer and I want to be in control", then a little crypto protection that reassures you that, "yes, your kernel is now compromised" isn't such a bad idea.

Or, maybe, if you're an OS vendor with such a large customer base that, statistically speaking a large number will manage to shoot themselves in the foot without trying ("this neat registry hack let me define setSafety='off' which makes my 'puter run smoother"), then you might find it's worthwhile pursuing such a strategy.

All this is to say, it's not such a bad concept, though not one I particularly care for (I'm not fond of anything that makes a BIOS more complex, given that I define firmware as software written by hardware engineers).


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to No_Strings
said by No_Strings:

Maybe I missed it, but I haven't seen a single post here defending Secure Boot.

I have not been attacking secure boot. I also have not been defending it.

At present, I find it interesting, but I have not found a purpose for it.

Here's a hypothetical.

I have a linux laptop. Most of linux is inside an encrypted LVM. What's outside is what is needed for booting (the kernel, the "initrd" file, the grub2-efi configuration).

I am traveling overseas. When I return, the border agents seize my laptop, and hold it for two day before returning it.

If it still boots, using secure boot, can I be sure that it has not been tampered with?

And I think the answer is no. What's inside the encrypted LVM is likely safe, because I did not provide the border agents with the encryption key. But I don't see that I can be sure that everything in "/boot" and in the EFI booting partition, is safe. That is to say, I don't see that booting has been made secure.
--
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3; firefox 20.0


Lagz
Premium
join:2000-09-03
The Rock

1 edit
reply to No_Strings
said by No_Strings:

You don't. In addition to the abundant scary boogie man stuff, there is a lot of fact-based information available you may find helpful..

»www.zdnet.com/how-i-installed-fe···0013464/

»www.linuxfoundation.org/sites/ma···orms.pdf

So a computer that was shipped with secure boot enable running Windows 8 will let me install a Linux distro of my choosing without disabling the secure boot feature?

This is news to me and most here that suggested disabling secure boot. WOOHOOO Linux users rejoice we no longer have to disable secure boot when installing our favorite distro after receiving a computer pre-installed with Windows 8. You're not pulling my leg are you? You got a link to that?
--
When somebody tells you nothing is impossible, ask him to dribble a football.


No_Strings
Premium,MVM,Ex-Mod 2008-13
join:2001-11-22
The OC
kudos:6

1 recommendation

You're obviously more interested in trolling and appearing smart than reading the information I linked to or that's been posted in previous threads and failing at both.

Enjoy.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to nwrickert
Once physical access control of a machine has been lost/compromised, especially to a government agency, it is game over. That machine should no longer be considered trustworthy. Period.

But the hypothetical presented where physical access control of machine is lost/compromised is not what SecureBoot is really about.

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
said by NOYB:


Once physical access control of a machine has been lost/compromised, especially to a government agency, it is game over. That machine should no longer be considered trustworthy. Period.

But the hypothetical presented where physical access control of machine is lost/compromised is not what SecureBoot is really about.

In this hypothetical, Secure Boot can be used to lock down boot by using your own signing key that the border agents won't have. If they inject or change the files, so does the signing and checksum. If you believe a border agent has the intelligence to inject into the same program you have and result in the same checksum, then I have to suggest treatable medications available from a doctor.

Secure Boot can be used to only trust yourself, your own files, either through signing and compiling them yourself or adding their checksum to the DB tables (or both), including adding the generic Linux kernel and Windows bootloader to the DBX tables (excluding them). With encrypted file systems, you have the ability to chain trust from power on to user space, and can go one step further into chaining into the kernel, which chains onto modules if you so wish. The very scenario provided is showing the missing chain piece to all computers: boot space.

I have heard time and time again how Microsoft is a virus in this very forum, yet no one can connect the dots that Secure Boot can be used to shut-off and exclude Microsoft code from executing as well???
--
Show off that hardware: join Team Discovery and Team Helix


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
reply to OldGrayWolf
said by OldGrayWolf:

said by markofmayhem:

Why is this being ignored? The first OS to support Secure Boot was Ubuntu!

Soft of...

On a dual boot with Windows 8 beside Fedora, SUSE, or Ubuntu, after installing and rebooting they do not go to the Grub 2 menu. You have to hit the Boot Select Hot Key at just the right time during boot to get a selection of OSs. Otherwise, it boots Windows 8. You have to do other modifications to get a dual boot OS selection menu that is convenient to use.

You can setup either Grub 2 or the Windows Bootloader. This is no different than dual boots with any UEFI bootloading, regardless of Secure Boot.
--
Show off that hardware: join Team Discovery and Team Helix


intok

join:2012-03-15
reply to markofmayhem
The border guard doesn't have to, be smart enough to do this, they'll have a piece of kit made by someone with the skill to do this and they'll just plug your HDD into this kit and it'll do all the work for them.

They already do this for all your Android, Blackberry, Symbian, Windows Mobile and other devices no matter the security measures taken on them.

What makes you think they wouldn't do the same to your laptop?


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
said by intok:

The border guard doesn't have to, be smart enough to do this, they'll have a piece of kit made by someone with the skill to do this and they'll just plug your HDD into this kit and it'll do all the work for them.

They already do this for all your Android, Blackberry, Symbian, Windows Mobile and other devices no matter the security measures taken on them.

What makes you think they wouldn't do the same to your laptop?

Because the morphing encryption algorithm used on that hard drive will need reconstructed. The key changes every write, the access key's key changes every access, the passphrase to the key of the key's key is within 1,-billion zeros combination. They can copy the 1's and 0's and return the drive, with no injection on my laptop without my knowledge. But they are not able to inject any data, at all, without me knowing. To write to the drive would destroy the predicted pattern, violating the signature and checksum, not allowing me to boot the next time I hit the power button without accepting major changes (and can report what those changes are) all from chaining keys from MY signed bootloader through to the filesystem. Secure boot doesn't stop hard drive copying, that is what data encryption is for... two VERY different topics. I can chain signatures and checksums all the way back to the efivars, alerting me of state change in data every power-up, which is securing my boot process... MY boot process. If you change my data, my boot stops as the chain is destroyed; which is also part of the securing of a boot process.

This isn't new, secured mobile devices have employed varying levels of access and encryption for decades. It is now making it to the consumer desktop with dilution abound. Hardware is fast enough to do this during a post, now, where it used to take damn near 5 minutes for a remote access TPM like structure to do it just 10 years ago. Then again, local db and dbx tables are employed now, instead of big-boy security chroot init scripts dialing home to mama prior to allowing a boot sequence to begin (and also logging what device was booting, where, when, and why).

Your border guard can copy my hard drive and work on getting data off it for the next 100 trillion years of his life, but he isn't putting anything ON to that hard drive without me knowing. The tools and programs to add this to consumer Secure Boot will be around soon enough, just like LVM combined with dm-crypt is available for simple encryption tools for the masses.

The computer chick on Criminal Minds is not real...
--
Show off that hardware: join Team Discovery and Team Helix


intok

join:2012-03-15
And should they add a little something to a system ROM that runs along side the kernel at boot?


FF4m3

@rr.com
reply to FF4m3
Some clarification:

Windows 8 PC makers should tell users how to kill UEFI, Linux group demands - April 10, 2013:

According to the complaint seen by ZDNet, it has demanded a preliminary injunction that forces Microsoft to remove all wording that requires hardware makers to implement UEFI Secure Boot to gain 'Windows 8 Hardware Certification'. The group accuses Microsoft of using this certification to maintain its monopoly and stifling Linux.

Hispalinux wants Europe to impose a requirement on a list of 10 Windows 8 PC manufacturers, including HP, Lenovo and Dell, to spell out for consumers exactly how to deactivate UEFI and specify their rights. Other PC manufacturers on the list include Asus, Samsung, Toshiba, Acer, Sony, Packard Bell and Medion.

It also wants the vendors to determine how many certified Windows 8 devices it has sold within Europe and for them to define how Secure Boot has been implemented.



Lagz
Premium
join:2000-09-03
The Rock
reply to No_Strings
said by No_Strings:

You're obviously more interested in trolling and appearing smart than reading the information I linked to or that's been posted in previous threads and failing at both.

Enjoy.

Neither of those links nor any other "link" posted that I've read states that a user can simply install a linux OS with secure boot enable after having been previously installed with windows 8. Trolling, hardly. I read the two links you provided, as well as the other links, posted in this thread and have yet to see something you tout as being obvious! So the same question you failed to answer or anyone else remains unanswered. Why do linux users have to disable a "feature" of "their computer" to install linux that was pre-installed with windows 8?
--
When somebody tells you nothing is impossible, ask him to dribble a football.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
said by Lagz:

Why do linux users have to disable a "feature" of "their computer" to install linux that was pre-installed with windows 8?

Because the maker of the computer chose to include an MS key but not a Linux key. Because the PC vendor is just not that into you. You have no marketing clout.

If the PC vendor did not put the feaure in their BIOS at all, then you would be no worse off than you are after having disabled it. So your complaint seems to be "why does the device have a Windows-only feature?".

Likely the same reasoning that gives my Blu-Ray player the ability to stream from Netflix and nowhere else, or that gives my AV Receiver the ability to decode Apple lossless but not WMA lossless.

A no-cost feature that you don't use is the same as not having it. Your choice is to buy or not buy, right?


Lagz
Premium
join:2000-09-03
The Rock
said by dave:

said by Lagz:

Why do linux users have to disable a "feature" of "their computer" to install linux that was pre-installed with windows 8?

Because the maker of the computer chose to include an MS key but not a Linux key. Because the PC vendor is just not that into you. You have no marketing clout.

If the PC vendor did not put the feaure in their BIOS at all, then you would be no worse off than you are after having disabled it. So your complaint seems to be "why does the device have a Windows-only feature?".

Likely the same reasoning that gives my Blu-Ray player the ability to stream from Netflix and nowhere else, or that gives my AV Receiver the ability to decode Apple lossless but not WMA lossless.

A no-cost feature that you don't use is the same as not having it. Your choice is to buy or not buy, right?

So people who buy used computers are screwed unless they disable a feature of their computer. Sounds logical. That's like saying: "Hey Bob, you need to disable the cruise control feature of your car in order for your vehicle to operate properly."
--
When somebody tells you nothing is impossible, ask him to dribble a football.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
said by Lagz:

So people who buy used computers are screwed unless they disable a feature of their computer. Sounds logical. That's like saying: "Hey Bob, you need to disable the cruise control feature of your car in order for your vehicle to operate properly."

Hardly.

Rather, people who buy a used Windows computer with intent to use it for not-Windows will need to decide, before they buy it, whether they're going to get all pissy about a feature which wasn't designed for their OS, or they're going to disable it, or they're going to do whatever is necessary to enter a key appropriate to their OS distribution of choice.

It's hard for me to get upset about having to disable a feature I don't place any particular personal value on in the first place. And I don't think you really do, either. I think that if no-one had ever proposed a secure boot, you wouldn't be demanding one. But now that someone else has one, you claim to want it too.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
said by dave:

It's hard for me to get upset about having to disable a feature I don't place any particular personal value on in the first place.

Yes, well said.

For me, the main importance of Microsoft insisting on secure boot, is that they have forced manufacturers to move to UEFI. And while some UEFI implementations seem buggy at the moment, this is a good change. The old BIOS/MBR way of doing things has been held together with chewing gum and baling wire for the last 15 years and has reached a breaking point by now.
--
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3; firefox 20.0


intok

join:2012-03-15
said by nwrickert:

For me, the main importance of Microsoft insisting on secure boot, is that they have forced manufacturers to move to UEFI. And while some UEFI implementations seem buggy at the moment, this is a good change. The old BIOS/MBR way of doing things has been held together with chewing gum and baling wire for the last 15 years and has reached a breaking point by now.

I take it you never used any of the high end mobos with a BIOS with an incredibly good set of tools for overclocking and other features?


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
said by intok:

I take it you never used any of the high end mobos with a BIOS with an incredibly good set of tools for overclocking and other features?

Whatever does that have to do with having good standards for partitioning disks and booting operating systems?
--
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3; firefox 20.0


intok

join:2012-03-15
said by nwrickert:

Whatever does that have to do with having good standards for partitioning disks and booting operating systems?

Booting the OS kernel shouldn't have gotten any more difficult over the last few years.

The boot loader or OS should be handling the partitions or RAID, depending on the hardware to do it is just asking for trouble down the road since no 2 models of RAID controller are ever compatible even if they are faster then a softRAID.