Secure boot issues - AVS Forum
Forum Jump: 
 
Thread Tools
post #1 of 8 Old 11-26-2012, 07:27 AM - Thread Starter
Rgb
AVS Special Member
 
Rgb's Avatar
 
Join Date: Apr 2000
Location: SE Michigan
Posts: 6,891
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 9 Post(s)
Liked: 18
The beginning of the end frown.gif

http://distrowatch.com/weekly.php?issue=20121126#qa
Quote:
In short, to get to the point where we can attempt to boot an alternative operating system we need to know our way through six steps:

Boot machine while pressing F10
Find Secure Boot in the menu tree, ignore warnings
Disable Secure Boot feature
Enable legacy boot options
Enable specific legacy devices, such as USB devices
Save and reboot while holding down F9

To the more technically minded, this might not seem so bad, but keep in mind these steps are performed without documentation, with no hints and with big warning pop-ups letting the user know what a bad idea disabling Secure Boot is. This is not something the average user is going to know how to do, nor will they likely want to follow through if they read the on-screen messages. This is a problem as much of the growth in the Linux community over the past decade has come from the ease of installing mainstream distributions. Distributions like Fedora and Ubuntu have made setting up a fresh install as simple as "Insert CD -> Click Next -> Next -> Next -> Enter a username and password->Next". Computers with Secure Boot remove that ease of use factor by throwing up hidden options, scary warnings and multiple menu items which must be accessed in a specific order before the user can even get to the "Insert CD" part of the installation process. Certainly, system administrators and more experienced users can work around these barriers, but there is a large portion of the public which is relatively inexperienced and willing to try Linux if it is easy to set up. Secure Boot means Linux is no longer simple to install, or even try, from detachable media.

Now, you might be thinking, as I was, that it was foolish of me to purchase a machine with Secure Boot in the first place. After all, I've been warning people about it for long enough I should have been more careful. That was what was going through my mind as I went through the long process of getting my thumb drive to be recognized as a boot device. But then, the next day, I went back to the merchant's website and discovered something. There is no mention of Secure Boot, UEFI or Windows 8 certification anywhere on the page. How is a consumer to know, even if they are aware of the feature, whether a machine is locked down or not? Software freedom requires vigilance and I fear that is more true now than it was a year ago. Be careful when shopping for new computers, it is easy to purchase more trouble than one bargained for.

No, not a big deal for us DIY'ers and typical forum members, and probably won't be an issue for DIY HTPC's built from parts, but most normal consumers will be seeing this.

It means that the 1000's of people who might have tried a linux distro by simply inserting a liveCD/DVD or live USB stick probably won't be saavy enough to figure this out and give up.

...which of course was the plan all along by MS and other big players.

I also question the reviewer's judgement re: buying *any* HP related product- I thought it was common knowledge for a few years now to avoid HP like the plague, *especially* among tech minded people who follow the industry and hardware. He should have his geek card revoked for not simply throwing together his own quad or 6/8 core box, or even going for a nice low cost quad core refurb from the geeks.com of the world.


To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.
Rgb is offline  
Sponsored Links
Advertisement
 
post #2 of 8 Old 11-26-2012, 08:15 AM - Thread Starter
Rgb
AVS Special Member
 
Rgb's Avatar
 
Join Date: Apr 2000
Location: SE Michigan
Posts: 6,891
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 9 Post(s)
Liked: 18
Linux Foundation UEFI Secure Boot key for Windows 8 PCs delays explained

http://www.zdnet.com/linux-foundation-uefi-secure-boot-key-for-windows-8-pcs-delays-explained-7000007841/
Quote:
You don't have to take my word for it. Bottomley reports that, even after jumping through various legal hoops, you can't "just upload a UEFI binary and have it signed First of all you have to wrap the binary in a Microsoft Cabinet file. Fortunately, there is one open source project that can create cabinet files called lcab. Next you have to sign the cabinet file with your Verisign key. Again, there is one open source project that can do this: osslsigncode. For anyone else needing these tools, they’re now available in my openSUSE Build Service UEFI repository."

"The final problem is that the file upload requires silverlight. Unfortunately, moonlight [an open-source Silverlight implementation] doesn’t seem to cut it and even with the version 4 preview, the upload box shows up blank, so time to fire up windows 7 under kvm [Linux's built-in hypervisor]. When you get to this stage, you also have to certify that the binary “to be signed must not be licensed under GPLv3 or similar open source licenses” I assume the fear here is key disclosure but it’s not at all clear (or indeed what 'similar open source licences' actually are)."

Legally that's troublesome, but at least the technical problems seemed in hand. Alas, the trouble was only beginning.

First, creating the cabinet file failed. Eventually Bottomley generated a working UEFI Secure Boot Linux pre-loader but the signing process still indicated that there had been a failure. When he asked Microsoft what was going on, the company replied, "Don’t use that file that is incorrectly signed. I will get back to you." Bottomley speculates that the problem is that the working Secure Boot binary key "is signed with a generic Microsoft key instead of a specific (and revocable) key tied to the Linux Foundation."

So it is that the Linux Foundation is still waiting "for Microsoft to give the Linux Foundation a validly signed pre-bootloader." Until that happens, booting and installing Linux on Windows 8 PCs will remain an order of magnitude harder than it is on earlier model PCs.

Apparently all the worst fears have been realized-

http://blog.hansenpartnership.com/adventures-in-microsoft-uefi-signing/
Quote:
However, in order to get your EFI binary signed, you have to do it via Microsoft’s sysdev centre.
Quote:
jejb says:
20 November 2012 at 23:28
Matthew Garret has some blog posts on why we’re in this situation but the quick precis is that only Microsoft has the OEM relationships, the existing capability to run a CA and, at the end of the day, is mandating secure boot via the windows 8 hardware certification requirements.

Turning off secure boot isn’t that easy: In a secure boot environment, an unsigned loader on a CD/DVD will look like it’s just unbootable media. That’s a pretty high hurdle to today’s people who expect stuff to just work.

http://mjg59.dreamwidth.org/

http://www.zdnet.com/blog/open-source/shuttleworth-on-ubuntu-linux-fedora-and-the-uefi-problem/11270


To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.
Rgb is offline  
post #3 of 8 Old 11-26-2012, 03:24 PM
AVS Special Member
 
waterhead's Avatar
 
Join Date: May 2007
Posts: 1,266
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 7 Post(s)
Liked: 12
I don't believe building your own PC will be an easy way around this. The secure boot is part of the BIOS, and as stated it is a requirement for Win 8. Any mobo manufacturer will want their boards to be Win 8 capable, so secure boot will most likely be on it.

As for HP, I got a refurbished HP desktop PC 14 months ago and I couldn't be happier with it. I checked how much it would cost to build one like it from scratch, and the HP was cheaper. And that was without counting the price of Win 7 that was installed on it (and which I almost never use).
waterhead is offline  
post #4 of 8 Old 11-27-2012, 04:14 AM
Advanced Member
 
bac522's Avatar
 
Join Date: Jan 2003
Posts: 901
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 47 Post(s)
Liked: 51
How did Princess Leia say it in Star Wars..."The more you tighten your grip, the more star systems will slip through your fingers"...M$ is losing control of the desktop. Yeah I know there are probably a gazzilion articles out there showing the strength of desktop PC's, but as more and more people move onto tablets and smart phones, you're going to see a crop of purpose built products starting to appear in our home theatre as well. We're seeing that already with the likes of Roku boxes, Android Sticks, the Raspberry PI, smart TV's, even home stereo receivers that are internet capable. As internet speeds increase to the home, the purpose of a HTPC diminishes further as cloud base video takes over with the likes of Netflix, Hulu, Amazon Instant Video, etc. So M$ can continue to tighten their grip, but it will only hurt them in the end!
bac522 is offline  
post #5 of 8 Old 03-03-2013, 03:23 PM
Senior Member
 
ikkuranus's Avatar
 
Join Date: Feb 2013
Posts: 201
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 15 Post(s)
Liked: 24
Quote:
Originally Posted by waterhead View Post

I don't believe building your own PC will be an easy way around this. The secure boot is part of the BIOS, and as stated it is a requirement for Win 8. Any mobo manufacturer will want their boards to be Win 8 capable, so secure boot will most likely be on it.

As for HP, I got a refurbished HP desktop PC 14 months ago and I couldn't be happier with it. I checked how much it would cost to build one like it from scratch, and the HP was cheaper. And that was without counting the price of Win 7 that was installed on it (and which I almost never use).

Secure boot is not a requirement for windows 8. You may run it on old fashion bios or even Gigabyte's hybrid efi which both don't have secure boot.

Comparing a refurb to a self built is just silly. Of course it is going to be cheaper as all the parts are slightly used. Also major brands like Hp, Dell etc are known for cheaping out on the psu and other parts and they most likely get a massive discount on windows since they order so many licenses. On top of that your machine comes preloaded with tons of crapware. Sure the crapware really don't matter if you are using linux but it does explain the cbeaper price.

Personally I doubt that any of the big name Diy motherboards will ever have secure boot permanently enabled or even turned on by default.

ikkuranus is offline  
post #6 of 8 Old 03-03-2013, 04:13 PM
 
quantumstate's Avatar
 
Join Date: Apr 2006
Posts: 1,694
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Liked: 17
...
quantumstate is offline  
post #7 of 8 Old 03-03-2013, 07:11 PM
AVS Special Member
 
waterhead's Avatar
 
Join Date: May 2007
Posts: 1,266
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 7 Post(s)
Liked: 12
Quote:
Originally Posted by ikkuranus View Post

Secure boot is not a requirement for windows 8. You may run it on old fashion bios or even Gigabyte's hybrid efi which both don't have secure boot.
That's not what I read:
Quote:
Microsoft faced criticism (particularly from free software supporters) for mandating that devices receiving its optional certification for Windows 8 have secure boot enabled by default using a key provided by Microsoft.

http://en.wikipedia.org/wiki/Windows_8#Secure_boot

And the "crapware" that you say it comes loaded with, in this section of AVS Forums, that would be anything Microsoft.
waterhead is offline  
post #8 of 8 Old 03-04-2013, 02:24 PM
Senior Member
 
ikkuranus's Avatar
 
Join Date: Feb 2013
Posts: 201
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 15 Post(s)
Liked: 24
Quote:
Originally Posted by waterhead View Post

That's not what I read:
http://en.wikipedia.org/wiki/Windows_8#Secure_boot

And the "crapware" that you say it comes loaded with, in this section of AVS Forums, that would be anything Microsoft.

Performing "load uefi defaults" on my Asrock Z77 Extreme 4 does in fact disable secure boot, proving that either Wikipedia is not right all the time or that Asrock don't follow the rules.

I have nothing against Linux or those who use it, but what you are saying only reinforces the idea that you should build your own.

Sure you might save some cash getting a refurbished prebuilt or even a new prebuilt, but indirectly you are still supporting Microsoft weather you use Windows or not. Even if Secure boot is enabled there is still a much better chance that you will be allowed to disable it on a DIY.

ikkuranus is offline  
Reply HTPC - Linux Chat

User Tag List

Thread Tools
Show Printable Version Show Printable Version
Email this Page Email this Page


Forum Jump: 

Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off