Complacency over SecureBoot

Comments, suggestions and questions about Linux Format magazine and the coverdiscs

Moderators: ChrisThornett, LXF moderators

Complacency over SecureBoot

Postby Nuke » Sat Aug 18, 2012 3:52 pm

In LXF162, Mayank Sharma's article, the penultimate Q-A says "there is no standard way of disabling SecureBoot" but Microsoft has "allowed OEMs to implement customised mechanisms for disabling the feature" (jolly decent of them, although not in ARM machines).

So if someone wants to install Linux on the Windows PC they bought from Currys etc (like most of us start), they must first clear the hurdle of finding out how to do it. Enough to put many off curiously trying a live Linux CD - something MS hate people doing because they might like it.

But disabling it might not even be possible. The PC builder is allowed but not required to offer a way to disable it and I suspect that most will not bother to do so. Even if it is possible to disable SecureBoot they will probably not bother to document it. The days of getting decent documentation with PCs (or any gadget) these days have long gone, other than shedloads of safety warnings and green hectoring. As long as Windows runs, the PC maker will regard it as job done. The only exceptions will be PCs made to order, such as for server farms, and home-built.

Then in the final Q-A he says "no one is arguing against the SecureBoot mecahnism". Wrong. I am, and looking at internet debates I am not alone (despite my sig, LoL), because I realise that it can and will be abused by a monopolist like MS. In a nutshell, this is part of an ongoing effort to turn PCs into appliances anchored to shopping, social media and paid entertainment - through narrow and controlled channels.
Unsolved mysteries of the Universe, No 13 :-
How many remakes of Anna Karenina does the World need?
User avatar
Nuke
LXF regular
 
Posts: 217
Joined: Wed Feb 09, 2011 12:11 pm
Location: Chepstow, UK

Postby wyliecoyoteuk » Sat Aug 18, 2012 4:36 pm

Actually, the MS spec requires that it must be possible to disable it on x86 ( and a sceptic would probably say that is so that win7 or XP can be installed) but not possible on ARM.

Whether this will change with windows9 is another matter.
The sig between the asterisks is so cool that only REALLY COOL people can even see it!

*************** ************
User avatar
wyliecoyoteuk
LXF regular
 
Posts: 3465
Joined: Sun Apr 10, 2005 10:41 pm
Location: Birmingham, UK

Postby Nuke » Sat Aug 18, 2012 6:41 pm

wyliecoyoteuk wrote:Actually, the MS spec requires that it must be possible to disable it on x86

So why are Fedora and Ubuntu bothering with SecureBoot at all? Why don't they just tell the user to disable it? Sounds like at least with Ubuntu that the user will need to roll his sleeves up and do some tinkering anyway. It is not as if Linux has much of a malware problem. :?

I have been told the spec (ie what PC makers must do to get that "made for Windows 8" sticker from MS, even though it is the first thing I would peel off) is here :-

http://msdn.microsoft.com/en-us/library ... 48188.aspx

On Page 121 I found this :-

18. Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement
the ability to disable Secure Boot via firmware setup. A physically present user must be
allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows
Server may also disable Secure Boot remotely using a strongly authenticated (preferably
public-key based) out-of-band management connection, such as to a baseboard
management controller or service processor. Programmatic disabling of Secure Boot either
during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling
Secure Boot must not be possible on ARM systems.


But though they require that it is possible to disable SecureBoot, what will this involve? "Firmware setup" could be anything, from going into the BIOS (or whatever it is being replaced by) and clearing a flag (something that would deter 90% of the population), to having to solder a link into the motherboard (99%). It would not stop me, it but will deter many from trying out Linux IMHO.
Unsolved mysteries of the Universe, No 13 :-
How many remakes of Anna Karenina does the World need?
User avatar
Nuke
LXF regular
 
Posts: 217
Joined: Wed Feb 09, 2011 12:11 pm
Location: Chepstow, UK

Postby bobthebob1234 » Sat Aug 18, 2012 6:45 pm

I seem to remember MS got a **** over IE and other things not so long ago, so if you can't turn off secure booting I wouldn't be surprised if (in the EU at least) they had to come up with a thing on boot asking if you really want to use windows, or would you rather use a free alternative :D


Or maybe I am in the land of the fairies again... :roll:
For certain you have to be lost to find the places that can't be found. Elseways, everyone would know where it was
User avatar
bobthebob1234
LXF regular
 
Posts: 1373
Joined: Thu Jan 03, 2008 9:38 pm
Location: A hole in a field

Postby Dutch_Master » Sat Aug 18, 2012 8:05 pm

IMO M$ will have another battle with the EU regulators on their hands if they stick to preventing anyone with an ARM based device to install anything other then win-8... But it seems Redmond is taking their chances once again... :roll:
Dutch_Master
LXF regular
 
Posts: 2460
Joined: Tue Mar 27, 2007 1:49 am

Postby johnhudson » Sat Aug 18, 2012 9:39 pm

In principle secure boot is a good thing; the immediate problem is the way MS proposes to implement it.

But since the article was written both Fedora and now SUSE have come up with ways of dealing with it and Fedora agrees that the SUSE approach - which builds on Fedora's initial approach - is an elegant solution.

http://www.h-online.com/security/news/item/SUSE-details-its-Secure-Boot-plans-1664699.html

Since it is now clear that it is perfectly feasible to install a distro on a chromebook, the issue of needing to buy Windows computers to get cheap hardware may have gone away.
johnhudson
LXF regular
 
Posts: 883
Joined: Wed Aug 03, 2005 1:37 pm

Postby Nuke » Sat Aug 18, 2012 11:18 pm

johnhudson wrote:In principle secure boot is a good thing; the immediate problem is the way MS proposes to implement it.


I do not entirely blame MS for this. It seems that if for example I want to replace a video card, the BIOS/UEFI will not accept it at boot time if the video card's public key is not already in its database, which it probably will not be if the PC is two years old and the card is new. This is between the video card maker and the BIOS/UEFI chip maker - nothing to do with MS. Windows (or Linux) is just one of several things involved at boot time that will need validation. MS's requirement is that the SecureBoot is enabled by default - they were hardly likely not to require a new industry security standard to be implemented by default. I blame the standard rather than MS.

But since the article was written both Fedora and now SUSE have come up with ways of dealing with it and Fedora agrees that the SUSE approach - which builds on Fedora's initial approach - is an elegant solution.

http://www.h-online.com/security/news/item/SUSE-details-its-Secure-Boot-plans-1664699.html


So UEFI is scarcely out on the street and major players like SUSE are already having in effect to patch it. That shows that it is a very bad standard indeed.

That link is interesting. Now there will be a database of public keys on your HD to which you can add eg to install Linux or that new video card, and then run some software to hash these into the BIOS/UEFI. Great. But doesn't this depart from the SecureBoot principle in that this is beginning to sound hackable by malware? Would we be no worse off if we simply turn off SecureBoot?

Since it is now clear that it is perfectly feasible to install a distro on a chromebook, the issue of needing to buy Windows computers to get cheap hardware may have gone away.


You have lost me there. You are telling me that I might not be able to use a PC any more so I should be satisfied with a Chromebook? To that hot place opposite Heaven with that idea.
Unsolved mysteries of the Universe, No 13 :-
How many remakes of Anna Karenina does the World need?
User avatar
Nuke
LXF regular
 
Posts: 217
Joined: Wed Feb 09, 2011 12:11 pm
Location: Chepstow, UK

Postby wyliecoyoteuk » Sun Aug 19, 2012 10:05 am

It will get be fairly easy to disable it, a click in the UEFI BIOS screen.
No more difficult than enabling CD booting, which is also often required to install an alternative OS.
Otherwise it would be impossible to install earlier versions of windows, so self-serving for MS.One question is whether win8 will still boot with it disabled
They have no such reasons on ARM.
Apple do the same, but they manufacture the hardware, whereas MS will not be fairly(at least not most of it) .
It will be interesting to see if the anti-trust watchdogs allow it.
The sig between the asterisks is so cool that only REALLY COOL people can even see it!

*************** ************
User avatar
wyliecoyoteuk
LXF regular
 
Posts: 3465
Joined: Sun Apr 10, 2005 10:41 pm
Location: Birmingham, UK

The Messenger

Postby geekybodhi » Mon Aug 20, 2012 9:42 pm

I am the humble deliverer of the news. To paraphrase the wise Huggy: I just lay it out for y'all to play it out.
geekybodhi
 
Posts: 8
Joined: Thu Apr 19, 2012 12:40 pm

Postby Mr. Flibble » Sat Aug 25, 2012 1:17 am

Rather than arseing aroung trying to disable it, I will simply look for machines that dont have it...and the manufacturers with monopoly boot enabled will be told why.

Even if I have to import one.

It may be the case that OEMs sell UEFI enabled machines with windows but also offer machines without it, with Linux pre-installed (the lazy Ubuntu option, no doubt).

These may sell for less than the windows version which just may persuade people to go for the linux version..especially if they are told they can install other OSs on the free one rather than the locked one.
Mr. Flibble
 
Posts: 11
Joined: Fri Mar 26, 2010 8:41 pm
Location: Ireland

Postby wyliecoyoteuk » Sat Aug 25, 2012 8:45 pm

UEFI (and almost certainly secure boot) will eventually be available on all motherboards.
UEFI is the replacement for the antiquated BIOS system.
I would be surprised if any manufacturer continues to make BIOS motherboards for much longer.

I already have 2 UEFI PCs (without secure boot) Neither are particularly cutting edge. Both run Ubuntu.
At work we have several that run RedHat, FreeNAS and Ubuntu server.
The sig between the asterisks is so cool that only REALLY COOL people can even see it!

*************** ************
User avatar
wyliecoyoteuk
LXF regular
 
Posts: 3465
Joined: Sun Apr 10, 2005 10:41 pm
Location: Birmingham, UK

Postby Fíona » Fri Aug 31, 2012 2:03 pm

I too am concerned by attempts by M$ prevent me choosing which distro I choose to use on my hardware. I am also not holding my breath waiting to see if the EU will protect my right to choose, after all, secure boot only on ARM is already the case and I haven't heard much in the way of dissent from Brussels.
I wanted to buy a new laptop so decided to get one before the launch of win8 next month.
I live in the Netherlands and cannot afford to wait on linux loaded hardware, it never seems to be available here, M$ is perhaps too powerful here.
Fíona
 
Posts: 56
Joined: Sun Mar 09, 2008 5:29 pm
Location: Netherlands

Postby wyliecoyoteuk » Fri Aug 31, 2012 7:13 pm

ARM Win8, iOS, and Android are all designed to be run on a tailored OS for a particular device, which it is sold with.
They are all mobile OSes.
Did anyone ever try to replace Symbian or WinCE OSes on embedded devices? In fact many of them are ROM based.
There have been custom ROMS for mobile devices, Palm, iPaqs, Sharp PDAs, and now smart phones.
iOS and Android devices can be "rooted", so I expect that there will be a way to do so on Win8 ARM, but really, why bother, just buy an Android device.
x86 devices will have secure boot, but it is mandated that it can be disabled if the user wishes.
The sig between the asterisks is so cool that only REALLY COOL people can even see it!

*************** ************
User avatar
wyliecoyoteuk
LXF regular
 
Posts: 3465
Joined: Sun Apr 10, 2005 10:41 pm
Location: Birmingham, UK


Return to Magazine and coverdiscs

Who is online

Users browsing this forum: No registered users and 2 guests

cron