Linux Foundation releases Windows Secure Boot fix

[Golden]

At long last, the Linux Foundation fix to Windows 8 Secure Boot lock-in is out, but it's not ready for ordinary users yet and not all Linux desktop fans are happy about it.

Read more : Linux Foundation releases Windows Secure Boot fix | ZDNet

 

[LittleJay]

With all this hassle regarding uEFI and secure boot, I will definitely be building my next computer.

 

[Lee]

Who really cares. Regardless of how many use this app it will not give raise to the Linux OS. I been using Linux Suse for ten years now and still it has not improved to the level of OS X (whatever) or Windows 7. Until it does it will remain a geek OS (including me).

 

[King Arthur]

Feeling happy for Linux, ill thoughts for Microsoft and UEFI Secure Boot for restricting user rights under the guise of "security".

 

[theog]

Feeling happy for Linux, ill thoughts for Microsoft and UEFI Secure Boot for restricting user rights under the guise of "security".

Secure boot: technical types spreading half-baked information

Linux distributions are making slow progress on implementing measures to ensure that their images available for download are bootable on hardware that has secure boot turned on.


Secure boot is a feature of the UEFI, the Unified Extensible Firmware Interface, a replacement for the BIOS.

Microsoft has implemented this feature on hardware certified for Windows 8 in a way that requires the exchange of cryptographic keys; since the company controls the key-signing authority, anyone who wants to create a bootable medium has to necessarily obtain a key from Redmond.

Misinformation is rife about secure boot, simply because people confuse UEFI with secure boot and think that support for the former means support for the latter. Many so-called technical types are as guilty as others of spreading wrong information.

mjg59 | Secure Boot distribution support

“Microsoft's real aim is to kill the aftermarket in used computers that have Win 8 installed by not allowing you to install something other than Windows”

Microsoft could just have refused to sign UEFI bootloaders. They didn't. That doesn't really fit in with what you're claiming.

If I buy a computer with Windows 8 and Secure Boot, will I still be able to install Linux? - Super User

First of all, Secure Boot is not something that Microsoft came up with. They're the first to widely implement it, but they didn't invent it. It's part of the UEFI specification, which is basically a newer replacement for the old BIOS that you're probably used to. UEFI is basically the software that talks between the OS and the hardware. UEFI standards are created by a group called the "UEFI Forum", which is made up of computing industry representatives including Microsoft, Apple, Intel, AMD, and a handful of computer manufacturers.

 

[King Arthur]

I did say "UEFI Secure Boot", IE: I was referring to the Secure Boot part of UEFI specifically, and also said I harbor ill will towards both MS and UEFI Secure Boot for what's happening on most PCs now. Not sure what you were going for there unless you were trying to reinforce my point.

 

[theog]

I did say "UEFI Secure Boot", IE: I was referring to the Secure Boot part of UEFI specifically, and also said I harbor ill will towards both MS and UEFI Secure Boot for what's happening on most PCs now. Not sure what you were going for there unless you were trying to reinforce my point.

Feeling happy for Linux, ill thoughts for Microsoft and UEFI Secure Boot for restricting user rights under the guise of "security".

Q: What restricting of user rights.
A: NONE.

 

[sdowney717]

This is appropriate, a pattern of behavior exists with MS.

Embrace, extend and extinguish - Wikipedia, the free encyclopedia

"Embrace, extend, and extinguish",[1] also known as "Embrace, extend, and exterminate",[2] is a phrase that the U.S. Department of Justice found[3] was used internally by Microsoft[4] to describe its strategy for entering product categories involving widely used standards, extending those standards with proprietary capabilities, and then using those differences to disadvantage its competitors.

You must also be an expert Linux user to even try to get this to work at this point.

I dont see how any cant see and if they still cant see then its no use trying to make them see.

 

[King Arthur]

I did say "UEFI Secure Boot", IE: I was referring to the Secure Boot part of UEFI specifically, and also said I harbor ill will towards both MS and UEFI Secure Boot for what's happening on most PCs now. Not sure what you were going for there unless you were trying to reinforce my point.

Feeling happy for Linux, ill thoughts for Microsoft and UEFI Secure Boot for restricting user rights under the guise of "security".

Q: What restricting of user rights.
A: NONE.

When people need to grovel to Microsoft to get permission (aka: buying a UEFI Secure Boot security key from MS) to run the operating systems of their choice on their computers (disabling UEFI Secure Boot may or may not be an option), that is a clear restriction of what a user can do with hardware that they own and is an obvious ethical problem.

UEFI Secure Boot may have been conceived with computer security and user safety in mind, but in reality it's currently only being used to facilitate monopolization of the market and create artificial incompatibility between operating systems (including older MS operating systems like Windows XP and 7) and UEFI Secure Boot-enabled hardware. A user should always have the right to install whatever they wish on their computers, no hardware or software vendor should be in a position to dictate what a user can and cannot do.

 

[theog]

UEFI & Secure Boot are not Mircosoft.

Unified Extensible Firmware Interface - Wikipedia, the free encyclopedia

specification was developed by Intel.

The UEFI specification is managed by the Unified EFI Forum.

Feeling happy for Linux, ill thoughts for Microsoft and UEFI Secure Boot for restricting user rights under the guise of "security".

My test rig with UEFI & Secure Boot.

HDD1 = Windows 8 in uEFI mode
HDD2 = Windows 7 in uEFI mode
HDD3 = Ubuntu in uEFI mode

Q: What restricting of user rights.
A: NONE.

 

[lehnerus2000]

Samsung Users & Sam Varghese

Q: What restricting of user rights.
A: NONE.

What about these Samsung users?
http://www.sevenforums.com/news/276413-samsung-laptops-bricked-booting-linux-using-uefi.html
It seems that the dreaded nebulous HW/SW mismatch is responsible.

How about Sam Varghese?
From this link:
Secure boot: technical types spreading half-baked information

I tested out a recent Sabayon image yesterday and while it does offer a menu that leads one to believe that it will boot after a key is installed, none of the keys provided work.

Sabayon users can't use it.

Garrett mentioned that Ubuntu 64-bit will boot on secure boot-enabled devices;
...
I tested it out sometime back and verified it; I also pointed out that it would not install on the same disk as Windows 8. One had to use a second disk.

This restricts anyone who doesn't have 2xHDD or 2xSSD (or some combination).

Garrett also mentioned that the recent test builds of Fedora 18 would support secure boot; while this is correct, the distribution cannot yet be installed on such systems, no matter if one has a single disk or two.

Fedora users can't use it.

I tested out an openSUSE 12.3 Milestone 2 release a few days back. It does not support secure boot yet - no ifs, or buts or shoulds.

OpenSUSE users can't use it.

The latest Debian test releases cannot boot on secure boot-enabled hardware either.

Debian users can't use it.

The only party who might benefit from this mess is MS (the OEMs and Linux Distro producers don't).

 

[King Arthur]

UEFI & Secure Boot are not Mircosoft.

You're missing the entire point. Any piece of computer that is "certified" for use with Windows 8, as in any computer that gets to party with the Windows 8 sticker, is obliged by Microsoft's requirements to activate UEFI Secure Boot and as a consequence bars any OS that does not have a security key from Microsoft from booting up. Computers that are "certified" for use with Windows 8 are going to make up the majority of the consumer desktop/laptop market. You see where this is going?

Microsoft through their Windows 8 certification program and abuse of UEFI Secure Boot is dictating what operating system a user can run on their hardware, in this case specifically Windows 8 and nothing else, unless the other software vendors and developers in question decide to pay Microsoft for the right to boot up on UEFI Secure Boot-enabled Windows 8-certified PCs.

Microsoft to stop Linux, older Windows, from running on Windows 8 PCs | ZDNet
The link above sums up what Microsoft is doing with UEFI Secure Boot nicely, I believe.

In addition, Microsoft has proven themselves to be anything but expedient and cooperative in distributing security keys even when Linux put up the white flag and decided to buy one in lieu of a workaround around UEFI Secure Boot.

You can say that Microsoft isn't stepping on users' rights all you want, but the fact remains that Microsoft is abusing UEFI Secure Boot in such a way as to forcibly ensure a Windows 8 monopoly on the general consumer PC market.

 

[logicearth]

Please. Any PC that is certified for Windows 8, has mandatory requirement for non-ARM systems to have SecureBoot user configurable, i.e., can turn it off. You want to install something other then Windows 8, turn SecureBoot off. And be done with it. SecureBoot is a none issue.

http://msdn.microsoft.com/en-us/library/windows/hardware/jj128256.aspx
Under: System.Fundamentals.Firmware.UEFISecureBoot, Section 18

Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv. A Windows Server may also disable Secure Boot remotely using a strongly authenticated (preferably public-key based) out-of-band management connection, such as to a baseboard management controller or service processor. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure Boot must not be possible on ARM systems.

For the majority of users who use computers (They don't dual-boot, or run some other system). SecureBoot is a damn good thing to have. For us, the minority users which is a very small minority, we can turn it off or configure it. So enough with this bullshit about it taking away user's rights.

 

[DavidE]

What about these Samsung users?
http://www.sevenforums.com/news/276413-samsung-laptops-bricked-booting-linux-using-uefi.html

As this link is to a post by me, here is a newer article with an update to this info...
AnandTech - Samsung Laptop UEFI Bugs: Not Just for Linux

I posted what I found in case anyone here runs into issues trying to help someone, and knowing this may help solve their problem...

 

[King Arthur]

Windows Hardware Certification Requirements for Client and Server Systems
Under: System.Fundamentals.Firmware.UEFISecureBoot, Section 18

I will admit I was unaware MS had changed its stance from leaving the ability to enable/disable UEFI Secure Boot to the discretion of hardware vendors to mandating that such a feature be present for certification. I stand corrected in that regard and support that mandate.

That said, I still remain skeptical of MS's willingness to act honorably especially when it is obvious MS wants to forcibly make Metro and its associated closed-ecosystem the next big thing. I honestly hate the direction general computing is going and MS's antics certainly aren't helping.