Re: UEFI SL 6x boot

2013-09-25 Thread Connie Sieh

On Tue, 24 Sep 2013, Yasha Karant wrote:


Let me see if I understand the current situation. This question was
prompted by the question of a  colleague attempting to use OpenSuSE (not
SL nor TUV) on UEFI Secure Boot who was not able to get a reliably
booted running operating environment.  The colleague wondered if SL
would fare better.

Depending upon the particular BIOS or BIOS equivalent, using MS Windows
8, it may be possible to disable Secure Boot and allow for SL to be


Using is not the "official status",  it is "Windows 8 logo" use that 
dictates secure boot.  And if it is enabled then it is required to have a 
way to disable it.  Please give the vendors a chance with turning secure 
boot off.



booted.  Secure Boot, and many other technologies put forward by,
through, or under the auspices of the monopoly primarily exist to move
forward the market share, return on investment, and general economic
wealth of the monopoly (not a surprise in oligopolistic non-market
economics).

SL with Fermilab participation is participating in projects that will
allow SL to boot on UEFI Secure Boot hardware without the use of any


This is only planned for SL 7 as RHEL 7 is expected to have secure boot 
ability.



monopoly operating environment software or applications -- Microsoft not
required.  Presumably, TUV is participating as well as TUV
supported-for-fee environments must be able to reliably boot and run on
UEFI Secure Boot platforms without the use of monopoly software to
enable the booting process.  Apple is not a matter for discussion
because Apple provides the entire hardware and software package, and
does not allow the use of MacOS on non-Apple hardware platforms.
Presumably VirtualBox and other means to allow MS Windows to run as a
guest environment has or will have some means to provide UEFI Secure
Boot to MS Windows guests requiring such.


Since the requirement is to be allowed to use the "windows 8 logo" not 
sure that this would be an issue.




At present, there is no production Linux that will reliably run on all
hardware platforms that use UEFI Secure Boot


That is true if you include Windows ARM systems because of the inability 
to disable "Secure Boot" .  x86_64 systems are a work in progress.
Depends on your definition of "production Linux".  Ubuntu 12.04.4 LTS 
should work.



-Connie Sieh


but only MS Windows
environments will do so on any hardware platform that proclaims
compliance with the monopoly ("certification").

Is the above substantially correct as of this instant?

Yasha Karant

On 09/24/2013 04:40 PM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:



Down, boy.

Scientific Linux is behind the times on available tools, because our
favorite upstream vendor has not yet released tools. Tools to work with
have been tested, effectively, with Fedora, and I expect our favorite
upstream vendor will include tools with release 7.x, which is not yet in
alpha or beta release. Check out
http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.html
for a good breakdown of the issues and trade-offs.

UEFI is part of the old "Palladium" project from Microsoft, relabeled as
"Trusted Computing". It is aimed squarely at DRM and vendor lock-in, not
security, for reasons that I could spend a whole day discussing. In the
meantime, yes, you can disable it for SL booting if needed, and reasonably
expect our favorite upstream vendor to have shims available when version 7
is published: they're already working well with recent Fedora releases. I'd
also *expect* those shims to be workable for SL 7, but someone may have to
plunk down some cash to get some keys signed, and spend some extra effort
to maintain the security needed for the relevant shims to work well with SL
kernels and environments.


Last week at LinuxCon North America the shim developers were still
developing.

I attended the UEFI Plugfest last week as part of Linux Con. Microsoft
gave a presentation on UEFI signing.  The presentation will be posted to
uefi.org website.

We are working on this.  Fermilab is a member of the UEFI forum .

-Connie Sieh




On Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant  wrote:


Secure boot is enabled.  Evidently, the only means to disable secure boot
requires that a secure boot loader/configuration program be running --
e.g., the MS proprietary boot loader (typically, supplied as part of MS
Windows 8) must be used to disable secure boot if the UEFI actually permits
this to be disabled (I have heard of some UEFI implementations that do not
permit secure boot truly to be disabled).

If Linux cannot handle this issue, then Linux is finished on all generic
(e.g., not Apple that supplies both the hardware and operating
environment
software under a restrictive proprietary for-profit intellectual
property
license) X86-64 hardware, as (almost?) all current such hardware is MS 8
(UEFI secure bo

Re: UEFI SL 6x boot

2013-09-25 Thread Connie Sieh

On Tue, 24 Sep 2013, Yasha Karant wrote:


To be specific, my colleague is using the licensed-for-free binary
download of current OpenSuSE that nominally supports UEFI Secure Boot --
and it does not work in fact on the hardware he has.  He did experiment
with a licensed copy of MS Win 8, and it would install on the same
platform without this issue (but absolutely is not what he wants or is
willing to use as a primary -- non-Virtual-Box running under -- OS.


Did your colleague discuss these issues with the "hardware vendor" to make 
sure what he was doing was correct?  Did he research/contact  OpenSuSE 
about his  secure boot issues?


-connie sieh


On 09/24/2013 09:55 AM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Yasha Karant wrote:


This thread started because my colleague is using SuSE and tried Ubuntu
-- and both failed to secure boot properly from the generic hardware to
which he upgraded.  This failure prompted a question about SL (as a
no-fee option for a TUV enterprise, commercial, supported, production
Linux base).

Evidently, the current answer for SL is that it is not UEFI Secure Boot
enabled, and SL 6x cannot reliably be installed upon such systems --
depending upon the quirks (or proprietary generosity) of the actual BIOS
supplier.


OpenSuSE supports "secure boot" not SuSE as I stated earlier.

I am sure it is only "recent" versions of OpenSuSE, Fedora and Ubuntu
that support "secure boot".

See the following for more info.  In particular pages 12 and 17.  There
are references to youtube videos on page 18 showing Windows 8 dual
booting with Ubuntu 12.10 .

http://events.linuxfoundation.org/sites/events/files/slides/LinuxConUEFIandLinuxBresniker.pdf



It is efi compliant.  If the bios vendor does not allow "secure boot" to
be turned off then one should "converse" with said vendor.

-connie sieh


Yasha Karant

On 09/24/2013 09:04 AM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Yasha Karant wrote:


Secure boot is enabled.  Evidently, the only means to disable secure
boot requires that a secure boot loader/configuration program be running
-- e.g., the MS proprietary boot loader (typically, supplied as part of
MS Windows 8) must be used to disable secure boot if the UEFI actually
permits this to be disabled (I have heard of some UEFI implementations
that do not permit secure boot truly to be disabled).


If the system is Windows 8 logo compatible and is x86_64 then a way to
disable "secure boot" must be provided by the hardware vendor.  This is
commonly done via an option in the "bios".  This requirement is part of
the "microsoft windows 8 logo requirements".  Note the method of
disabling is not defined by the UEFI spec.  So each vendor may do it
differently.

The only hardware that does not permit "secure boot" to be disabled is
arm based Windows.  The Windows logo requirements are at work here.


If Linux cannot handle this issue, then Linux is finished on all generic
(e.g., not Apple that supplies both the hardware and operating
environment software under a restrictive proprietary for-profit
intellectual property license) X86-64 hardware, as (almost?) all current
such hardware is MS 8 (UEFI secure boot) compliant.



At the moment Fedora, SuSE , Ubuntu all can handle "secure boot".  It is
expected that RHEL 7 will also handle it.  It is also possible to "sign"
your own kernel and place your keys in the "bios".

-connie


Yasha Karant

On 09/23/2013 10:29 PM, Connie Sieh wrote:

On Mon, 23 Sep 2013, Yasha Karant wrote:


A colleague who uses SuSE non-enterprise for his professional
(enterprise) workstations has now attempted to load the latest SuSE on a
machine with a new generic (aftermarket) "gamer" UEFI  X86-64
motherboard.  It does not properly boot.  I do not have any UEFI
motherboards, and thus no experience with SL6x on such motherboards.


Is "secure boot" enabled in the UEFI ?



Does anyone?  Does SL6x boot correctly (and easily) on a UEFI
motherboard?  If so, he may switch to SL.


Yes as long as "secure boot" is disabled .



Yasha Karant



-connie sieh








Re: UEFI SL 6x boot

2013-09-25 Thread Yasha Karant
I apologize for including the entire thread below to respond to just one 
point.


quoting:
Ubuntu 12.04.4 LTS should work.

End quote,

As I have not kept current on the Ubuntu (or Debian) Linux efforts, I do 
not know the status of the above release.  Assuming that it is a 
production release, supported for those who have an Ubuntu-compatible 
support contract, then my colleague did try it, and found it would not 
reliably work on the specific aftermarket generic motherboard he was 
attempting to use.  The specific board did work for MS Win 8 using UEFI 
Secure Boot ("the vendor lock-in" from a different post not from me), 
but not reliably with Ubuntu.  I will attempt to find out the specifics 
if there is interest; however, it was this effective failure that 
prompted the question to me (as a user/proponent of EL, and specifically 
SL as a professionally developed/deployed stable production environment 
capable of supporting "modern" applications, such as VirtualBox, on both 
servers and workstations including professional laptops).


The other issue is "waiting" for the vendors to "catch-up" and 
distribute truly UEFI Secure Boot compliant hardware (e.g., 
motherboard).  In the particular case of my colleague, he positively 
needed to change out the motherboard now (no time to wait).  No spare 
new motherboard of the type he needed was in local inventory, and thus 
he ordered a current production new motherboard from a major aftermarket 
generic motherboard manufacturer/vendor.  This new acquisition -- vital 
to maintain the production machines used to support our research effort 
-- was the reason for my first posting.  Note that we are a 
multi-distribution site even for research; although all of our research 
servers are SL (we retired our last BSD server last year) -- we allow 
any OS environment on a workstation supported by the researcher provided 
the OS and applications do not require proprietary protocols (thus, we 
require IETF, W3C, etc., operational compliance, using SMTP, IMAP, SSH 
with X, etc., protocols).  Almost all of the workstation systems are 
either some type of Linux or MacOS X.


Again, my apologies for the length -- is a snip within a reply 
appropriate for this list using the same subject line (same thread)?


Yasha Karant

On 09/25/2013 07:57 AM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Yasha Karant wrote:


Let me see if I understand the current situation. This question was
prompted by the question of a  colleague attempting to use OpenSuSE (not
SL nor TUV) on UEFI Secure Boot who was not able to get a reliably
booted running operating environment.  The colleague wondered if SL
would fare better.

Depending upon the particular BIOS or BIOS equivalent, using MS Windows
8, it may be possible to disable Secure Boot and allow for SL to be


Using is not the "official status",  it is "Windows 8 logo" use that
dictates secure boot.  And if it is enabled then it is required to have
a way to disable it.  Please give the vendors a chance with turning
secure boot off.


booted.  Secure Boot, and many other technologies put forward by,
through, or under the auspices of the monopoly primarily exist to move
forward the market share, return on investment, and general economic
wealth of the monopoly (not a surprise in oligopolistic non-market
economics).

SL with Fermilab participation is participating in projects that will
allow SL to boot on UEFI Secure Boot hardware without the use of any


This is only planned for SL 7 as RHEL 7 is expected to have secure boot
ability.


monopoly operating environment software or applications -- Microsoft not
required.  Presumably, TUV is participating as well as TUV
supported-for-fee environments must be able to reliably boot and run on
UEFI Secure Boot platforms without the use of monopoly software to
enable the booting process.  Apple is not a matter for discussion
because Apple provides the entire hardware and software package, and
does not allow the use of MacOS on non-Apple hardware platforms.
Presumably VirtualBox and other means to allow MS Windows to run as a
guest environment has or will have some means to provide UEFI Secure
Boot to MS Windows guests requiring such.


Since the requirement is to be allowed to use the "windows 8 logo" not
sure that this would be an issue.



At present, there is no production Linux that will reliably run on all
hardware platforms that use UEFI Secure Boot


That is true if you include Windows ARM systems because of the inability
to disable "Secure Boot" .  x86_64 systems are a work in progress.
Depends on your definition of "production Linux".  Ubuntu 12.04.4 LTS
should work.


-Connie Sieh


but only MS Windows
environments will do so on any hardware platform that proclaims
compliance with the monopoly ("certification").

Is the above substantially correct as of this instant?

Yasha Karant

On 09/24/2013 04:40 PM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:



Re: UEFI SL 6x boot

2013-09-25 Thread Alan Bartlett
On 25 September 2013 16:35, Yasha Karant  wrote:
>



>
> Again, my apologies for the length -- is a snip within a reply appropriate
> for this list using the same subject line (same thread)?
>



Yes, most certainly.

Alan.


Example of a successful non-EL Linux install on current UEFI secure boot motherboard

2013-09-25 Thread Yasha Karant
As it turns out, a colleague was able to install a different Linux 
distro on a UEFI secure boot motherboard, despite an initial failure, a 
distro that other respondents to the SL list did mention as supporting 
UEFI Secure Boot.  There are certain peculiarities involved, including 
the use of a VFAT (MS format) partition.  As it is likely that SL 7 will 
require the same mechanism(s) when it is released, I am presenting this 
information as probable preview of coming attractions  (Linux base tends 
to be the same across many different distributions because of the 
difficulty of re-inventing the details of hardware support -- even if 
details of such things as anaconda versus other installers are quite 
different and incompatible).  The below reference should be OpenSuSE 12.3 .


From a colleague:

Subject: suse 12.3 install

Got it working on my UEFI system, required a re-install

trick was -

1> ran their default disk allocation - gives you home partition, root 
partition, swap partition and (in my case) a 156 MB UEFI partition, 
which has to be formatted VFAT. When I tried to manually partition
without knowing this, did not work - there was no way of forcing it to 
install a non-uefi bootloader on an uefi motherboard, or to do the uefi 
trick on a linux partition.


2> suse requires graphics to finish installation from the partly 
installed disk drive rather than the dvd - this is a problem because I 
have an NVIDIA card and the nouveau driver does not work on it. The 
workaround is to select suse 12.3 safe mode on first boot into grub, this 
sets it into a default VESA mode which works on everything. I have it 
defaulting to runlevel 3, so once I was able to get past the install, I 
was able to kill nouveau and install the nvidia driver, it works fine.


3> my USB 3 works fine, but my USB 2 does not. this may be a "feature" 
of my Gigabyte GA-970A-UD3 motherboard, or it may be that I just haven't 
found the right one out of the exponential number of combinations I can 
set in the bios.

End quote.

Yasha Karant


Re: Example of a successful non-EL Linux install on current UEFI secure boot motherboard

2013-09-25 Thread Akemi Yagi
On Wed, Sep 25, 2013 at 1:16 PM, Yasha Karant  wrote:
> As it turns out, a colleague was able to install a different Linux distro on
> a UEFI secure boot motherboard, despite an initial failure, a distro that
> other respondents to the SL list did mention as supporting UEFI Secure Boot.
> There are certain peculiarities involved, including the use of a VFAT (MS
> format) partition.  As it is likely that SL 7 will require the same
> mechanism(s) when it is released, I am presenting this information as
> probable preview of coming attractions  (Linux base tends to be the same
> across many different distributions because of the difficulty of
> re-inventing the details of hardware support -- even if details of such
> things as anaconda versus other installers are quite different and
> incompatible).  The below reference should be OpenSuSE 12.3 .
>
> From a colleague:
>
> Subject: suse 12.3 install
>
> Got it working on my UEFI system, required a re-install

Could you confirm that Secure Boot was indeed enabled there? 'Secure
Boot' is the part that is problematic.

Akemi
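
One way to answer that question on the installed system, as an added example that is not part of the original thread: the script reads the `SecureBoot` and `SetupMode` UEFI variables through efivarfs and reports the filesystem type of the EFI System Partition (the VFAT partition mentioned above). It assumes efivarfs at /sys/firmware/efi/efivars and the ESP mounted at /boot/efi; the function names and the `make_sample` helper, which writes constructed sample data, are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): report Secure Boot state and the
# filesystem type of the EFI System Partition on a Linux host.
# Assumed paths: efivarfs at /sys/firmware/efi/efivars, ESP at /boot/efi.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e04fc19c43  # EFI global variable GUID

# An efivarfs file is 4 bytes of attributes followed by the variable data.
# SecureBoot and SetupMode are one-byte variables, so byte 5 is the value.
efivar_byte() {
    [ -r "$1" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# secureboot_state DIR -> enabled | disabled | setup-mode | unknown | not-uefi
secureboot_state() {
    [ -d "$1" ] || { echo not-uefi; return 0; }
    sb=$(efivar_byte "$1/SecureBoot-$EFI_GLOBAL_GUID") || { echo unknown; return 0; }
    sm=$(efivar_byte "$1/SetupMode-$EFI_GLOBAL_GUID") || sm=0
    if [ "$sm" = 1 ]; then
        echo setup-mode      # no Platform Key enrolled: signatures not enforced
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# esp_fstype MOUNTS_FILE MOUNTPOINT -> fstype of the last mount there, or "none"
esp_fstype() {
    [ -r "$1" ] || { echo none; return 0; }
    awk -v mp="$2" '$2 == mp { t = $3 } END { print (t == "" ? "none" : t) }' "$1"
}

# make_sample DIR SB SM: write constructed efivarfs-style files for a dry run
# (attributes 0x00000006 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, then the value).
make_sample() {
    mkdir -p "$1"
    printf "\006\000\000\000\00$2" > "$1/SecureBoot-$EFI_GLOBAL_GUID"
    printf "\006\000\000\000\00$3" > "$1/SetupMode-$EFI_GLOBAL_GUID"
}

# Optional arguments: efivars directory, mounts file, ESP mount point.
echo "Secure Boot: $(secureboot_state "${1:-/sys/firmware/efi/efivars}")"
echo "ESP fstype:  $(esp_fstype "${2:-/proc/mounts}" "${3:-/boot/efi}")"
```

A result of `disabled` or `setup-mode` means the firmware is not enforcing signatures, so a successful boot in that state says nothing about Secure Boot support in the distribution.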