Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-08 Thread Alan Bell

On 02/06/12 14:06, Nigel Verity wrote:
> Hi All
>
> If anybody can get a key from Verisign for $99 that makes a mockery of
> having secure boot in the first place.

no, that isn't how it works at all. It is possible for some people to
get a binary signed by Microsoft by paying $99 which goes to verisign.
You don't get the key and it isn't clear who can do it and what binaries
will get signed.

> We can take it as read that there are long term plans by Microsoft to
> tighten up the secure boot spec in the future in their favour.

yup, on ARM. Devices running Windows 8 on ARM will be pre-bricked at the
factory.

> To my mind, this first pass is just to establish the principle and
> getting all OEMs to adopt the spec. Making keys readily available will
> help MS to respond to legal challenges from non-tech savvy legislators.

Possibly. I would imagine they are expecting and preparing for antitrust
action. As a slightly pedantic point, legislators don't tend to make
legal challenges.

> I suspect that the secure boot technology will be hacked pretty
> quickly enabling we enthusiasts to stay up and running. Having to
> apply a hack as a fundamental part of Linux installation will not
> exactly help with promoting wider adoption, though.

disabling it on Intel isn't a hack, it would be a checkbox option in the
place you currently call the BIOS. ARM would require a hack.

> Regards
>
> Nige

--
Libertus Solutions http://libertus.co.uk


--
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/


Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-08 Thread Dave Morley
On 08/06/12 14:21, Alan Bell wrote:
> On 02/06/12 14:06, Nigel Verity wrote:
>> Hi All
>>
>> If anybody can get a key from Verisign for $99 that makes a
>> mockery of having secure boot in the first place.
>
> no, that isn't how it works at all. It is possible for some people
> to get a binary signed by Microsoft by paying $99 which goes to
> verisign. You don't get the key and it isn't clear who can do it
> and what binaries will get signed.
>
>> We can take it as read that there are long term plans by
>> Microsoft to tighten up the secure boot spec in the future in
>> their favour.
>
> yup, on ARM. Devices running Windows 8 on ARM will be pre-bricked
> at the factory.
>
>> To my mind, this first pass is just to establish the principle
>> and getting all OEMs to adopt the spec. Making keys readily
>> available will help MS to respond to legal challenges from
>> non-tech savvy legislators.
>
> Possibly. I would imagine they are expecting and preparing for
> antitrust action. As a slightly pedantic point, legislators don't
> tend to make legal challenges.
>
>> I suspect that the secure boot technology will be hacked pretty
>> quickly enabling we enthusiasts to stay up and running. Having
>> to apply a hack as a fundamental part of Linux installation will
>> not exactly help with promoting wider adoption, though.
>
> disabling it on Intel isn't a hack, it would be a checkbox option
> in the place you currently call the BIOS. ARM would require a
> hack.
>
>> Regards

But only devices running Windows, those running Android, Linux etc. by
default would have the switch disabled, which to my mind means that
Microsoft will basically try and undercut everyone and then you are
stuck with a device that can only ever have Windows on it.

However I can see Microsoft actually losing out here, they are already
the minority share in the phone market, they are worse off still in
the tablet market and with the release of ICS and the latest iOS
offering will be further behind again.


-- 
You make it, I'll break it!

I love my job :)
http://www.ubuntu.com
http://www.canonical.com


Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-08 Thread Alan Bell

On 08/06/12 14:41, Dave Morley wrote:
> But only devices Running Windows, those running android linux etc by
> default would have the switch disabled

they might do, or might have a Googley Android key. Come to that, there
could be ARM devices with a Canonical key that can only ever run signed
Ubuntu binaries. ARM could have lots of devices where the software and
hardware are inseparable (bit like all the other embedded devices where
the software is all on ROM, so not a massive change for the sector).


Alan.

--
I work at http://libertus.co.uk




Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-05 Thread scoundrel50a

On 03/06/2012 23:00, Bruno Girin wrote:
> On 03/06/12 19:03, Andres Muniz wrote:
>> thanks for the info guys! Got more than I need! I was a bit concerned
>> that some servers were using arm as well. But clearly it will not be
>> a problem.
>
> Well, until proved otherwise :-)
>
> Bruno

So what is the future of Ubuntu now that Microsoft are doing this. It
doesn't look too good..


Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-05 Thread Alan Pope
On 05/06/12 08:17, scoundrel50a wrote:
> So what is the future of Ubuntu now that Microsoft are doing
> this. It doesn't look too good..
 

I'm sure we have the best minds on it :)

Cheers,
-- 
Alan Pope
Engineering Manager

Canonical - Product Strategy
+44 (0) 7973 620 164
alan.p...@canonical.com
http://ubuntu.com/


Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-05 Thread alan c

On 05/06/12 08:17, scoundrel50a wrote:
> On 03/06/2012 23:00, Bruno Girin wrote:
>> On 03/06/12 19:03, Andres Muniz wrote:
>>> thanks for the info guys! Got more than I need! I was a bit concerned
>>> that some servers were using arm as well. But clearly it will not be
>>> a problem.
>>
>> Well, until proved otherwise :-)
>>
>> Bruno
>
> So what is the future of Ubuntu now that Microsoft are doing this. It
> doesn't look too good..

Keep calm, and carry on

--
alan cocks



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-03 Thread Bruno Girin
On 02/06/12 15:56, Alan Bell wrote:
>> Could linux foundation do the same for the servers? because they can
>> be cracked in a similar way?
>
> servers generally won't get the secure boot thing. Odd really because
> it kind of makes more sense to me in that context.


Probably because the biggest market for servers is corporate customers
who have their own IT department and who would very quickly go see
another supplier if they had to fiddle with settings in order to install
the operating system of their choice on their systems. For a typical
large corporate that regularly installs dozens of servers, any change in
installation procedure means:

  * Re-train the whole of IT,
  * Change all training and documentation material,
  * Update the process of how business units get servers commissioned,
  * Find a way to phase in the new process while phasing out the old one,
  * Getting confirmation from suppliers of what exact models will have
    UEFI so that they can have clear guidance: if model A, then do
    process 1 else do process 2,
  * Factor in additional costs and delays for the inevitable cock-ups
    that will happen.


It's an interesting game that Microsoft are playing and I'm wondering
whether their primary motivation is to lock competition out or to force
the last refuseniks off XP and onto a more recent version of Windows.
From an OEM perspective, what could happen is that you would see UEFI on
consumer ranges first, where customers tend to just go with what's
pre-installed, and then slowly see it appear on business ranges, where
customers tend to wipe the pre-installed OS and replace it with their
in-house image.

The fact that this logic is completely at odds with the security
benefits of UEFI secure booting only makes sense if you see it from an
accounting point of view: secure boot is a technical tool to mitigate
the risk of a server getting compromised. This is modelled as a risk
with associated cost (cost of rebuilding a compromised server, checking
if it's the only compromised one, potential reputation costs, etc). Most
companies already mitigate that risk using firewalls, intrusion
detection systems, etc. Mitigation is not perfect so there is a residual
risk with associated cost. UEFI secure boot is then an opportunity to
reduce this residual cost through additional mitigation. If the cost
saving that results from migrating the estate to UEFI secure boot is
lower than the cost of actually doing it, companies will just stay put
with what they have, accept the risk and pay the price whenever the risk
is realised.

So the fact that servers won't get the secure boot option is simply a
sign that nobody has yet managed to demonstrate that the cost of
introducing secure boot in a corporate environment was lower than the
potential cost of the risk it mitigates.

Cheers,

Bruno



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-03 Thread Bill Baker
On Sun, 2012-06-03 at 12:39 +0100, Bruno Girin wrote:
> On 02/06/12 15:56, Alan Bell wrote:
> any change in installation procedure means:
>   * Re-train the whole of IT,
>   * Change all training and documentation material,
>   * Update the process of how business units get servers
>     commissioned,
>   * Find a way to phase in the new process while phasing out the
>     old one,
>   * Getting confirmation from suppliers of what exact models will
>     have UEFI so that they can have clear guidance: if model A,
>     then do process 1 else do process 2,
>   * Factor in additional costs and delays for the inevitable
>     cock-ups that will happen.
>
> Cheers,
>
> Bruno

You missed one important step in the process of change:
The time spent by IT peeps running around like headless chickens going
oh no, not again!

-- 
Regards,
Bill B. [SuperEngineer]

--
-Registered Linux User 523667-
-Registered Ubuntu User 32366-
-Free  as in Freedom--




Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-03 Thread Andres Muniz
- Original message -
 On 02/06/12 15:56, Alan Bell wrote:
   Could linux foundation do the same for the servers? because they can
   be cracked in a similar way?
   
  
  servers generally won't get the secure boot thing. Odd really because
  it kind of makes more sense to me in that context.
  
 
 Probably because the biggest market for servers is corporate customers
 who have their own IT department and who would very quickly go see
 another supplier if they had to fiddle with settings in order to install
 the operating system of their choice on their systems. For a typical
 large corporate that regularly installs dozens of servers, any change in
 installation procedure means:
 
     * Re-train the whole of IT,
     * Change all training and documentation material,
     * Update the process of how business units get servers commissioned,
     * Find a way to phase in the new process while phasing out the old one,
     * Getting confirmation from suppliers of what exact models will have
         UEFI so that they can have clear guidance: if model A, then do
         process 1 else do process 2,
     * Factor in additional costs and delays for the inevitable cock-ups
         that will happen.
 
 
 It's an interesting game that Microsoft are playing and I'm wondering
 whether their primary motivation is to lock competition out or to force
 the last refuseniks off XP and onto a more recent version of Windows.
 From an OEM perspective, what could happen is that you would see UEFI on
 consumer ranges first, where customers tend to just go with what's
 pre-installed, and then slowly see it appear on business ranges, where
 customers tend to wipe the pre-installed OS and replace it with their
 in-house image.
 
 The fact that this logic is completely at odds with the security
 benefits of UEFI secure booting only makes sense if you see it from an
 accounting point of view: secure boot is a technical tool to mitigate
 the risk of a server getting compromised. This is modelled as a risk
 with associated cost (cost of rebuilding a compromised server, checking
 if it's the only compromised one, potential reputation costs, etc). Most
 companies already mitigate that risk using firewalls, intrusion
 detection systems, etc. Mitigation is not perfect so there is a residual
 risk with associated cost. UEFI secure boot is then an opportunity to
 reduce this residual cost through additional mitigation. If the cost
 saving that results from migrating the estate to UEFI secure boot is
 lower than the cost of actually doing it, companies will just stay put
 with what they have, accept the risk and pay the price whenever the risk
 is realised.
 
 So the fact that servers won't get the secure boot option is simply a
 sign that nobody has yet managed to demonstrate that the cost of
 introducing secure boot in a corporate environment was lower than the
 potential cost of the risk it mitigates.
 
 Cheers,
 
 Bruno
 

thanks for the info guys! Got more than I need! I was a bit concerned that some
servers were using arm as well. But clearly it will not be a problem.


Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-03 Thread Bruno Girin
On 03/06/12 19:03, Andres Muniz wrote:
> thanks for the info guys! Got more than I need! I was a bit concerned
> that some servers were using arm as well. But clearly it will not be a
> problem.


Well, until proved otherwise :-)

Bruno



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-02 Thread Nigel Verity

Hi All

If anybody can get a key from Verisign for $99 that makes a mockery of having
secure boot in the first place. We can take it as read that there are long term
plans by Microsoft to tighten up the secure boot spec in the future in their
favour.

To my mind, this first pass is just to establish the principle and getting all
OEMs to adopt the spec. Making keys readily available will help MS to respond
to legal challenges from non-tech savvy legislators.

I suspect that the secure boot technology will be hacked pretty quickly
enabling we enthusiasts to stay up and running. Having to apply a hack as a
fundamental part of Linux installation will not exactly help with promoting
wider adoption, though.

Regards

Nige


Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-02 Thread Andres Muniz
- Original message -
 On 01/06/12 13:58, Matt Wheeler wrote:
  On 1 June 2012 08:02, alan c aecl...@candt.waitrose.com wrote:
   Time has passed.
   The problem has now matured, and Fedora have accepted defeat and
   decided to pay to be allowed to use Microsoft restricted hardware.
   
   Implementing UEFI Secure Boot in Fedora Linux
   http://j.mp/KZykUS
  
  According to an update to that article, the money actually goes to
  verisign, and anyone can get a signing key from them for $99. So
  actually (without having looked into it any further) this looks like
  quite a reasonable solution to securing system booting in general.
  
  Anyone have any further insight?
 
 Only that Microsoft are the gatekeeper, and can change the rules
 whenever their brass neck allows them to, as they have just done.
 Rather clever, I think. Never trust the smile on a crocodile. Or its
 love of open source.
 
 On a day to day basis, if a machine has a mainboard which has a secure
 boot 'off' switch, then that is what I will use, because I do not want
 nor need Microsoft stuff. But if someone wants what we used to know
 as 'dual boot', then they will need to run day by day on the mainboard
 which is set FOR secure boot (for Windows 8), so the GNU/Linux OS will
 need to be suitably signed in that situation.
 
 For Ubuntu, WUBI comes to mind although I am aware that there are
 occasionally enough problems with some grub updates that I stopped
 recommending wubi a long time ago except for very short term trials.
 
 -- 
 alan cocks
 
 

I'm getting a bit confused now. Everybody seems Does the fedora payment of $99
to verisign mean that the computer that could or could not have windows
preinstalled will allow to install fedora and windows but not fedora
derivatives?
Would fedora users then have the ability to easily turn it off?
The ideal bit could be that fedora users could also avoid windows users on the
grounds that it's a probable source of malware?
Could linux foundation do the same for the servers? because they can be
cracked in a similar way?



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-02 Thread Alan Bell

On 02/06/12 14:26, Andres Muniz wrote:
> I'm getting a bit confused now.

http://mjg59.dreamwidth.org/12368.html

> Everybody seems Does the fedora payment of $99 to verisign mean that
> the computer that could or could not have windows preinstalled will
> allow to install fedora and windows but not fedora derivatives?

derivatives would be able to pay their own $99 (one off payment per
distro it would appear) they might have to prove they will use it
responsibly or something, I don't know. Alternatively other distros
could instruct users to turn off secure boot.

> Would fedora users then have the ability to easily turn it off?

turn what off?

> The ideal bit could be that fedora users could also avoid windows
> users on the grounds that it's a probable source of malware?

avoiding windows users is an interesting strategy, not sure that would
be easy to implement.

> Could linux foundation do the same for the servers? because they can be
> cracked in a similar way?

servers generally won't get the secure boot thing. Odd really because it
kind of makes more sense to me in that context.


--
Libertus Solutions http://libertus.co.uk




Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-01 Thread Matt Wheeler
On 1 June 2012 08:02, alan c aecl...@candt.waitrose.com wrote:
> Time has passed.
> The problem has now matured, and Fedora have accepted defeat and decided to
> pay to be allowed to use Microsoft restricted hardware.
>
> Implementing UEFI Secure Boot in Fedora Linux
> http://j.mp/KZykUS

According to an update to that article, the money actually goes to
verisign, and anyone can get a signing key from them for $99. So
actually (without having looked into it any further) this looks like
quite a reasonable solution to securing system booting in general.

Anyone have any further insight?

-- 
Matt Wheeler
m...@funkyhat.org



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2012-06-01 Thread alan c

On 01/06/12 13:58, Matt Wheeler wrote:
> On 1 June 2012 08:02, alan c aecl...@candt.waitrose.com wrote:
>> Time has passed.
>> The problem has now matured, and Fedora have accepted defeat and decided to
>> pay to be allowed to use Microsoft restricted hardware.
>>
>> Implementing UEFI Secure Boot in Fedora Linux
>> http://j.mp/KZykUS
>
> According to an update to that article, the money actually goes to
> verisign, and anyone can get a signing key from them for $99. So
> actually (without having looked into it any further) this looks like
> quite a reasonable solution to securing system booting in general.
>
> Anyone have any further insight?

Only that Microsoft are the gatekeeper, and can change the rules
whenever their brass neck allows them to, as they have just done.
Rather clever, I think. Never trust the smile on a crocodile. Or its
love of open source.

On a day to day basis, if a machine has a mainboard which has a secure
boot 'off' switch, then that is what I will use, because I do not want
nor need Microsoft stuff. But if someone wants what we used to know
as 'dual boot', then they will need to run day by day on the mainboard
which is set FOR secure boot (for Windows 8), so the GNU/Linux OS will
need to be suitably signed in that situation.

For Ubuntu, WUBI comes to mind although I am aware that there are
occasionally enough problems with some grub updates that I stopped
recommending wubi a long time ago except for very short term trials.


--
alan cocks



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-11-01 Thread James Morrissey
Just to be clear here, isn't there some relevance to the secure boot.
I mean even in Linux systems you wouldn't want malware to install
itself onto the software which runs the firmware. Wouldn't such
malware be a danger to all systems, be they Windows or Linux?

As such, as i understand it, the problem is not that MS are advocating
for secure boot. Instead it's that while they do so they are not
insisting that the secure boot option be something that can be
overridden, or switched off, if the user wishes to install a piece of
software that they approve of. Instead MS are just insisting that it
be switched on at sale of Windows 8 machines.

So, while i agree that MS's approach to secure boot is
anti-competitive behavior wrapped up in narrative of security, having
secure boot systems that could easily - and i mean in a totally user
friendly way (ideally through a GUI) - be switched off would be a good
thing for all users.

To my mind the issue then lies with manufacturers who are not bound to
make secure boot unchangeable. MS aren't playing fair, but that's
nothing to be surprised by. With this in mind shouldn't pressure be on
making manufacturers generate systems which allow the user both
security and the ability to choose their operating system. My sense is
this would be the best expenditure of our energies.

Is this right or have i missed something?

j

On 1 November 2011 06:30, Michael Holmes holmesm...@gmail.com wrote:
 On 31 October 2011 09:58, Robert Flatters robert.flatt...@gmail.com wrote:
 This will be a growing problem, if there is no step processes in place to
 get UEFI turned off you HP Guy will have big problems in the coming months.
 I fear Microsoft is trying to lockout Linux from installing on new machine.

 UEFI isn't something you turn off. It's a new loader for PC systems
 that replaces the BIOS - and for good reason. The BIOS works in 16-bit
 real mode, is slow to boot, and cannot boot hard drives over 2TB -
 which is now an issue. It also has very limited facilities to
 interface with hardware, hence why BIOS screens look like TTYs for the
 most part.

 You're confusing UEFI with the proposed UEFI security standard that
 is Secure Boot. They're not the same. UEFI alone does not prevent you
 from booting into Linux.

 Imagine that you want to buy glasses, and that the frames are
 UEFI/BIOS/whatever, and the lenses are operating systems.

 BIOS is like the old pair of frames you have that are a bit bent and
 scuffed, and generally becoming unfit for use. UEFI is like a new,
 stylish and modern set of frames. These new frames might not fit the
 old lenses, because of the different shape, but soon new lenses will
 hit the market that fit it. You are *not* being actively prevented
 from changing out the lenses at will.

 Secure Boot is different - imagine these new frames had a lock on
 them, and you had to go to an authorised vendor to fit in new
 authorised lenses. That lock is the equivalent of the UEFI Secure Boot
 initiative. Your freedom to change the lenses has been taken away,
 most likely under the pretence that lenses not certified for use
 with these frames could cause damage to your eyesight. In both
 cases, anti-competitive actions are being disguised with good
 intentions.

 HTH,
 Mike



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-11-01 Thread Avi Greenbury
James Morrissey wrote:
 
 As such, as i understand it, the problem is not that MS are advocating
 for secure boot. Instead it's that while they do so they are not
 insisting that the secure boot option be something that can be
 overridden, or switched off, if the user wishes to install a piece of
 software that they approve of.

No. Why would they? Much as it'd be nice for MS to insist that the
secure UEFI not get in anybody else's way, that's not really something
to expect them to do. This is the job of industry regulation.

 So, while i agree that MS's approach to secure boot is
 anti-competitive behavior wrapped up in narrative of security, having
 secure boot systems that could easily - and i mean in a totally user
 friendly way (ideally through a GUI) - be switched off would be a good
 thing for all users.

Well, it would add it to firewalls, administrator access and IE's
security controls - another item in the list of things that helpdesks
will insist you do to make sure their thing works before they offer to
help you further.

If it's to do the job it's intended to do, it has to be hard to turn
off. If it's easy to turn off, it might as well not be there.

-- 
Avi



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-11-01 Thread James Morrissey
 If it's to do the job it's intended to do, it has to be hard to turn
 off. If it's easy to turn off, it might as well not be there.

Couldn't you just have some form of password protection where, i don't
know, some sort of serial number is stuck to the bottom of your machine
and you need to enter this before secure boot will be turned off.
Possibly that would scare people away.

 Well, it would add it to firewalls, administrator access and IE's
 security controls - another item in the list of things that helpdesks
 will insist you do to make sure their thing works before they offer to
 help you further.

Sure, there are all sorts of ways that this empowers MS. I am not
suggesting that it's innocuous.

This being said, am i wrong that all systems would be vulnerable to
malware installing itself to the software that runs the firmware?

j

On 1 November 2011 16:54, Avi Greenbury li...@avi.co wrote:
 James Morrissey wrote:

 As such, as i understand it, the problem is not that MS are advocating
 for secure boot. Instead it's that while they do so they are not
 insisting that the secure boot option be something that can be
 overridden, or switched off, if the user wishes to install a piece of
 software that they approve of.

 No. Why would they? Much as it'd be nice for MS to insist that the
 secure UEFI not get in anybody else's way, that's not really something
 to expect them to do. This is the job of industry regulation.

 So, while i agree that MS's approach to secure boot is
 anti-competitive behavior wrapped up in narrative of security, having
 secure boot systems that could easily - and i mean in a totally user
 friendly way (ideally through a GUI) - be switched off would be a good
 thing for all users.

 Well, it would add it to firewalls, administrator access and IE's
 security controls - another item in the list of things that helpdesks
 will insist you do to make sure their thing works before they offer to
 help you further.

 If it's to do the job it's intended to do, it has to be hard to turn
 off. If it's easy to turn off, it might as well not be there.

 --
 Avi



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-10-31 Thread Alan Bell

On 31/10/11 09:58, Robert Flatters wrote:
> This will be a growing problem, if there is no step processes in place
> to get UEFI turned off

no, there won't be a process to turn off UEFI, that makes no sense. UEFI
is not a turnoffable thing. The Secure Boot feature that does not yet
exist in the wild needs to have a facility to allow the user to manage
the keys they want to trust.

> you HP Guy will have big problems in the coming months. I fear
> Microsoft is trying to lockout Linux from installing on new machine.

yes, they are, but not yet. These current machines are fully working,
the factory-bricked machines are not yet available, and won't be until
they come shipped with Windows 8. If someone says they have a machine
with Windows 7 on it that they can't install Ubuntu on then that is a
bug in Ubuntu, not the impending secure boot problem.


Alan

--
Libertus Solutions http://libertus.co.uk




Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-10-31 Thread Michael Holmes
On 31 October 2011 09:58, Robert Flatters robert.flatt...@gmail.com wrote:
 This will be a growing problem, if there is no step processes in place to
 get UEFI turned off you HP Guy will have big problems in the coming months.
 I fear Microsoft is trying to lockout Linux from installing on new machine.

UEFI isn't something you turn off. It's a new loader for PC systems
that replaces the BIOS - and for good reason. The BIOS works in 16-bit
real mode, is slow to boot, and cannot boot hard drives over 2TB -
which is now an issue. It also has very limited facilities to
interface with hardware, hence why BIOS screens look like TTYs for the
most part.

You're confusing UEFI with the proposed UEFI security standard that
is Secure Boot. They're not the same. UEFI alone does not prevent you
from booting into Linux.

Imagine that you want to buy glasses, and that the frames are
UEFI/BIOS/whatever, and the lenses are operating systems.

BIOS is like the old pair of frames you have that are a bit bent and
scuffed, and generally becoming unfit for use. UEFI is like a new,
stylish and modern set of frames. These new frames might not fit the
old lenses, because of the different shape, but soon new lenses will
hit the market that fit it. You are *not* being actively prevented
from changing out the lenses at will.

Secure Boot is different - imagine these new frames had a lock on
them, and you had to go to an authorised vendor to fit in new
authorised lenses. That lock is the equivalent of the UEFI Secure Boot
initiative. Your freedom to change the lenses has been taken away,
most likely under the pretence that lenses not certified for use
with these frames could cause damage to your eyesight. In both
cases, anti-competitive actions are being disguised with good
intentions.

HTH,
Mike



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-10-30 Thread Michael Holmes
On 30 October 2011 15:19, alan c aecl...@candt.waitrose.com wrote:

 ... “My friend recently got an HP s5-1110 with Win 7 installed.
 UEFI has prevented the installation of GRUB on this machine.

This is going to happen even if you don't have Secure Boot. UEFI and
BIOS *do not* have compatible boot systems. You need a UEFI compatible
bootloader like eLILO or a UEFI compatible version of GRUB - which as
far as I know, doesn't ship with Ubuntu by default. Since there have
been workarounds on most systems as of date that allow UEFI systems to
run BIOS bootloaders, such as Boot Camp on Intel Macs or a BIOS Mode
on most PC motherboards, it's generally not been necessary to include
a UEFI bootloader with Ubuntu.

This wiki page might help: https://help.ubuntu.com/community/UEFIBooting

But what you need to know is that this probably isn't the Secure Boot
lockout everyone has been worrying about. As far as I know the Windows
7 bootloader isn't signed for Secure Boot (but I could be wrong).



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-10-30 Thread Andy Braben
I would also think it unlikely to be UEFI that is causing the problem.

I came across an occurrence some years ago, where I could not get an Ubuntu
CD to boot up despite setting the BIOS. There turned out to be some weird
configuration of key presses necessary when booting up at the BIOS stage.

More recently I was trying to put Ubuntu on a modern Toshiba netbook. It
didn't matter what I did, it just would not boot up from an image on a
flash drive. I was on the verge of giving up but decided to try with a CD
in a USB connected drive. That worked.

Andy.

On 30 October 2011 16:22, Michael Holmes holmesm...@gmail.com wrote:

 On 30 October 2011 15:19, alan c aecl...@candt.waitrose.com wrote:

  ... “My friend recently got an HP s5-1110 with Win 7 installed.
  UEFI has prevented the installation of GRUB on this machine.

 This is going to happen even if you don't have Secure Boot. UEFI and
 BIOS *do not* have compatible boot systems. You need a UEFI compatible
 bootloader like eLILO or a UEFI compatible version of GRUB - which as
 far as I know, doesn't ship with Ubuntu by default. Since there have
 been workarounds on most systems as of date that allow UEFI systems to
 run BIOS bootloaders, such as Boot Camp on Intel Macs or a BIOS Mode
 on most PC motherboards, it's generally not been necessary to include
 a UEFI bootloader with Ubuntu.

 This wiki page might help: https://help.ubuntu.com/community/UEFIBooting

 But what you need to know is that this probably isn't the Secure Boot
 lockout everyone has been worrying about. As far as I know the Windows
 7 bootloader isn't signed for Secure Boot (but I could be wrong).





-- 
Regards,
Andy


Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-10-30 Thread Colin Watson
On Sun, Oct 30, 2011 at 04:22:05PM +, Michael Holmes wrote:
 On 30 October 2011 15:19, alan c aecl...@candt.waitrose.com wrote:
  ... “My friend recently got an HP s5-1110 with Win 7 installed.
  UEFI has prevented the installation of GRUB on this machine.
 
 This is going to happen even if you don't have Secure Boot. UEFI and
 BIOS *do not* have compatible boot systems. You need a UEFI compatible
 bootloader like eLILO or a UEFI compatible version of GRUB - which as
 far as I know, doesn't ship with Ubuntu by default.

Actually it does (on 64-bit images), but of course that doesn't
guarantee that it will work as it's generally less well-tested at the
moment.

I agree with Alan that this is unlikely to have anything to do with
Secure Boot.  I haven't heard of systems actually shipping yet with a
new enough version of UEFI to be affected by that, and in any case I
would be inclined to apply Occam's Razor.

-- 
Colin Watson   [cjwat...@ubuntu.com]



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-10-30 Thread Alan Pope
On 30 October 2011 18:59, Colin Watson cjwat...@ubuntu.com wrote:
 Actually it does (on 64-bit images), but of course that doesn't
 guarantee that it will work as it's generally less well-tested at the
 moment.


I have installed on my EFI enabled MacBook Pro from these images.

 I agree with Alan that this is unlikely to have anything to do with
 Secure Boot.  I haven't heard of systems actually shipping yet with a
 new enough version of UEFI to be affected by that, and in any case I
 would be inclined to apply Occam's Razor.


Unfortunately the blog post has been spammed around the place, and is
now generating quite a buzz. Whilst we need to be aware of the issues
relating to secure boot, I don't think a scare campaign is quite
what's needed.. yet.

Al.



Re: [ubuntu-uk] heads up - Secure Boot Problems for Linux Users Are Here Already

2011-10-30 Thread Michael Holmes
On 30 October 2011 18:59, Colin Watson cjwat...@ubuntu.com wrote:
 On Sun, Oct 30, 2011 at 04:22:05PM +, Michael Holmes wrote:
 On 30 October 2011 15:19, alan c aecl...@candt.waitrose.com wrote:
  ... “My friend recently got an HP s5-1110 with Win 7 installed.
  UEFI has prevented the installation of GRUB on this machine.

 This is going to happen even if you don't have Secure Boot. UEFI and
 BIOS *do not* have compatible boot systems. You need a UEFI compatible
 bootloader like eLILO or a UEFI compatible version of GRUB - which as
 far as I know, doesn't ship with Ubuntu by default.

 Actually it does (on 64-bit images), but of course that doesn't
 guarantee that it will work as it's generally less well-tested at the
 moment.

Well, my apologies - guess I should do my research! Of course, it
doesn't preclude the possibility that this person downloaded the i386
ISO, which doesn't include the UEFI-capable GRUB.

Of course, this is still hardly specific vendor lock-out to Linux -
OSes shipping with UEFI bootloaders can still boot, and Vista or the
i386 edition of Windows 7 wouldn't be able to boot either.

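The distinction drawn throughout this thread (a UEFI/BIOS bootloader mismatch versus a Secure Boot block) can be checked on a running system. The script below is an added example, not part of any message above: the function names are hypothetical, and it assumes a current Linux kernel that exposes firmware variables through efivarfs under /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example: tell a UEFI/BIOS loader mismatch apart from a Secure Boot block.
# The first argument of each check is a filesystem root ("" for the live system),
# so the checks can also run against a constructed directory tree.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable namespace

# "uefi" if the running kernel was started through UEFI firmware, else "bios".
# A live image booted through a BIOS compatibility mode reports "bios".
boot_mode() {
    if [ -d "${1:-}/sys/firmware/efi" ]; then echo uefi; else echo bios; fi
}

# enabled / disabled / unsupported. An efivarfs file holds 4 attribute bytes
# followed by the variable data; SecureBoot carries a single data byte.
secure_boot_state() {
    var="${1:-}/sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    [ -r "$var" ] || { echo unsupported; return; }
    byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unsupported ;;
    esac
}

# "yes" if a mounted or extracted install image carries a removable-media UEFI
# loader (EFI/BOOT/BOOT*.EFI, matched case-insensitively), else "no".
media_has_uefi_loader() {
    found=$(find "$1" -maxdepth 3 -ipath '*/efi/boot/boot*.efi' 2>/dev/null | head -n 1)
    if [ -n "$found" ]; then echo yes; else echo no; fi
}

# One-line diagnosis. Usage on a live system: diagnose "" /path/to/mounted/iso
diagnose() {
    mode=$(boot_mode "$1"); sb=$(secure_boot_state "$1"); media=$(media_has_uefi_loader "$2")
    if [ "$mode" = uefi ] && [ "$media" = no ]; then
        echo "loader-mismatch: UEFI firmware, media has no UEFI loader"
    elif [ "$sb" = enabled ]; then
        echo "secure-boot: enforcement is on, loader must be signed by a trusted key"
    else
        echo "no-firmware-block: mode=$mode secure_boot=$sb uefi_media=$media"
    fi
}
```

A "loader-mismatch" result corresponds to the i386 ISO case discussed above; only a "secure-boot" result points at key management in the firmware.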