  1. #1
    SovietRussia

    [News] UEFI and Secure Boot - The Linux users are not happy!

    Looks like the Linux users are uprising against MS due to the fact that UEFI and Secure Boot are hard to turn off.

    Discuss!

    BBC News - Microsoft faces European open software probe

  2. #2
    jamesfed
    A few clicks in the UEFI settings on most PCs? What on earth are they on about!

  3. #3
    SovietRussia
    Quote Originally Posted by jamesfed View Post
    A few clicks in the UEFI settings on most PCs? What on earth are they on about!
    That's what we do when installing Win 7, turn UEFI to Legacy and turn off Secure Boot!

  4. Thanks to SovietRussia from:

    jamesfed (26th March 2013)

  5. #4

    Michael
    You have to admit though, the first time I came across this I did have a head scratching moment... so I would agree, it does make it more difficult to downgrade Windows 8 or install a new OS altogether. Just think from a customer point of view - they buy a computer with Win 8, decide they don't like it and wish to downgrade. If instructions were provided it wouldn't be so bad - it's just UEFI is being kept very secret.

    I'm not entirely sure how or why UEFI makes computer users more secure as it's supposed to replace any standard BIOS. Although some BIOSes have been hacked or modified, it's generally pretty rare as the code is relatively simple.

  6. #5
    jamesfed
    Quote Originally Posted by Michael View Post
    You have to admit though, the first time I came across this I did have a head scratching moment... so I would agree, it does make it more difficult to downgrade Windows 8 or install a new OS altogether. Just think from a customer point of view - they buy a computer with Win 8, decide they don't like it and wish to downgrade. If instructions were provided it wouldn't be so bad - it's just UEFI is being kept very secret.

    I'm not entirely sure how or why UEFI makes computer users more secure as it's supposed to replace any standard BIOS. Although some BIOSes have been hacked or modified, it's generally pretty rare as the code is relatively simple.
    You might expect though that users who know how to downgrade their OS to something else would be tech savvy enough to turn off something that's pretty easy in UEFI.

    Secure boot makes things safer by making sure that no malware interferes with the boot process.

  7. #6

    jinnantonnixx
    Let's see what Linus himself has to say...
    So here's what I would suggest, and it is based on REAL SECURITY and
    on PUTTING THE USER FIRST instead of your continual "let's please
    microsoft by doing idiotic crap" approach.

    So instead of pleasing microsoft, try to see how we can add real security:

    - a distro should sign its own modules AND NOTHING ELSE by default.
    And it damn well shouldn't allow any other modules to be loaded at all
    by default, because why the **** should it? And what the hell should a
    microsoft signature have to do with *anything*?

    ....
    'Re: [GIT PULL] Load keys from signed PE binaries' - MARC

  8. #7

    Michael
    Quote Originally Posted by jamesfed View Post
    You might expect though that users who know how to downgrade their OS to something else would be tech savvy enough to turn off something that's pretty easy in UEFI.

    Secure boot makes things safer by making sure that no malware interferes with the boot process.
    The thing is, virus or malware writers don't wish to destroy or shut down your PC. They want to harness its power and the gullibility of the end user to part with their cash to 'fix' the problem. UEFI is pointless in my opinion and I have to agree with Linus's quote - why is a generic piece of hardware being controlled by a Microsoft signature?

  9. #8
    jamesfed
    Quote Originally Posted by Michael View Post
    The thing is, virus or malware writers don't wish to destroy or shut down your PC. They want to harness its power and the gullibility of the end user to part with their cash to 'fix' the problem. UEFI is pointless in my opinion and I have to agree with Linus's quote - why is a generic piece of hardware being controlled by a Microsoft signature?
    All the same it's an attack vector... might as well close off as many of the vectors as possible; just because it's the boot process it doesn't mean that it can't be a route to turn your PC into part of a botnet.

    Either way the argument is null and void - just turn off Secure Boot.

  10. #9

    Geoff
    Yes but hardware manufacturers are incapable of writing a system BIOS that can't be bypassed like a Christmas tree because it's full of holes. See jailbroken iPhones, chipped consoles, etc. for example. The whole premise of Secure Boot is flawed and will not work as advertised.

  11. #10


    Case in point being Samsung's implementation: AnandTech | Samsung Laptops Bricked by Booting Linux Using UEFI
    and some manufacturers don't even allow UEFI to be turned off.

  12. #11

    SYNACK
    Quote Originally Posted by Michael View Post
    UEFI is pointless in my opinion and I have to agree with Linus's quote - why is a generic piece of hardware being controlled by a Microsoft signature?
    UEFI makes booting much quicker and more reliable (easier to diagnose faults) and Secure Boot does help prevent rootkits, which are nasty and affect everything along with being stupidly difficult to detect and root out with virtualisation on. This is a step towards actually combating that and I would think that people would be happy with the faster boots and more secure end result.

    As to Linus, Wahhhh, waaahhhhhh, wahhhh. There is nothing stopping the individual distributions going to the motherboard vendors and getting certs and signing to implement this; it is just that there are eleventymillion distributions and plenty of vendors so the overhead would be a nightmare. MS has offered (as the one pushing newer tech and better security to this hardware) to act as an intermediary so that Linux can share in the benefits. For this they get whined at by the quintessential angryman.

    If you don't like it, don't use Secure Boot and be more vulnerable to rootkits and add an extra few seconds to every boot. If the hardware does not support it (no Secure Boot off) then don't buy that hardware. Not every bit of hardware has to boot Linux with full compatibility unless they are willing to do the work to make it work. Where is Linus's monologue on Intel's new BGA chips? Those are probably more of a threat to the universality of certain software; the new Atom chips actually said something about not supporting Linux too.

    EFI is better, it is not new either, Intel made it around a decade ago and Apple has been using it for years. It has taken MS fully supporting it to push it into everything and get the vendors to move on.

    This is the same as SATA and all the whining that went on about having to switch it off to use old stuff with the new tech without installing the proper drivers. If you want to use the new stuff, work with a platform that can actually support it. If you have to jump through a few hoops to make it work, that is because your platform of choice does not support it properly. You choose the platform and so having to do the extra fighting is your choice to degrade the technology.

  13. 2 Thanks to SYNACK:

    Arthur (27th March 2013), jamesfed (27th March 2013)

  14. #12


    Quote Originally Posted by SovietRussia View Post
    Looks like the Linux users are uprising against MS due to the fact that UEFI and Secure Boot are hard to turn off.
    Have they not heard of the Verified Boot feature on Chrome OS devices? Oh wait, it's okay because Google designed it and not Microsoft.



    Quote Originally Posted by Michael View Post
    UEFI is pointless in my opinion
    UEFI is not the same thing as Secure Boot. My Sandy-Bridge-based PC has a UEFI BIOS, but the motherboard lacks the Secure Boot feature. UEFI is definitely a good thing.

    Quote Originally Posted by Michael View Post
    I have to agree with Linus's quote - why is a generic piece of hardware being controlled by a Microsoft signature?
    I wonder what Linus has to say about locked down iPads, iPhones and Android smartphones/tablets with locked bootloaders that can't be unlocked? Are these fine because 99% of users generally don't install different operating systems on them? Is Richard Stallman the only person who cares?

    Quote Originally Posted by Michael View Post
    The thing is, virus or malware writers don't wish to destroy or shut down your PC.
    Have you heard of the TDL-4 (Alureon) bootkit? This creates its own hidden partition on your hard drive so that it persists across OS re-installs. Ordinary users wouldn't have a clue how to use GParted to remove it.

    Also, what would you do if you came across a PC that had a rootkit hidden inside the BIOS? Throw the computer in the bin?

    Quote Originally Posted by CyberNerd View Post
    Case in point being Samsung's implementation
    Samsung are awful at writing software. The Galaxy S3 bricks itself too.

  15. Thanks to Arthur from:

    Netman (27th March 2013)
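
Added example, not part of any post in this thread: the distinction drawn above between UEFI and Secure Boot can be checked on a running Linux system. The sketch assumes efivarfs is mounted at `/sys/firmware/efi/efivars`; the function names and the sample trees are constructed for illustration.

```python
import os
import tempfile

# EFI global-variable GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def read_efi_byte(efivars_dir, name):
    """Return a 1-byte EFI global variable's value, or None if it is absent."""
    try:
        with open(os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL}"), "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    # efivarfs prefixes the data with a 4-byte attributes field.
    if len(raw) != 5:
        raise ValueError(f"{name}: expected 5 bytes, got {len(raw)}")
    return raw[4]

def boot_state(efi_root="/sys/firmware/efi"):
    """Classify how the running system was booted."""
    if not os.path.isdir(efi_root):
        return "legacy BIOS/CSM boot"
    efivars = os.path.join(efi_root, "efivars")
    secure = read_efi_byte(efivars, "SecureBoot")
    if secure is None:
        return "UEFI boot, no SecureBoot variable exposed"
    if read_efi_byte(efivars, "SetupMode") == 1:
        return "UEFI boot, Secure Boot in setup mode (no platform key)"
    return "UEFI boot, Secure Boot " + ("enabled" if secure == 1 else "disabled")

def make_sample(root, variables):
    """Write a constructed efivarfs-style tree (sample data, not a real dump)."""
    efivars = os.path.join(root, "efivars")
    os.makedirs(efivars)
    for name, value in variables.items():
        with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write(b"\x06\x00\x00\x00" + bytes([value]))
    return root

if __name__ == "__main__":
    print("this machine:", boot_state())
    with tempfile.TemporaryDirectory() as tmp:
        cases = {"uefi-only": {}, "sb-on": {"SecureBoot": 1, "SetupMode": 0},
                 "sb-off": {"SecureBoot": 0, "SetupMode": 0}}
        for label, variables in cases.items():
            print(label, "->", boot_state(make_sample(os.path.join(tmp, label), variables)))
```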

  16. #13

    Michael
    You're right, UEFI replaces the BIOS, but Secure Boot is a protocol so they're sort of one and the same working together. If it was just UEFI then that wouldn't be so bad; however, it's only later versions that have introduced Secure Boot requiring a digital signature. As I say, I still think it's something that's not really needed as virus or malware writers want to use your system as a host. It's only in extreme cases where someone wants to take an organisation down by targeting its servers. Any decent server setup also has managed firewalls and/or proxies in front of it. Why don't these have Secure Boot also?

    Clearly the idea of Secure Boot needs re-thinking as users should be able to install any OS of their choosing. If the only method is to switch it off then I'm afraid it completely defeats the purpose of Secure Boot. You could also argue the fact that it can be switched off is also a potential entry for malware or virus writers.

  17. #14


    UEFI faster?? Ever tried to boot an HS22 in a hurry?

  18. #15


    Quote Originally Posted by Michael View Post
    I still think it's something that's not really needed as virus or malware writers want to use your system as a host.
    The following article is worth a read (it's on a Red Hat developer's blog)...

    Some things you may have heard about Secure Boot which aren't entirely true

    Quote Originally Posted by Michael View Post
    Clearly the idea of Secure Boot needs re-thinking as users should be able to install any OS of their choosing.
    You can already install Ubuntu with Secure Boot switched on. It's only a matter of time before others follow suit.

    Ubuntu 12.10 is the first Ubuntu release to support UEFI Secure Boot, a standard for controlling what software can be run on a computer. Supporting Secure Boot, a part of the Windows 8 certification requirements for client systems, ensures that Ubuntu will continue to provide an "it just works" experience on new hardware.

    Due to time pressures, only some flavors released with 12.10 will install and boot on Secure Boot hardware:

    • Ubuntu desktop
    • Ubuntu server
    • Edubuntu

    We expect to enable all other flavors in 13.04. (Source)
