Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

FreeBSD Team Begins Work On Booting On UEFI-Enabled Systems

timothy posted 1 year,23 days | from the is-a-shim-a-shame? dept.

Microsoft 248

An anonymous reader writes "The FreeBSD project has begun the process of making it possible for the operating system to run alongside Windows 8 on a computer which has secure boot enabled." Linux distros have taken to using a minimal loader, signed by Microsoft, to enable booting on UEFI systems with secure boot. "Indeed we will likely take the Linux shim loader, put our own key in it, and then ask Microsoft to sign it," says developer Marshall McKusick in the linked IT Wire article. "Since Microsoft will have already vetted the shim loader code, we hope that there will be little trouble getting them to sign our version for us."

cancel ×

248 comments

why bother? (-1, Troll)

Anonymous Coward | 1 year,23 days | (#44151277)

Surely both people who still run BSD on the desktop could just buy another machine

Re:why bother? (0)

Chrisq (894406) | 1 year,23 days | (#44151653)

Surely both people who still run BSD on the desktop could just buy another machine

They could in theory, but they can't agree on the definition of "open hardware" and are unlikely to resolve this in the near future.

HAPPY 4th OF JULY CANADA !! (-1)

Anonymous Coward | 1 year,23 days | (#44151279)

Welcome to the land of the free with PRISM glasses !! You are a part of this great thing !!

deepthroat (-1)

Anonymous Coward | 1 year,23 days | (#44151281)

stop deepthroating microsoft

Well I'll be... (3, Informative)

fustakrakich (1673220) | 1 year,23 days | (#44151299)

I did not know Microsoft won that battle.

Re:Well I'll be... (3, Funny)

kthreadd (1558445) | 1 year,23 days | (#44151309)

Won what battle? There is no battle. They just managed to get their key into the hardware manufacturers and happen to conveniently sell access to that. Nothing stops anyone else from doing the same.

Re:Well I'll be... (3, Insightful)

Anonymous Coward | 1 year,23 days | (#44151333)

Hahahahaha. The rich and poor are equally prohibited from sleeping under bridges... Free-market ideology induced brain damage at its best. Or was this sarcasm? Then I am sorry.

Re:Well I'll be... (1)

kthreadd (1558445) | 1 year,23 days | (#44151371)

Well that's how the CA business work; just that in this case it's about hardware manufacturers, not browser/OS vendors. I don't think it's a good idea from a security perspective since it trusts things by default, and can have really bad consequences when a CA is compromised. But that's how it work for now.

Re:Well I'll be... (-1, Offtopic)

Anonymous Coward | 1 year,23 days | (#44151401)

What are you? Regardless of your answer, I'll tell you what I am: I'm a Binger. In the past, I was skeptical of people who claimed that Bing is superior in every way to Google, but after I used Bing to search for the then-next week's winning lottery ticket numbers and emerged as a millionaire, I became a rabid Binger.

I think you'd become a Binger like me if you just gave Bing a try. Don't believe me? Bing it on! [bingiton.com]

Re:Well I'll be... (-1)

Anonymous Coward | 1 year,23 days | (#44151439)

Can I perhaps suggest you bods at /. write a script to automagically delete any crap comments with the word "bing" in it?

Re:Well I'll be... (-1)

Anonymous Coward | 1 year,23 days | (#44151611)

Of course you can suggest whatever you want. Just don't expect them to do something which is impossible to do (well, at least until strong AI is developed).

Re:Well I'll be... (0)

gigaherz (2653757) | 1 year,23 days | (#44151625)

I don't think you need strong AI to make a script that goes "if content contains "bing", mark for deletion", although it may have a few false positives.

Re:Well I'll be... (-1)

Anonymous Coward | 1 year,22 days | (#44151789)

I'm a banger, which is also not bad.

Re:Well I'll be... (0)

Anonymous Coward | 1 year,23 days | (#44151523)

Well that's how the CA business work; just that in this case it's about hardware manufacturers, not browser/OS vendors. I don't think it's a good idea from a security perspective since it trusts things by default, and can have really bad consequences when a CA is compromised. But that's how it work for now.

I wish everyone understood this point. It is very important.

If someone with physical access to the machine (you!) could (had to) set what signing keys it accepted in the TPM, this would be great tech.

Re:Well I'll be... (1)

mrbluejello (189775) | 1 year,23 days | (#44151339)

As soon as you can push through 10 million units of PC sales through an OEM with your OS pre-installed, you can stop having Microsoft sign your shim and deal directly with the OEM.

Re:Well I'll be... (-1)

Anonymous Coward | 1 year,23 days | (#44151411)

Which isn't going to happen because geeks don't give a shit...

Cheap ass bastards won't pay for hardware that works. They'll pay for crap that performs better and doesn't respect there freedom though.

Re:Well I'll be... (1)

smash (1351) | 1 year,22 days | (#44151953)

Geeks can just install their own keys.

Re:Well I'll be... (1)

gtirloni (1531285) | 1 year,22 days | (#44151837)

How much is M$ charging for access to that?

Re:Well I'll be... (1)

kthreadd (1558445) | 1 year,22 days | (#44152125)

$99

Re:Well I'll be... (1)

gl4ss (559668) | 1 year,23 days | (#44151311)

I did not know Microsoft won that battle.

well.. won and won.. they kind of lost if they had to start accepting shim loaders. kind of defeats the whole point.

Re:Well I'll be... (-1, Troll)

kthreadd (1558445) | 1 year,23 days | (#44151341)

No it defeats no point, and Microsoft is free to accept or deny just about anything. Properly implemented secure boot increases your security by letting you decide what the machine should boot and prevent it from booting unknown or potentially malware infected operating system. That is a good feature. It has nothing to do with preventing competition.

Re:Well I'll be... (4, Informative)

icebike (68054) | 1 year,23 days | (#44151383)

No it defeats no point, and Microsoft is free to accept or deny just about anything. Properly implemented secure boot increases your security by letting you decide what the machine should boot and prevent it from booting unknown or potentially malware infected operating system. That is a good feature. It has nothing to do with preventing competition.

Deciding that one, and only one company can sign shims, can't be considered anything but anticompetitive.

Then, forcing that company to sign boot shims from Linux and FreeBsd to avoid illegal restraint of trade charges, pretty well eliminates any benefit the plan might have had. Is Microsoft going to sign every backroom version of Linux and every clone of FreeBsd, ot did the just pare down the competition teo a few major distros?

Re:Well I'll be... (4, Insightful)

recoiledsnake (879048) | 1 year,23 days | (#44151403)

You could start a signing company now, and if people trust you, they will add your keys, and you may even get traction from the OEMs. Nothing in secure boot prevents that except that no one wants to create a signing organization because they don't want to be bothered. In face Secure Boot MS Spec requires OEMs to enable users to add their own keys or even remove Microsoft's if they don't trust it.

Re:Well I'll be... (3, Insightful)

Anonymous Coward | 1 year,23 days | (#44151463)

And whoops, you just lost your license to distribute OEM Windows copies. How unfortunate. But that would never ever happen, right?

Re:Well I'll be... (1)

gigaherz (2653757) | 1 year,23 days | (#44151643)

It's not about the license: if you don't trust Microsoft's key, then you can't possibly trust Windows 8. It doesn't matter if you buy OEM licenses, they won't boot!

Re:Well I'll be... (0)

Anonymous Coward | 1 year,23 days | (#44151655)

Windows 8 doesn't require secure boot.

Re:Well I'll be... (5, Insightful)

Rockoon (1252108) | 1 year,22 days | (#44151749)

you just lost your license to distribute OEM Windows copies.

No you didn't...

..you just lost Windows Certification.

Another way to lose Windows Certification is not allowing the end user to disable Secure Boot.

In other words, Windows Certification actually protects your rights.

Re:Well I'll be... (2)

nukenerd (172703) | 1 year,22 days | (#44151863)

[AC wrote] you just lost your license to distribute OEM Windows copies.

[Rockoon wrote] No you didn't... ..you just lost Windows Certification.

Amounts to the same thing. With the exception of a tiny niche market, OEMs cannot make a living by selling PCs without Windows at its bulk discounted price, nor without a Windows certification sticker on it. While it would not bother me, Joe Public just won't buy a PC unless they see "Designed for Windows" on it.. Withdrawing either of those priviledges are weapons Microsoft has to control the market.

Re:Well I'll be... (2)

Rockoon (1252108) | 1 year,22 days | (#44152119)

OEMs cannot make a living by selling PCs without Windows at its bulk discounted price, nor without a Windows certification sticker on it.

The only consumers that care about Windows Certification are enterprise customers...

Seriously.. do you think your grandmother makes sure that the laptop has Windows Certification before she buys it?

Translation: You really havent thought about this at all, but have just jumped at a shallow poorly considered excuse to hate at Microsoft again.

Re:Well I'll be... (1)

nukenerd (172703) | 1 year,22 days | (#44152185)

OEMs cannot make a living by selling PCs without Windows at its bulk discounted price, nor without a Windows certification sticker on it.

The only consumers that care about Windows Certification are enterprise customers... Seriously.. do you think your grandmother makes sure that the laptop has Windows Certification before she buys it?

Yes. Possible scene in PCWorld :-

Grandmother/JoePublic : "Nice colour, but does it run Windows?"

Salesman : "Of course it does madam/sir, they all do!"

GM/JP : "So why doesnt it have that 'Designed for Windows' sticker on it like those others do?"

Salesman : "Just a detail madam/sir, Microsoft are very strict, just one minor thing, nothing to worry ..."

GM/JP : "Not sure about that then"

Salesman : "You mentioned those others, that's a nice one over there ...."

Re:Well I'll be... (2)

devent (1627873) | 1 year,22 days | (#44152097)

> In other words, Windows Certification actually protects your rights.

Only because it's currently in Microsoft's interests.
And that come from the anri-competition fines from the EU.

So you should thank the European Commission.
http://en.wikipedia.org/wiki/European_Union_Microsoft_competition_case [wikipedia.org]

Re:Well I'll be... (1)

kthreadd (1558445) | 1 year,23 days | (#44151405)

It is completely up to the hardware manufacturers which keys they want to preinstall. My preference would be none, and let the user install it. Here Microsoft acts as a CA, just like any other CA do. Anyone else can sign, but Microsoft was one of the few with the operation in place to go out and deal with many of the vendors.

pardon me but the shim.. (1)

gl4ss (559668) | 1 year,22 days | (#44151933)

pardon me but, can't you pretty much boot anything with the shim? thus defeating the purpose.

from what I can see freebsd could just use the linux shim as well. which is what makes i a shim, that there is no necessity to sign with microsoft everything you boot.

http://mjg59.dreamwidth.org/20303.html [dreamwidth.org]

Re:Well I'll be... (0)

Anonymous Coward | 1 year,23 days | (#44151505)

In that respect, secure boot does not provide any more security than turning off booting from external devices and setting a BIOS password. But boot virii/malware are not very common anyway. For everything else: An exploitable OS/browser/mail client is still exploitable even when signed by somebody. This bullshit is all about control and has not much to do with security.

Re:Well I'll be... (1)

kthreadd (1558445) | 1 year,23 days | (#44151517)

Well it works more or less the same as the https thing in the web browser. Everything is exploitable, but properly managed can at least minimize the risk.

Re:Well I'll be... (1, Troll)

ldobehardcore (1738858) | 1 year,22 days | (#44151813)

Too bad the user can't manage his own hardware now. We're at the mercy of the mobo manufacturers, as they decide who's keys are trusted by default (ie microsoft ONLY). If I have to go to microsoft in order to be allowed to boot BSD on my own motherboard, then my property rights are being violated. I'm not leasing or borrowing my mobo, I've bought it. That means nobody else has a right to tell me I can't do whatever I want with it (within legal limits).
The only feature of UEFI so far is to wrest control from the actual owner of the hardware. This is just as bad as DRM. Nobody woke up this morning and said to themselves "I wish I could buy a desktop computer that let me do less with it than my current machine." Nobody goes to iTunes thinking "I wish I could buy a song that plays on fewer devices than what I have" and nobody thinks "I wish I could buy a movie that plays on my cellphone, but I sure would be pissed if it could play on my TV, Kindle and laptop too"

UEFI so far is only a bad thing. I currently own a motherboard that claims to have "dual uefi" whatever that means, and I still can't disable secureboot even with a manual. That's simply not an option. The manufacturers, in collusion with microsoft, have figured out a way of forcing me to use windows 8. I don't want to use windows 8. And my only alternative is counting my current mobo as a loss of $120, and buying either a used mobo (who knows how damaged it is), or a mobo that's been sitting in a warehouse a few years (better than the former, but still iffy. Why are they there in the first place? Why haven't they been sold yet?)

Re:Well I'll be... (2)

aaaaaaargh! (1150173) | 1 year,22 days | (#44151835)

Properly implemented secure boot increases your security by letting you decide what the machine should boot

Exactly. Secure boot is not properly implemented. A proper implementation would allow you to install anything you like after flipping a manual switch.

Re:Well I'll be... (2)

Rockoon (1252108) | 1 year,22 days | (#44152131)

Exactly. Secure boot is not properly implemented.

Its properly implemented. you are just putting an undue amount of weight to the hand wavers that don't really have an argument:

Te get windows certification, the end user must be able to:

a) disable secure boot
b) install their own keys

What extra implementation restriction did you have in mind?

Re:Well I'll be... (1)

Anonymous Coward | 1 year,22 days | (#44152199)

b) install their own keys

Sooo.... Why do the different Linux distributions need to get MS to accept those shims again ? I mean, they do not go that troublesome way for nothing.

Maybe something else further down the road that does not want to cooperate when the MS key is not at its "rightful" place -- and thus making a mockery of that above rule ?

Re:Well I'll be... (1)

gl4ss (559668) | 1 year,22 days | (#44151941)

can ms revoke the signing on the shim that you can use to boot arbitrary code you want?

this is what I was referring as defeating the whole point.

Re:Well I'll be... (1)

Rockoon (1252108) | 1 year,22 days | (#44152141)

You seem to be under the impression that the keys are tested vs a remote certificate authority during bootup.

In other words, you do not seem to actually understand very much. The certificate authority is UEFI, not some server on the internet.

Re:Well I'll be... (2)

SuricouRaven (1897204) | 1 year,23 days | (#44151539)

For now.

They dont 'have' to accept shim loaders. They are doing so for now, to minimise the backlash. There's no assurance they'll continue to do so in future, or (more likely) that they won't start imposing onerous requirements in the name of 'security' like mandating that any qualifying bootloader be incapable of loading an OS that allows unsigned drivers.

Re:Well I'll be... (0)

Anonymous Coward | 1 year,23 days | (#44151375)

What "battle"? PC x86 motherboards are designed to Microsoft's specification to run Windows and have been since IBM lost control of the PC standard. Free OSes just piggybacked on cheap x86 motherboards to take off. Ancient history.

If MS wants to change their standards and the OEMs agree, nobody else has any say in the matter. (Ooh, let's watch the libertarians here break out in hives.)

Re:Well I'll be... (1)

AK Marc (707885) | 1 year,23 days | (#44151453)

If MS wants to change their standards and the OEMs agree, nobody else has any say in the matter. (Ooh, let's watch the libertarians here break out in hives.)

I thought companies bullying the consumer with anti-competitive behavior was "freedom" and supported by the Slashdot libertarians.

Why not promote motherboard manufacturers (1, Interesting)

future assassin (639396) | 1 year,23 days | (#44151305)

who dont have or build motherboards that can disable EUFI. Seems to me like there's a great market for non EUFI mother boards that can target Linux/Unix users.

Re:Why not promote motherboard manufacturers (1)

kthreadd (1558445) | 1 year,23 days | (#44151321)

Well you can just turn the feature off, if your board has it and it happens to be turned on.

Re:Why not promote motherboard manufacturers (1)

rmdashrf (1338183) | 1 year,23 days | (#44151509)

For now, anyway.

Re:Why not promote motherboard manufacturers (1)

Anonymous Coward | 1 year,22 days | (#44151795)

You're not the first one to make that claim. However, none of those making the claim have ever explained how to do so.

I've tried google. It tells me I need to enter UEFI setup. They don't, however, explain how to do that. I tried F1, F2, ESC, DEL, but no.

I then tried to google how to enter UEFI setup. Guess what. Everybody explaining how to do that assume that you want to run Windows 8. In Windows 8, it's hidden under shutdown settings in control panel, or something like that.

So, theoretically you might be able to turn off secure boot, if you've already bought Windows 8, but then why would you want to turn it off?

Re:Why not promote motherboard manufacturers (-1)

Anonymous Coward | 1 year,22 days | (#44151845)

1.1m results should help you here: https://www.google.ru/search?q=how+to+turn+off+UEFI [google.ru]

Re:Why not promote motherboard manufacturers (1, Informative)

ldobehardcore (1738858) | 1 year,22 days | (#44151857)

Try all the F# Keys. It might take a while, as they might have set the pause for FKeys to be something braindead stupid like 1/3rd of a second or some bullshit like that. so try all of them: F1 Through F12. If none of them work, and neither Delete nor Escape, nor the Space Bar works, then I gotta say you've wasted your money.

Although, there might be a jumper on the mobo (literally a couple of prongs bridged with a piece of plastic holding some foil) that you can break and refit that can reset your bios so it'll tell you what buttons to push.

Also, try unplugging your HDD and see what the error screen says. It may tell you what to hit on startup in order to get to your UEFI/BIOS.

Re:Why not promote motherboard manufacturers (1)

Tyr07 (2300912) | 1 year,23 days | (#44151377)

Linux is often blessed with security when properly setup. Continuing on that path involves being part of UEFI. The reason they want it to be signed is so they can operate on secure systems that do not allow access to the bios to simply disable UEFI and boot any OS on that system.

Conceptually would be for secure locations that normal PC access is restricted, and do not want uncontrolled software booted to bypass their existing OS security, gaining access to the network and so fourth.
It's more obvious if someone tried to sneak in a PC versus a bootable USB key. (Yes I know there's some very small ones, but please, stick with the conceptualized idea)

Re:Why not promote motherboard manufacturers (5, Insightful)

Anonymous Coward | 1 year,23 days | (#44151473)

Conceptually, if the user has access physical access to the computer and the ability to plug shit in, your security is already gone.

Conceptually, 99.99% of computer users don't even need this kind of security in the first place, so why is it being forced on 100% of the new computers?

Conceptually UEFI won't stop a single virus which 100% of computer users face daily, and that IS a problem.

UEFI serves one and only one purpose. It makes it 'easier' to just continue using Windows and more difficult to use any other system.

Linux doesn't need UEFI. Nobody needs UEFI.

Stopped shilling lipstick on a pig.

Re:Why not promote motherboard manufacturers (1)

UltraZelda64 (2309504) | 1 year,23 days | (#44151689)

Replace "UEFI" with "Secure Boot" (there is a difference... EFI alone is not a major problem) and I agree 100% with you. While I'm not so sure UEFI is much better than the BIOS aside from a few limits lifted, the real problem is Microsoft's Secure Boot, which is an optional part of UEFI and being forced onto all ARM machines (thanks dicks, I mean Microsoft). Eventually, it will probably make its way to anything else Windows touches with no way to turn it off (x86?).

Re:Why not promote motherboard manufacturers (0)

Anonymous Coward | 1 year,22 days | (#44151849)

the real problem is Microsoft's Secure Boot, which is an optional part of UEFI and being forced onto all ARM machines

I didn't know Microsoft had that much control over how Apple and Samsung build their devices!
Seriously, most ARM based devices have locked bootloaders.
The only reason Linux supporters have got their knickers in a twist is because they thought Windows on ARM meant they were going to get a number of devices that Linux could be installed on in the same way that it can on PCs.

Re:Why not promote motherboard manufacturers (0)

Anonymous Coward | 1 year,22 days | (#44152189)

except these imaginary mistaken purchases never happened. only the vendetta lives on until paid in MS blood!

Re:Why not promote motherboard manufacturers (2)

KingMotley (944240) | 1 year,22 days | (#44152177)

Nobody needs UEFI

That's bullshit. I need UEFI. BIOS only allows a very limited set of space (384K) for hardware device BIOSes. I've hit that limit, as does most server admins because high performance devices use that space up very quickly. There is numerous other advantages to UEFI, but you'd need to take off your tin foil hat and actually learn about it for you to understand it. That or build a server. Then you'll be crying about why stuff doesn't work and how stupid BIOS really is and why there isn't something better out there.

Re:Why not promote motherboard manufacturers (1)

aaaaaaargh! (1150173) | 1 year,22 days | (#44151855)

Conceptually would be for secure locations that normal PC access is restricted, and do not want uncontrolled software booted to bypass their existing OS security, gaining access to the network and so fourth.

Well, good luck with your rescue CD if it doesn't boot!

Conceptually, the purpose of secure boot is to keep unwanted operating system software secure from the user (rather than keeping the user safe from malicious software) and preserve a quasi-monopoly for Microsoft. Hopfeully, there will be EU rulings that prohibit current practise.

Re:Why not promote motherboard manufacturers (5, Interesting)

Arker (91948) | 1 year,23 days | (#44151397)

It's UEFI, the Unified Extensible Firmware interface. EUFI is ExtraUterine Fetal Incubation. Very different things.

The motherboards they are shipping now have a simple disable. So there is no immediate fear of being unable to run Linux on the things. BUT you have to go in and disable it in BIOS which is just completely over the head of most computer users these days. You dont have to make it impossible to deter most people from using it, just a tiny hurdle will divert the herd.

Right now they are signing the certificates without a problem. But what will they do in a year or five or a decade? Building a business that relies on getting certs signed by MS doesnt seem wise long term. Of course no one thinks long term anymore... a small change in the law here, an easily fabricated incident using a signed bootloader to compromise a business there, and they could easily revoke these keys.

The other problem is that UEFI is actually really cool tech, we dont want to get rid of it. We want to be able to use it. I should be able to install my own key on my own motherboard so it will only load code that I sign personally. Rather than simply trusting MicroSoft or turning off a great security component that I already paid for and theoretically own.

Re:Why not promote motherboard manufacturers (1)

Anonymous Coward | 1 year,23 days | (#44151479)

UEFI is actually really cool tech, we dont want to get rid of it.

Yes, yes we do. And once it's gone we want to get rid of all the idiots who thought it was really cool tech so it doesn't happen again.

Re:Why not promote motherboard manufacturers (1)

lister king of smeg (2481612) | 1 year,23 days | (#44151585)

no we want to get ridnof secure boot. uefi lets you boot to a harddrive over 3 Tb in size. I wish coreboot was more developed.

Re:Why not promote motherboard manufacturers (1)

gigaherz (2653757) | 1 year,23 days | (#44151681)

Let me rewrite that for you:

No, we want to Secure Boot to be strictly opt-in. UEFI on its own brings many good advantages over the ancient 16-bit BIOS boot process, that we DO want to keep. Just because someone put a lock in it and didn't give you the key doesn't make the existing technology bad.

Re:Why not promote motherboard manufacturers (1)

smash (1351) | 1 year,22 days | (#44151961)

No, i'd like to be able to determine what gets to boot on my machine, thanks. i.e., i want secure boot and i want to have the facility to securely install my own keys.

Re:Why not promote motherboard manufacturers (1)

devent (1627873) | 1 year,22 days | (#44152109)

I do. I am not find UEFI a "cool tech". I find UEFI the same as the old BIOS: totally useless.
When a computer starts it should just bring up the very basic stuff and then handle the boot process to the Operating System. Nothing more. The computer should stay in a state of the BIOS for about 500ms (the quicker the better) after that the Kernel of the System takes over.

Please tell me what I get with UEFI what the current Linux Kernel does not offer.

Re:Why not promote motherboard manufacturers (4, Informative)

SuricouRaven (1897204) | 1 year,22 days | (#44151939)

Just to clarify: UEFI is not the problem. It's just a replacement for the old BIOS system which addresses the decades of accumulated legacy bodging that is the PC. Secure Boot is a feature that UEFI enables. You can have UEFI without Secure Boot.

Re:Why not promote motherboard manufacturers (1)

devent (1627873) | 1 year,22 days | (#44152127)

Or you can have a BIOS that addresses the decades of accumulated legacy bodging that is the PC, without UEFI.
Just put a BIOS that removes all the old cruft of the old BIOS, adds some new features, but is totally minimalistic.

Because in 10 or 20 years UEFI will be like the old BIOS. It will do totally old stuff that nobody wants, and it will not allow new stuff, because of the same reasons of the that the old BIOS have.

The only remedy is to have a totally minimalistic BIOS that puts control as fast as possible to the System kernel.
We had "Secure Boot" stuff for Linux for a long time before Secure Boot.
See:
https://fedoraproject.org/wiki/Tboot [fedoraproject.org]
http://sourceforge.net/projects/tboot/ [sourceforge.net]

haven't (1)

marienf (140573) | 1 year,23 days | (#44151331)

What we need is boards that are user-rekeyable. That way we can insure that our boards will never run Windows again.

Re:haven't (1)

kthreadd (1558445) | 1 year,23 days | (#44151351)

Absolutely and that's how secure boot is supposed to work all along. Anything else is a bug.

Re:haven't (0)

Anonymous Coward | 1 year,23 days | (#44151429)

Something tells me that Apple won't ship machines locked to Microsoft. This could be a serious uprise for them in the GNU/Linux market.

Re:haven't (1)

SuricouRaven (1897204) | 1 year,23 days | (#44151561)

No, they'll just ship machines carrying both the Microsoft and their own key. Apple are no fans of linux - just look at all the hoops you have to jump through to get it running on the new retina macbook pro. They've never officially supported it, and there's no reason they would.

In the PC area, Apple are dependant upon OSX to be their identity and differentiator. Without OSX, they are just another maker of high-end PCs - and it'd be very hard to sell Apple PCs if they were interchangeable with the one-third-the-price offerings from Dell.

okay, never again run Windows *or* OSX (1)

marienf (140573) | 1 year,22 days | (#44151703)

Don't know where you got the impression that I was somehow favouring Apple hardware, but I stand corrected nevertheless: I should have written "never run any non-free OS, or any code made by someone not truly supporting freedom, in the end".

Re:haven't (5, Insightful)

aaaaaaargh! (1150173) | 1 year,22 days | (#44151957)

Absolutely. Both Apple and Microsoft have long recognized that free operating systems are the biggest threat to their business models. Operating systems do not offer enough ways to stay ahead of competition by innovation, once the basic needs are fulfilled new features become mere gimmicks that might be nice to have but are not essential (see history of OS X).

Both Apple and Microsoft have a well-recorded history of anti-competitive business behavior and have in the past tried by all means to keep the application barrier up. In the 90s Java and Web-browsers were the biggest threats and they successfully averted these by tricky anti-competitive behavior. SCO tried to sue free operating systems out of existence and failed (so far, bogus patent law can change that and new law suits are in the drawer), now GNU/Linux has matured so well that it has become intolerable to Microsoft and Apple. Bear in mind that you can run many Windows programs in Wine already and that GNU/Linux has reached a certain usability threshold putting it roughly on a par with Windows XP in terms of software that end-consumers actually need (and GNU/Linux is much more stable).

The sole and only purpose of the current secure boot specification is to be the entry ticket to completely locked-down machines with completely locked-down whitelisted software that is only runnable and distributable by obtaining a key from Microsoft or Apple respectively and only with their blessings. That's the long-term goal.

The current, more modest goal is to make it hard for end-users to install another OS and hard to set up dual boot systems. Microsoft will then urge (=blackmail) hardware makers to produce more consumer boards that can run only Windows, and Apple will start to make their manufacturers produce OSX-only boards, while at the meantime urging manufacturers to sell more expensive motherboards that are not locked down so they can still claim they allow competition. For Microsoft, this is particularly important, because they need to make money with Windows and the "windows tax" is annoying more and more people. So they want to make sure that a board that runs GNU/Linux or BSD systems is more expensive (a 'pro feature', so to say) than a consumer board that only runs Windows plus the OEM fee for Windows. Microsoft is very desperate to keep their huge share of the dwindling desktop market, because they have already lost the mobile market.

This might all sound exaggerated to you now, but the fact is that these companies plan far more ahead than some people might think.

Re:haven't (1)

DrSkwid (118965) | 1 year,23 days | (#44151541)

I can sell you such insurance if you like.

Hmm... (2)

Mirar (264502) | 1 year,23 days | (#44151391)

...what is the point of secure boot again? Do we still have problems with MBR viruses?

Re:Hmm... (0)

Anonymous Coward | 1 year,23 days | (#44151427)

Yes, there are even a few botnets components out there that patch BIOS level calls nowadays.

Re:Hmm... (5, Informative)

rmdashrf (1338183) | 1 year,23 days | (#44151521)

And that attack vector can completely be negated by having the BIOS read-only by default, while only enabling updates when the user toggles a physical switch when the BIOS needs an update.

Re:Hmm... (1)

Rockoon (1252108) | 1 year,22 days | (#44152175)

And that attack vector can completely be negated by having the BIOS read-only by default, while only enabling updates when the user toggles a physical switch when the BIOS needs an update.

...but isnt the only current valid argument against Secure Boot that "its hard for the average user to either disable it or change keys in a bios setup screen, so its a barrier against them installing Linux/BSD/etc"

..the upshot of this is that the same excuse can be used to undermine the completely logical argument that you have just made, that not only should there be a Secure Boot, but also that nothing shouldnt be able to alter its settings without the user throwing a physical switch...

At the end of the day it IS a barrier to entry into alternative OS's for the casual user, but the validity of this argument doesnt actually negate the benefits of Secure Boot, nor does it address the current reality that more and more often the casual user is buying completely locked down devices that can't ever run Windows....

Re:Hmm... (1)

KingMotley (944240) | 1 year,22 days | (#44152187)

The BIOS calls are intercepted by a little program that gets run off your media device (USB, Hard Disk, CD-ROM, whatever). Setting the BIOS to read only doesn't defeat that.

Re:Hmm... (1)

SuricouRaven (1897204) | 1 year,23 days | (#44151567)

It's supposed to be a protection against bootloader-infecting rootkits. No-one questions that it can do this, but bootloader-infecting rootkits are incredibly rare things to encounter, and given Microsoft's long history of anticompetative business tactics it isn't hard to imagine their ulterior motive for pushing the technology.

Re:Hmm... (1)

Anonymous Coward | 1 year,22 days | (#44152111)

It wont protect it against SIGNED and AUTHORISED root kits.

Windows has been using BSD code for over a decade. (1)

Sadsfae (242195) | 1 year,23 days | (#44151419)

Signing their key is the least Microsoft can do for using large parts of the FeeBSD TCP/IP stack in Windows.
https://lwn.net/Articles/245805/ [lwn.net]

Re:Windows has been using BSD code for over a deca (5, Insightful)

gavron (1300111) | 1 year,23 days | (#44151551)

MS has the LICENSE to use BSD code.

They don't owe BSD anything.

Next time you're thinking of whether to license YOUR code using GPL or using something
that allows MS to use your stuff and give nothing back in return... remember this.

Ehud

Re:Windows has been using BSD code for over a deca (0)

Anonymous Coward | 1 year,23 days | (#44151559)

Why would they give back? You can't fix something that is already perfect.

Re:Windows has been using BSD code for over a deca (0)

Anonymous Coward | 1 year,22 days | (#44151827)

I think OP was talking about an ethical or moral choice.
You're talking about legal dept.
Huge difference.

Re:Windows has been using BSD code for over a deca (1)

SuricouRaven (1897204) | 1 year,22 days | (#44151959)

Social conventions like owed favors do not exist in the world of business. When billions of dollars are at stake, there is no room to be 'nice.' That's why contracts were invented.

Re:Windows has been using BSD code for over a deca (1)

KingMotley (944240) | 1 year,22 days | (#44152195)

Windows doesn't use any of the FreeBSD TCP/IP stack anymore. It did at one time pre-Windows XP, but it was completely rewritten from the ground up prior to Windows XP, but many of the settings (registry settings) remained the same for compatibility.

Loophole (4, Interesting)

Todd Knarr (15451) | 1 year,23 days | (#44151457)

My bet would be that Microsoft refuses to sign the loader, saying that they can only sign if the loader's coded to only load binaries signed by a trusted authority (ie. Microsoft) and that allowing a loader that can load untrusted (ie. unsigned or not signed by Microsoft) binaries compromises the security of the boot process.

Re:Loophole (1)

Anonymous Coward | 1 year,23 days | (#44151501)

They're going to do most signings in the start.

They don't start revoking and closing down their system until everyone uses it. If they refuse FreeBSD now, a lot of people won't go along with this secure boot thing..

Re:Loophole (1)

Anonymous Coward | 1 year,23 days | (#44151537)

This is what they originally intended, but it does look like such actions would be deemed anti-competitive for very good reasons.

Re:Loophole (0)

Anonymous Coward | 1 year,22 days | (#44151799)

Yeah, cuz Microsoft has a history of avoiding anti-competitive behaviour, right?

They have basically tricked the world into giving them an on/ off switch for every computer in the world - they won't use it yet, they will be patient. They have to wait until UEFI motherboards are the norm and most of the older hardware is out of the marketplace. But then they will have the entire planet by the gonads. We're talking James Bond Villain level shit, you really think the threat of a few lawsuits will stop them? They own judges and politicians. OK sure, maybe they'll have to pay a fine or something, but in their view that's more than worth it for (a) a complete OS monopoly on practically all hardware and (b) the power to ransom anybody's PC and data at any time.

Seriously, fuck Microsoft.

Why bother re-signing? (1)

Meneth (872868) | 1 year,23 days | (#44151477)

Can't they just use the already-signed blob?

Re:Why bother re-signing? (1)

SuricouRaven (1897204) | 1 year,23 days | (#44151581)

Microsoft won't sign a blob that can simply load any kernal, because doing so would defeat the purpose of Secure Boot: An attacker could simply load the linux signed loader with their malicious rootkit and use that.

it already does (-1, Flamebait)

ewanm89 (1052822) | 1 year,23 days | (#44151511)

FreeBSD already runs fine on UEFI, just ask Apple who use a modified version of FreeBSD in OSX and all Intel based Macs are UEFI now let's start calling this UEFI secure boot, an optional feature in the UEFI specification.

Re:it already does (2)

kthreadd (1558445) | 1 year,23 days | (#44151533)

Apple uses parts of the FreeBSD user land in OS X, and actual parts that works with the hardware and UEFI is not related to it.

needs a new installer..still (2)

ThorGod (456163) | 1 year,23 days | (#44151557)

I've tried both the newest PC-BSD and bsdinstall installers...and they leave a lot to be desired. :/

Re:needs a new installer..still (1)

Anonymous Coward | 1 year,22 days | (#44151737)

No. Just no.

The installers are fine.

They work on practically every system out there. They install the system. What more do you want? If you need more flexibility then they provide, it's trivial to write your own install script. Unlike most other modern day operating systems, BSD is structured enough that you can wrap your head around the distribution layout in an afternoon.

We do not need some gigantic multi-lingual monster that only works under X.org off a live CD. You can leave that shit to the Linux folks, and if you want to know how that's working out for them just ask all the people who had to deal with the installer Fedora is now shipping with (because some idiots said "Hey, our current installer works just fine, let's replace it!").

Re:needs a new installer..still (-1)

Anonymous Coward | 1 year,22 days | (#44152081)

What more do you want?

I want the FOSS community to GTFU.

Useless EFI (0)

Anonymous Coward | 1 year,22 days | (#44151745)

I don't see much of a problem - it only affects people who wants to dual boot and that is totally last century. Boot Linux and run Windows in a VM.

Re:Useless EFI (4, Insightful)

nukenerd (172703) | 1 year,22 days | (#44151905)

I don't see much of a problem - it only affects people who wants to dual boot and that is totally last century. Boot Linux and run Windows in a VM.

It is not to do with dual boot, it is to do with booting anything at all. This is a motherboard chip feature. Booting from a live CD will be impossible, and even if you wipe your HD, trying to install anything else will be impossible - if Secure Boot is enabled.

You can disable Secure Boot (FTTB, but I suspect MS will hope to clobber even that in the not too distant future), and I will myself. But it will deter people from trying out Linux tentatively and perhaps liking it. That's how I started, and MS hate people doing that.

Microsoft Linux (0)

Anonymous Coward | 1 year,22 days | (#44152101)

Microsoft Linux is the new name for their Xenix OS.

Linux lost the battle.

Roll over doggie.

Thats nice... (-1)

Anonymous Coward | 1 year,22 days | (#44152151)

I agree with u too...
www.vipfuar.com

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...