UEFI Secure Booting - No User-Built Kernels after Win8

Having problems with the Gentoo Handbook? If you're still working your way through it, or just need some info before you start your install, this is the place. All other questions go elsewhere.
19 posts • Page 1 of 1
dch24
Tux's lil' helper
Posts: 99
Joined: Thu Feb 15, 2007 2:27 am

Post by dch24 » Wed Sep 21, 2011 3:11 am

This is just hitting news sites, but I want to know if I need to be careful (in a year or so) which boards I buy.

http://mjg59.dreamwidth.org/5552.html
Here's a short version of what he wrote:
Microsoft requires machines [with] the Windows 8 logo ship with secure boot ... Windows signed with a Microsoft key, and the public part of that key included with all systems.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.

Grub 2 is released under the GPLv3, which explicitly requires the signing keys. ... Making it impossible for users or developers to build their own kernels is not practical.
If anyone has additional info from board manufacturers one way or the other, please reply. I'm on the market for a new motherboard.
GenProm
Tux's lil' helper
Posts: 100
Joined: Thu Aug 18, 2011 6:23 pm
Location: Germany

Post by GenProm » Wed Sep 21, 2011 12:28 pm

Hi

I just bought myself an ASRock 970 Extreme4 AM3+. This will also support the next generation of CPUs (AM3+), so I'm pretty set for the next few years, I guess.

This will have UEFI instead of a BIOS, which troubles me a bit, because I can't find a genuine howto for installing Gentoo on it by hand. Also nobody on the forum seems to have tried one of the new boards with UEFI. Anyhow, my backup plan is to install Ubuntu 11.10 and just override it with Gentoo. I think this could work.

I also find the news very troubling because it will mean Windows dominates the PC market and you can't replace it with *NIX. I guess Apple will sign their products, but as Linux is not in that position it could get pretty bad. But I have hope for Intel; they use Linux a lot and help develop it, so I guess they are interested in getting it working again with the new UEFI.

If everything fails, I guess coreboot will get a massive boost, so we can override the OEM UEFI with coreboot and boot our free OS. This would not be so bad, but it would mean waiting a long time for hardware support...

so long....
Thank you for your help.

Manuel
depontius
Advocate
Posts: 3533
Joined: Wed May 05, 2004 4:06 pm

Post by depontius » Wed Sep 21, 2011 12:54 pm

Please keep us posted on your experiences with the new board and UEFI.
.sigs waste space and bandwidth
Jaglover
Watchman
Posts: 8291
Joined: Sun May 29, 2005 1:57 am
Location: Saint Amant, Acadiana

Post by Jaglover » Wed Sep 21, 2011 1:22 pm

GenProm wrote: If everything fails, i guess coreboot will get a massive boost, so we can override the oem uefi with coreboot and boot our free OS.
Don't count on it. Boards that come with the Trusted Computing Module enabled cannot be used to boot anything but the OEM OS. It is an integral part of the motherboard and cannot be removed.

http://en.wikipedia.org/wiki/Trusted_Computing

Our only hope is that boards for system builders come with this feature disabled.
My Gentoo installation notes.
Please learn how to denote units correctly!
dch24
Tux's lil' helper
Posts: 99
Joined: Thu Feb 15, 2007 2:27 am

Post by dch24 » Wed Sep 21, 2011 2:32 pm

Jaglover wrote: Don't count on it. Boards that come with Trusted Computing Module enabled cannot be used to boot anything but OEM OS. It is integral part of motherboard and cannot be removed.
I'm hopeful that devices like the Wii, PS3, and Xbox show the possibilities of replacing the TC/TPM BIOS.

However, I plan to vote with my dollars. If anyone has contacts at the motherboard manufacturers (especially Asus and Intel) and can post positive confirmation that they will *not* have UEFI "secure boot," or that they will sell the board in an open mode (encryption off by default), you'll get my dollars.

Edit: found an LWN.net article on the subject
geki
Advocate
Posts: 2387
Joined: Thu May 13, 2004 8:59 pm
Location: Germania

Post by geki » Wed Sep 21, 2011 3:01 pm

GenProm wrote: This will have UEFI instead of a bios, which seems to trouble me a bit, cause i cant find a genuine howto how to install gentoo on it by hand. Also nobody seems so to have tried one of the new boards here on the forum with uefi
JFYI, the latest grub2 in the Gentoo repository supports the EFI platform. Format your disk with gptfdisk and it should work. I bought my new hardware two months too early; still with BIOS emulation here :x. See:
http://znurt.org/sys-boot/grub-1.99-r2/useflags
https://wiki.archlinux.org/index.php/So ... DED_METHOD
hear hear
GenProm
Tux's lil' helper
Posts: 100
Joined: Thu Aug 18, 2011 6:23 pm
Location: Germany

Post by GenProm » Wed Sep 21, 2011 10:24 pm

Hi

What do you mean by "you bought your hardware too early"? If it has UEFI you could use it to boot. And if it has BIOS emulation it is even better, I think.... I don't get what you are trying to say. Also the USE flag link is not USEful...
Thank you for your help.

Manuel
geki
Advocate
Posts: 2387
Joined: Thu May 13, 2004 8:59 pm
Location: Germania

Post by geki » Thu Sep 22, 2011 7:06 am

Old way
Back in July, Gentoo's grub2 could not be built with native EFI support. That's it.
That grub2 version could not install to a GPT-formatted HDD, so I formatted the HDD with fdisk again and installed an MBR,
just as in the good ol' way before EFI, ignoring that I had an EFI system.

Just look for grub at znurt.org. ;)
( /me being annoyed that znurt.org links are invalid outside of a session )

New way
Now, AFAICT, you just do USE="grub_platforms_efi-64" emerge grub (version 1.99-r2, as of now), partition your hard disk with gptfdisk, run grub-install <hdd>, and be a happy clean EFI system user.
The only problem left is a live CD/DVD with gptfdisk. I did a rather ugly hack: copying gptfdisk from my old system to a USB stick, and from that to the booted live CD (cached in RAM).

Why too early?
Because I have an EFI system and I am not a happy clean EFI system user. :lol:
If I had got my system now, I would have been ...
hear hear
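geki's "new way" rests on two preconditions that are easy to get wrong from a live CD: the firmware must actually be running in EFI mode (not BIOS/CSM emulation), and the target disk must carry a GPT with an EFI System Partition. The Python below is added here as an example; it is not code from the thread, from Gentoo or from gptfdisk. It checks both preconditions against the text of `gdisk -l`. The sample reports are constructed (device names and sector counts are made up, and the layout is assumed to follow gptfdisk's usual report), and the `sysfs_root` parameter exists only so the firmware check can be exercised offline.

```python
"""Sanity checks for a GPT + EFI layout, run against `gdisk -l` output.
Added example for this thread; not gptfdisk's or Gentoo's own code."""
import os
import re
from typing import List

# Constructed sample in the shape of a `gdisk -l` report for a GPT disk with an ESP.
SAMPLE_GPT = """\
GPT fdisk (gdisk) version 1.0.9

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sda: 250069680 sectors, 119.2 GiB

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          526335   256.0 MiB   EF00  EFI System
   2          526336       250069646   119.0 GiB   8300  Linux filesystem
"""

# Constructed sample for the "old way": plain MBR, no GPT, no ESP.
SAMPLE_MBR = """\
GPT fdisk (gdisk) version 1.0.9

Partition table scan:
  MBR: MBR only
  BSD: not present
  APM: not present
  GPT: not present

Found invalid GPT and valid MBR; converting MBR to GPT format in memory.
Disk /dev/sdb: 250069680 sectors, 119.2 GiB

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048       250069646   119.2 GiB   8300  Linux filesystem
"""

# One partition row: number, start, end, "size unit", 4-hex-digit type code, name.
PART_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+ \S+)\s+([0-9A-Fa-f]{4})\s*(.*)$")


def firmware_is_efi(sysfs_root: str = "/") -> bool:
    """True when the running kernel was started by EFI firmware (not CSM/BIOS).
    sysfs_root is a hypothetical parameter so the check can be pointed elsewhere."""
    return os.path.isdir(os.path.join(sysfs_root, "sys/firmware/efi"))


def check_efi_layout(gdisk_output: str, booted_efi: bool) -> List[str]:
    """Return a list of problems; an empty list means the disk and boot mode
    match the GPT + ESP layout that an EFI grub-install expects."""
    problems = []
    if not booted_efi:
        problems.append("firmware booted in BIOS/CSM mode; an efi-64 grub-install "
                        "cannot register a firmware boot entry from this session")
    if not re.search(r"^\s*GPT:\s+present\s*$", gdisk_output, re.M):
        problems.append("disk has no GPT; repartition with gptfdisk first")
    esp_rows = [m for m in map(PART_ROW.match, gdisk_output.splitlines())
                if m and m.group(5).upper() == "EF00"]
    if not esp_rows:
        problems.append("no EFI System Partition (type code EF00) found")
    return problems


if __name__ == "__main__":
    for label, report in (("gpt", SAMPLE_GPT), ("mbr", SAMPLE_MBR)):
        print(label, check_efi_layout(report, firmware_is_efi()) or "ok")
```

On a real machine, feed `check_efi_layout` the captured output of `gdisk -l /dev/sdX` and the result of `firmware_is_efi()`; a non-empty list explains why `grub-install` for the EFI platform is going to fail before you run it.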
Veldrin
Veteran
Posts: 1945
Joined: Tue Jul 27, 2004 5:47 pm
Location: Zurich, Switzerland

Post by Veldrin » Thu Sep 22, 2011 10:57 am

geki wrote: the only problem left is a live cd/dvd with gptfdisk.
Or just use gparted/parted as provided by sysresccd.
read the portage output!
If my answer is too concise, ask for an explanation.
disi
Veteran
Posts: 1354
Joined: Fri Nov 28, 2003 4:33 am
Location: Out There ...

Post by disi » Thu Sep 22, 2011 11:06 am

Veldrin wrote:
the only problem left is a live cd/dvd with gptfdisk.
or just use gparted/parted as provided by sysresccd.
The SystemRescueCD has gdisk, btw.
Gentoo on Uptime Project - Larry is a cow
Veldrin
Veteran
Posts: 1945
Joined: Tue Jul 27, 2004 5:47 pm
Location: Zurich, Switzerland

Post by Veldrin » Thu Sep 22, 2011 11:19 am

Whatever you prefer...
read the portage output!
If my answer is too concise, ask for an explanation.
depontius
Advocate
Posts: 3533
Joined: Wed May 05, 2004 4:06 pm

Post by depontius » Thu Sep 22, 2011 11:54 am

I last bought a board around the beginning of the year, and it was "traditional BIOS", to coin an odd phrase. How prevalent have EFI boards become? Does this new feared UEFI stuff mean you really can't boot anything unsigned, or that it's simply more cumbersome, or involves turning some switch off? How the heck does the system handle a rescue disk, or does it require that you build the rescue disk from a "signed rescue disk image"?
.sigs waste space and bandwidth
dch24
Tux's lil' helper
Posts: 99
Joined: Thu Feb 15, 2007 2:27 am

Post by dch24 » Fri Sep 23, 2011 3:37 pm

Official confirmation from Microsoft: http://blogs.msdn.com/b/b8/archive/2011 ... -uefi.aspx
Microsoft wrote: unfortunately these seemed to synthesize scenarios that are not the case
Sounds like they are "denying" without directly addressing the issue.

The concern raised by Matthew Garrett is pretty clear:
Matthew Garrett wrote: It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't.
Edit: Update by Matthew Garrett: http://mjg59.dreamwidth.org/6054.html

Edit: UEFI secure booting (Part 2) by Matthew Garrett: http://mjg59.dreamwidth.org/5850.html
Last edited by dch24 on Tue Sep 27, 2011 4:11 pm, edited 2 times in total.
geki
Advocate
Posts: 2387
Joined: Thu May 13, 2004 8:59 pm
Location: Germania

Post by geki » Sat Sep 24, 2011 7:23 am

disi wrote: the SystemRescueCD has gdisk btw.
Great, so I am prepared for the next reinstall. JFYI, gdisk == gptfdisk.
hear hear
olger901
l33t
Posts: 625
Joined: Thu Mar 17, 2005 7:15 pm

Post by olger901 » Sun Sep 25, 2011 9:35 am

I don't think they're denying the issue. They've shown that it's up to the OEM to choose whether they want to have an option for enable / disabling secure boot. If an OEM chooses not to provide you with an option, then just buy a motherboard or laptop from a manufacturer who does give you the option to disable Secure Boot. That's what freedom of choice is about. Both for the manufacturers and for the end customers :-)

Oh and if all manufacturers really do not include the option to disable secure boot (which seems highly unlikely to me, especially manufacturers who ship DIY motherboards; ASUS, GigaByte, MSI etc.), then just buy a certificate, which you can use to sign your own kernel with :-)
dch24
Tux's lil' helper
Posts: 99
Joined: Thu Feb 15, 2007 2:27 am

Post by dch24 » Tue Sep 27, 2011 4:29 am

I'll quote from your post the part I disagree with most:
olger901 wrote: just buy a certificate, which you can use to sign your own kernel with
I disagree for technical and philosophical reasons:

1. Technical reason: manufacturers will not -- they are not required to -- provide a "buy a certificate" option for creating signed kernels. Malware authors would quickly pay the required fee to exploit high-value systems. Even if I ignore the part of your post about "buy a certificate," the only realistic configuration is to deny the end-user the ability to boot their own kernels: there is no way to distinguish "end user" from "malware author."

2. Philosophical reason: whoever first bought the system cannot be assumed to make the correct choice and get a system that allows gentoo kernels; the need for a gentoo kernel -- and I'm strictly speaking in the context of business IT here -- will be tasked to the IT department, who will have to use whatever systems are already in place. Now is the only chance for Business IT to insist that Secure Boot is unacceptable.

On a personal note: (here's my ad-hominem) I do think they're denying it -- without actually having the courage to flat-out deny it -- when they weasel around with these words, quoting directly from the Microsoft blog: "unfortunately these seemed to synthesize scenarios that are not the case." I think I've just shown that, again, in this post, and it bugs me that you're not talking to that point. It is my main point, after all. Don't annoy me with their same smoke-blowing about OEMs, because that is all you are doing: blowing smoke in my face.

Leave UEFI alone, without Secure Boot. Don't stick Secure Boot between me and the hardware I own. Don't force me to circumvent "security" just to run gentoo. This fight will get ugly sooner or later -- I choose to take a stand now.
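The disagreement in this post and the previous one comes down to what the firmware's key databases let the owner do. As an added example (not from the thread, and not real firmware code), the toy Python model below applies the three inputs Secure Boot actually consults: db (allowed signers), dbx (revoked images) and the SecureBoot on/off state, plus a flag for whether the setup menu exposes key enrollment. The keys, image names and the HMAC "signature" are constructed stand-ins; real firmware verifies an Authenticode signature against X.509 certificates in db, and it is the allow/deny logic, not the cryptography, that the example illustrates.

```python
"""Toy model of the UEFI Secure Boot allow/deny decision.
Added example for this thread; the HMAC 'signature' stands in for the real
Authenticode/RSA check so the policy logic can run stand-alone."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Image:
    name: str
    payload: bytes
    signer: Optional[str] = None       # id of the key that signed it; None = unsigned
    signature: Optional[bytes] = None


@dataclass
class Firmware:
    db: Dict[str, bytes] = field(default_factory=dict)   # allowed signer id -> key
    dbx: Set[str] = field(default_factory=set)           # revoked sha256 hex digests
    secure_boot: bool = True
    owner_may_enroll: bool = False     # does the setup menu expose key enrollment?

    def enroll(self, key_id: str, key: bytes) -> None:
        if not self.owner_may_enroll:
            raise PermissionError("this firmware exposes no key enrollment")
        self.db[key_id] = key

    def revoke(self, image: Image) -> None:
        self.dbx.add(hashlib.sha256(image.payload).hexdigest())

    def decide(self, image: Image) -> str:
        """Order mirrors the real check: policy off, then revocation, then signer, then signature."""
        if not self.secure_boot:
            return "allow: secure boot disabled"
        if hashlib.sha256(image.payload).hexdigest() in self.dbx:
            return "deny: image revoked (dbx)"
        if image.signer is None or image.signature is None:
            return "deny: unsigned"
        key = self.db.get(image.signer)
        if key is None:
            return "deny: signer not in db"
        expected = hmac.new(key, image.payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, image.signature):
            return "deny: bad signature"
        return f"allow: signed by {image.signer}"


def sign(key_id: str, key: bytes, name: str, payload: bytes) -> Image:
    return Image(name, payload, key_id, hmac.new(key, payload, hashlib.sha256).digest())


def demo() -> Dict[str, str]:
    # Constructed keys; on real hardware these are certificates stored in db.
    ms_key, oem_key, user_key = b"ms-key", b"oem-key", b"user-key"
    shipped = {"microsoft": ms_key, "oem": oem_key}
    windows = sign("microsoft", ms_key, "bootmgfw.efi", b"windows boot manager")
    own_kernel = sign("user", user_key, "vmlinuz", b"self-built gentoo kernel")
    out = {}

    # Board shipped with only OEM and Microsoft keys and no owner-facing switches.
    locked = Firmware(db=dict(shipped))
    out["windows_on_locked"] = locked.decide(windows)
    out["unsigned_linux_on_locked"] = locked.decide(Image("grub.efi", b"generic grub"))
    out["own_kernel_on_locked"] = locked.decide(own_kernel)
    try:
        locked.enroll("user", user_key)
        out["enroll_on_locked"] = "enrolled"
    except PermissionError as exc:
        out["enroll_on_locked"] = f"blocked: {exc}"

    # Board whose setup menu lets the owner add a key to db.
    enrollable = Firmware(db=dict(shipped), owner_may_enroll=True)
    enrollable.enroll("user", user_key)
    out["own_kernel_after_enroll"] = enrollable.decide(own_kernel)

    # Board whose setup menu lets the owner switch Secure Boot off.
    switchable = Firmware(db=dict(shipped), secure_boot=False)
    out["own_kernel_sb_off"] = switchable.decide(own_kernel)

    # Revocation via dbx: a correctly signed image can still be refused.
    revoker = Firmware(db=dict(shipped))
    revoker.revoke(windows)
    out["revoked_windows"] = revoker.decide(windows)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} {verdict}")
```

`demo()` walks the cases the thread argues about: on a board shipped with only OEM and Microsoft keys and no switches, the signed Windows loader is allowed while both an unsigned GRUB and a kernel signed with a key absent from db are refused; enrolling the owner's key or disabling Secure Boot are the two routes that let the self-built kernel through; and dbx shows that a signed image can still be refused after revocation.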
Hu
Administrator
Posts: 24385
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Wed Sep 28, 2011 1:54 am

I tend to look at the Microsoft blog post as a "non-denial denial", as it is often called in politics. Rather than explicitly refute the allegations that this breaks Linux, they make a statement to the effect of "How could you think such a thing?" in the hope that people will interpret that as a denial, thereby ending the discussion. However, it is not an actual denial, and when they later do break Linux, they can truthfully state that they never claimed Linux would be allowed by Secure Boot.
dch24
Tux's lil' helper
Posts: 99
Joined: Thu Feb 15, 2007 2:27 am

Post by dch24 » Sat Oct 08, 2011 8:02 pm

I've been in touch with at least one motherboard manufacturer I know personally. They were "unable to comment."

I'm assigning one full-time employee to coreboot.org.
cach0rr0
Bodhisattva
Posts: 4123
Joined: Thu Nov 13, 2008 11:14 pm
Location: Houston, Republic of Texas

Post by cach0rr0 » Sat Oct 08, 2011 11:08 pm

I look at it this way; they're not killing Linux as a server platform any time soon. For what little market share it has on the desktop, in the server market it's the complete inverse. Server mobos will not be a concern.

...though if this causes something like coreboot to take off, all the better.
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash