Although a number of comments on and off the SL list have opined that
any discussion of UEFI is off-limits to this list, below is a popular
press article concerning a view from Red Hat (the beloved TUV of this
list) that presumably is on-limits. Again -- is there a workaround were
efforts to prevent the MS version of UEFI fail?
Please note from the article below that UEFI as contrived may not only
prevent Linux from booting, but also prevent field hardware upgrades.
(Please see the section beginning: "Microsoft claims that the customer).
Please do not "flame" me, or try to start a socio-political discussion;
the practical issue entirely is one of engineering and workarounds if
this cannot be stopped (so that the end-user/system administrator can
install new keys, not just MS keys, or disable keys for the use of
older, pre-UEFI board-level hardware components).
http://www.theregister.co.uk/2011/09/26/uefi_linux_lock_out_row_latest/
Red Hat engineer renews attack on Windows 8-certified secure boot
Linux lock-out row rumbles on
By John Leyden
Posted in Developer, 26th September 2011 11:06 GMT
A senior Red Hat engineer has lashed back at Microsoft's attempt to
downplay concerns that upcoming secure boot features will make it
impossible to install Linux on Windows 8 certified systems.
Unified Extensible Firmware Interface (UEFI) specifications are designed
to offer faster boot times and improved security over current BIOS ROM
systems. The secure boot feature of the specification is designed so
that only digitally signed OS loaders will load, a security feature that
would prevent the installation of generic copies of Linux or FreeBSD as
well as preventing rootkits and other boot-time malware from running.
A digitally signed build of Linux would work, but that would mean
persuading OEMs to include the keys. Disabling the feature would allow
unsigned code to run. However, it is unclear how many OEMs and firmware
vendors will follow this route, which isn't required for Windows 8
certification.
The forthcoming secure boot feature has created a huge row with computer
scientists, such as Ross Anderson of Cambridge University (here), and
open-source developers who accuse Microsoft of pushing lock-in and
decreasing consumer choice. Microsoft responded by saying consumers
would continue to control their PC and cited the example of one OEM,
Samsung, which is including a "disable secure boot" feature on prototype
versions of its tablet PC.
Power play
This response has failed to satisfy critics of the technology. Matthew
Garrett, power management and mobile Linux developer at Red Hat, who was
among the first to flag up concerns over the technology, said that
Microsoft's response fails to address his central point that "Windows 8
certified systems will make it either more difficult or impossible to
install alternative operating systems".
Red Hat, he explains, has been working with Linux suppliers, hardware
manufacturers and BIOS developers since becoming aware of the issue in
early August.
Garrett said that Windows 8 certification requires that hardware ship
with UEFI secure boot enabled. A feature allowing secure boot to be
disabled – necessary to run Linux and FreeBSD on certified systems – is
not required for certification. "We've already been informed by hardware
vendors that some hardware will not have this option," Garrett writes in
a flow-up blog post to his original critique of the technology.
In addition, Windows 8 certification does not require that the system
ship with any keys other than Microsoft's. Such systems will only
securely boot Microsoft operating systems.
A system that ships with Microsoft's signing keys and no others will be
unable to perform secure boot of any operating system other than
Microsoft's," Garrett writes. "No other vendor has the same position of
power over the hardware vendors. Red Hat is unable to ensure that every
OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD
or any other PC component manufacturer."
Neither of the two options – the first being to get OEMs to include keys
for a digitally signed copy of a particular build of Linux and the
second being allowing users to disable secure boot – look likely in most
circumstances. The upshot of this, as things stand, is that Linux fans
will only be able to run the alternative operating system on a small
minority of Windows 8-certified hardware.
Control
But the issue goes beyond operating system choices and also affects
other modification a user might choose to make to their PC, Garrett
argues. He reckons Microsoft is pushing control of what can or can't be
done on a PC away from consumers towards hardware manufacturers.
"Microsoft claims that the customer is in control of their PC," he
writes. "That's true, if by 'customer' they mean 'hardware
manufacturer'. The end user is not guaranteed the ability to install
extra signing keys in order to securely boot the operating system of
their choice. The end user is not guaranteed the ability to disable this
functionality. The end user is not guaranteed that their system will
include the signing keys that would be required for them to swap their
graphics card for one from another vendor, or replace their network card
and still be able to netboot, or install a newer SATA controller and
have it recognise their hard drive in the firmware. The end user is no
longer in control of their PC."
Garrett isn't opposed to secure boot or UEFI as such but the way
Microsoft is "misusing" the technology to "gain tighter control" over
the desktop operating system market it already dominates.
"Microsoft's rebuttal is entirely factually accurate," Garrett writes.
"But it's also misleading. The truth is that Microsoft's move removes
control from the end user and places it in the hands of Microsoft and
the hardware vendors. The truth is that it makes it more difficult to
run anything other than Windows. The truth is that UEFI secure boot is a
valuable and worthwhile feature that Microsoft are misusing to gain
tighter control over the market. And the truth is that Microsoft haven't
even attempted to argue otherwise," he concludes.
Boot(ing-up) Note
Red Hat has done some testing work with the UEFI Forum, an industry
group that is overseeing the development and introduction of the
next-generation start-up specification. However this testing work
happened before the implications of the secure boot feature became
clear, Garrett told El Reg.
We're contributing members of the UEFI forum, which means we have access
to the specification drafts and contribute towards the language in
them," Garrett told El Reg. "We also typically attend some of the UEFI
testing events. While the UEFI specification for secure boot has been
public for some time, Microsoft's plans for it only became known very
recently. We're still at the point of working out how some of the fine
details are going to work. So, yes, while we do some testing with the
forum, the last testing event was from before Microsoft let us know they
were going to do this."
|