SCIENTIFIC-LINUX-USERS Archives

September 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Yasha Karant <[log in to unmask]>
Reply To: Yasha Karant <[log in to unmask]>
Date: Wed, 25 Sep 2013 08:35:38 -0700

I apologize for including the entire thread below to respond to just one 
point.

quoting:
Ubuntu 12.04.4 LTS should work.

End quote,

As I have not kept current on the Ubuntu (or Debian) Linux efforts, I do 
not know the status of the above release.  Assuming that it is a 
production release, supported for those who have an Ubuntu-compatible 
support contract, then my colleague did try it, and found it would not 
reliably work on the specific aftermarket generic motherboard he was 
attempting to use.  The specific board did work for MS Win 8 using UEFI 
Secure Boot ("the vendor lock-in" from a different post not from me), 
but not reliably with Ubuntu.  I will attempt to find out the specifics 
if there is interest; however, it was this effective failure that 
prompted the question to me (as a user/proponent of EL, and specifically 
SL as a professionally developed/deployed stable production environment 
capable of supporting "modern" applications, such as VirtualBox, on both 
servers and workstations including professional laptops).

The other issue is "waiting" for the vendors to "catch-up" and 
distribute truly UEFI Secure Boot compliant hardware (e.g., 
motherboard).  In the particular case of my colleague, he positively 
needed to change out the motherboard now (no time to wait).  No spare 
new motherboard of the type he needed was in local inventory, and thus 
he ordered a current production new motherboard from a major aftermarket 
generic motherboard manufacturer/vendor.  This new acquisition -- vital 
to maintain the production machines used to support our research effort 
-- was the reason for my first posting.  Note that we are a 
multi-distribution site even for research; although all of our research 
servers are SL (we retired our last BSD server last year) -- we allow 
any OS environment on a workstation supported by the researcher provided 
the OS and applications do not require proprietary protocols (thus, we 
require IETF, W3C, etc., operational compliance, using SMTP, IMAP, SSH 
with X, etc., protocols).  Almost all of the workstation systems are 
either some type of Linux or MacOS X.

Again, my apologies for the length -- is a snip within a reply 
appropriate for this list using the same subject line (same thread)?

Yasha Karant

On 09/25/2013 07:57 AM, Connie Sieh wrote:
> On Tue, 24 Sep 2013, Yasha Karant wrote:
>
>> Let me see if I understand the current situation. This question was
>> prompted by the question of a  colleague attempting to use OpenSuSE (not
>> SL nor TUV) on UEFI Secure Boot who was not able to get a reliably
>> booted running operating environment.  The colleague wondered if SL
>> would fare better.
>>
>> Depending upon the particular BIOS or BIOS equivalent, using MS Windows
>> 8, it may be possible to disable Secure Boot and allow for SL to be
>
> Using is not the "official status",  it is "Windows 8 logo" use that
> dictates secure boot.  And if it is enabled then it is required to have
> a way to disable it.  Please give the vendors a chance with turning
> secure boot off.
>
>> booted.  Secure Boot, and many other technologies put forward by,
>> through, or under the auspices of the monopoly primarily exist to move
>> forward the market share, return on investment, and general economic
>> wealth of the monopoly (not a surprise in oligopolistic non-market
>> economics).
>>
>> SL with Fermilab participation is participating in projects that will
>> allow SL to boot on UEFI Secure Boot hardware without the use of any
>
> This is only planned for SL 7 as RHEL 7 is expected to have secure boot
> ability.
>
>> monopoly operating environment software or applications -- Microsoft not
>> required.  Presumably, TUV is participating as well as TUV
>> supported-for-fee environments must be able to reliably boot and run on
>> UEFI Secure Boot platforms without the use of monopoly software to
>> enable the booting process.  Apple is not a matter for discussion
>> because Apple provides the entire hardware and software package, and
>> does not allow the use of MacOS on non-Apple hardware platforms.
>> Presumably VirtualBox and other means to allow MS Windows to run as a
>> guest environment has or will have some means to provide UEFI Secure
>> Boot to MS Windows guests requiring such.
>
> Since the requirement is to be allowed to use the "windows 8 logo" not
> sure that this would be an issue.
>
>>
>> At present, there is no production Linux that will reliably run on all
>> hardware platforms that use UEFI Secure Boot
>
> That is true if you include Windows ARM systems because of the inability
> to disable "Secure Boot" .  x86_64 systems are a work in progress.
> Depends on your definition of "production Linux".  Ubuntu 12.04.4 LTS
> should work.
>
>
> -Connie Sieh
>
>> but only MS Windows
>> environments will do so on any hardware platform that proclaims
>> compliance with the monopoly ("certification").
>>
>> Is the above substantially correct as of this instant?
>>
>> Yasha Karant
>>
>> On 09/24/2013 04:40 PM, Connie Sieh wrote:
>>> On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:
>>>
>>>> Down, boy.
>>>>
>>>> Scientific Linux is behind the times on available tools, because our
>>>> favorite upstream vendor has not yet released tools. Tools to work with
>>>> have been tested, effectively, with Fedora, and I expect our favorite
>>>> upstream vendor will include tools with release 7.x, which is not yet in
>>>> alpha or beta release. Check out
>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.html
>>>> for a good breakdown of the issues and trade-offs.
>>>>
>>>> UEFI is part of the old "Palladium" project from Microsoft, relabeled as
>>>> "Trusted Computing". It is aimed squarely at DRM and vendor lock-in, not
>>>> security, for reasons that I could spend a whole day discussing. In the
>>>> meantime, yes, you can disable it for SL booting if needed, and reasonably
>>>> expect our favorite upstream vendor to have shims available when version 7
>>>> is published: they're already working well with recent Fedora releases. I'd
>>>> also *expect* those shims to be workable for SL 7, but someone may have to
>>>> plunk down some cash to get some keys signed, and spend some extra effort
>>>> to maintain the security needed for the relevant shims to work well with SL
>>>> kernels and environments.
>>>
>>> Last week at LinuxCon North America the shim developers were still
>>> developing.
>>>
>>> I attended the UEFI Plugfest last week as part of Linux Con. Microsoft
>>> gave a presentation on UEFI signing.  The presentation will be posted to
>>> uefi.org website.
>>>
>>> We are working on this.  Fermilab is a member of the UEFI forum .
>>>
>>> -Connie Sieh
>>>
>>>>
>>>>
>>>> On Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant <[log in to unmask]>
>>>> wrote:
>>>>
>>>>> Secure boot is enabled.  Evidently, the only means to disable secure boot
>>>>> requires that a secure boot loader/configuration program be running --
>>>>> e.g., the MS proprietary boot loader (typically, supplied as part of MS
>>>>> Windows 8) must be used to disable secure boot if the UEFI actually permits
>>>>> this to be disabled (I have heard of some UEFI implementations that do not
>>>>> permit secure boot truly to be disabled).
>>>>>
>>>>> If Linux cannot handle this issue, then Linux is finished on all generic
>>>>> (e.g., not Apple that supplies both the hardware and operating environment
>>>>> software under a restrictive proprietary for-profit intellectual property
>>>>> license) X86-64 hardware, as (almost?) all current such hardware is MS 8
>>>>> (UEFI secure boot) compliant.
>>>>>
>>>>> Yasha Karant
>>>>>
>>>>> On 09/23/2013 10:29 PM, Connie Sieh wrote:
>>>>>
>>>>>> On Mon, 23 Sep 2013, Yasha Karant wrote:
>>>>>>
>>>>>>> A colleague who uses SuSE non-enterprise for his professional
>>>>>>> (enterprise) workstations has now attempted to load the latest SuSE on a
>>>>>>> machine with a new generic (aftermarket) "gamer" UEFI  X86-64
>>>>>>> motherboard.  It does not properly boot.  I do not have any UEFI
>>>>>>> motherboards, and thus no experience with SL6x on such motherboards.
>>>>>>>
>>>>>>
>>>>>> Is "secure boot" enabled in the UEFI ?
>>>>>>
>>>>>>
>>>>>>> Does anyone?  Does SL6x boot correctly (and easily) on a UEFI
>>>>>>> motherboard?  If so, he may switch to SL.
>>>>>>>
>>>>>>
>>>>>> Yes as long as "secure boot" is disabled .
>>>>>>
>>>>>>
>>>>>>> Yasha Karant
>>>>>>>
>>>>>>>
>>>>>> -connie sieh
>>>>>>
>>>>>
>>>>
>>
