Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Microsoft Open Source Windows Hardware Linux

Spanish Open Source Group Files Complaint Over Microsoft Use of UEFI Secure Boot 154

sl4shd0rk writes "Hispalinux, which represents Spanish Open Source developers and users, has filed a complaint against Microsoft with the European Commission. 14 pages of grief cited Windows 8 as an 'obstruction mechanism' calling UEFI Secure Boot a 'de facto technological jail for computer booting systems... making Microsoft's Windows platform less neutral than ever.' On March 6 of 2012 the Commission fined Microsoft 561 million Euros for failing to offer users a choice of web browser, and there was also a 2004 ruling which found the company had abused its market position by tying Windows Media Player to Windows itself. Relations appear to remain more tense towards Windows in Europe, so there may be some hope of making UEFI more Linux-friendly. UEFI has been implicated in the death of Samsung laptops running Linux."
This discussion has been archived. No new comments can be posted.

Spanish Open Source Group Files Complaint Over Microsoft Use of UEFI Secure Boot

Comments Filter:
  • by Anonymous Coward on Tuesday March 26, 2013 @05:37PM (#43286301)

    ... and that is, to keep secure boot around, but ban the practice of not allowing users to enter their own BIOS keys, or disable it in the BIOS.

    I like secure boot from a security perspective, and we actually use it to lock down some embedded Linux products I've worked on. As long as savvy users can disable/override/change keys, we get the best of both worlds.

    • by aaaaaaargh! ( 1150173 ) on Tuesday March 26, 2013 @06:12PM (#43286619)

      What is most important is that the user must perform the same steps for activating secure boot of an operating system regardless of which operating system is being installed. No extra fiddling in the UEFI for non-Microsoft operating systems and no dependence of other OS makers on Microsoft for anything in this process.

      • Re: (Score:2, Insightful)

        by vux984 ( 928602 )

        That's just absurd. If I buy a computer with an operating system pre-installed then I expect any relevant UEFI configuration done when I get it.

        If I want to install something else, then disabling UEFI secure boot or installing approriate keys for my alternate choice should be on me.

        And if I buy a boxed motherboard at retail, the selection of preinstalled keys should just be another differentiating factor between models and vendors. I am fully prepared for a real world where everything ships with the microso

        • by Teun ( 17872 ) on Tuesday March 26, 2013 @07:20PM (#43287113)
          So then, what is absurd?

          Off course a pre-installed computer should come with UEFI secure boot enabled.

          But it should not be a hindrance like we see now to later or right away install the OS of choice.
          Even when keys are a necessity they should still be available to the rightful owner of the hardware, not some outsider like Microsoft.
          You bought a computer with secure boot, disabling it is the wrong option.

          • Re: (Score:3, Interesting)

            by vux984 ( 928602 )

            Off course a pre-installed computer should come with UEFI secure boot enabled.

            Right. So if it comes pre-installed with windows, then UEFI secure boot will be enabled and the signing key for windows will be loaded.

            If I want to reinstall windows, uefi isn't going to interfere or be a factor at all.

            If I want to install any other operating system, then its going to be extra effort, im going to have to load a signing key for the OS I want to install, and that means "extra fiddling".

            It is absurd to suggest otherw

          • So then, what is absurd?

            Off course a pre-installed computer should come with UEFI secure boot enabled.

            But it should not be a hindrance like we see now to later or right away install the OS of choice.

            Even when keys are a necessity they should still be available to the rightful owner of the hardware, not some outsider like Microsoft.

            You bought a computer with secure boot, disabling it is the wrong option.

            ===
            should the hardware vendor provide a second level external software bios that the secure boot bios loads? This latter bios would contain the user managed security keys to allow the starting of any operating system. This bios, once its signature is validated would take over from the rom/eprom bios.

            That would solve the problem of permitting any user operating system to boot. The risk, if there is one, is that your selected operating system may contaminate another operating system.

          • Wait until Windows Updates re-enable disabled UEFI setups

        • by sjames ( 1099 )

          So configure it with secure boot OFF. If the user wants to secure the boot, he/she can go through a procedure to generate a key and sign the bootloader (or sign the OS vender's key and add it as a secondary key).

          Secure boot is a feature that might act to better secure a system for a security conscious user who also takes the other necessary steps in OS and applicatoion configuration. Otherwise, it's just a roadblock to installing another OS and provides no benefit to the owner of the device.

          • by vux984 ( 928602 )

            So configure it with secure boot OFF.

            That's like shipping it with antivirus disabled and relying on the average user to do something quite complicated to turn it on.

            If the user wants to secure the boot, he/she can go through a procedure to generate a key and sign the bootloader (or sign the OS vender's key and add it as a secondary key).

            Gee, that sounds like work, average user will just press skip and run without it. Just like they don't do windows updates or anything else unless they are done automaticall

            • by sjames ( 1099 )

              If those assumptions are true, then secureboot won't help them anyway since they'll run as admin at all times and set no password. If they are somehow talked into at least setting a password, they'll dutifully enter it whenever the nice people in wherethefuckisthatistan (or Sony) say they need to.

              All secureboot could possibly do for them is lock them out one day.

              • by vux984 ( 928602 )

                If those assumptions are true, then secureboot won't help them anyway since they'll run as admin at all times and set no password.

                Which starting with Vista is a regular user account unless they escalate.

                If they are somehow talked into at least setting a password, they'll dutifully enter it whenever the nice people in wherethefuckisthatistan (or Sony) say they need to.

                These are the people who don't update flash or acrobat or Windows. Why would they enter it for some random popup they know even less about?

                Al

                • by sjames ( 1099 )

                  I am stating flat out that secure boot contains no magic unicorn dust. People routinely OK everything and authenticate anything and everything in windows. If they won't set secure boot on their new machine, they won't take any of the other necessary steps to maintain a secure system anyway. With or without secureboot, they will be hacked and infected sooner or later.

                  If it makes you feel better, how about just making sure the root key in the system is a system specific key that then signs the MS key IF the u

                  • by vux984 ( 928602 )

                    People routinely OK everything and authenticate anything and everything in windows.

                    Yes, that applies to some people.

                    And many more are reasonably good about not opening random things from the web, and don't visit the darker parts of the web and they don't click "I agree" to UAC to view naked pictures of a celebrity or whatever.

                    When they do get infected its usually some sort of drive-by exploit on some legitimate site via a malicious ad.

                    Between default secureboot, default automatic windows updates, default au

        • by jhol13 ( 1087781 ) on Tuesday March 26, 2013 @10:56PM (#43288159)

          The problem is that there is no advantage to anyone to have "secure boot".

          The "secure boot" does not prevent viruses from writing to the (pre)bootloader, it just notices if it has happened. Then the "notification" or "failure mode" is DoS, your computer won't boot. I'd rather boot with a virus than not boot.

          How about a better solution, something that *prevents* viruses from writing over the prebootloader? Something which will not brick your computer at an important meeting?

          Solution: There is an unclearable security bit in the disk controller which prevents writing to sector 0. The (pre)bootloader would set the bit in the boot, unless the boot is from USB (or a key was pressed), thus allowing OS installers to write the sector 0. All the advantages of "secure boot" and none of the disadvantages.

          • The problem is that there is no advantage to anyone to have "secure boot".

            How about being able to reliably boot up to a specific version of an operating system? (Known boot whatever loads signed whatever, which loads signed whatever, etc.) Not that I'm an expert here, but it looks to me like it would be much easier to detect rootkits with secure boot.

    • by 0123456 ( 636235 ) on Tuesday March 26, 2013 @06:13PM (#43286635)

      As long as savvy users can disable/override/change keys, we get the best of both worlds.

      What about 'unsavvy' users, who can currently put a CD in their drive and install the OS, but in the glorious 'secure' future will have to fiddling in the BIOS instead, if the hardware even allows it?

      • 'Unsavvy' users can re-install the OS that came with the computer just as easily (or not) as they can right now. And, almost by definition, people who are installing their own alternate OSs are not unsavvy.

    • also need to ban app store lock in / MS may make that push soon as well.

      NO desktop may come as soon as windows blue / 9.

      • No, it won't. Don't be paranoid retarded.
        • Really?? You believe this? Have you tried to install software on a Surface RT from someplace other than the MS app store?

          It will take them time to boil the frog on the x86 front, but dollars to doughnuts, they're going to do everything they can to get as close as possible to Apple's 30% cut of all software installed. They may not get completely there on x86, because of customer-generated and enterprise software that requires complex installation - but I'll bet you any amt of money they gaze longingly in
          • Really?? You believe this?

            No, I don't. I know it. How do I know it? Because I am not retarded.

            Have you tried to install software on a Surface RT from someplace other than the MS app store?

            You do realize there is a huge difference between Win8 and Win 8 RT right? Let me throw you a tiny hint. Legacy software. RT has none. That was a clue to un-retard your brain.

            they're going to do everything they can to get as close as possible to Apple's 30% cut of all software installed

            They may wish to do so, they'll probably even sell desktop shrink-wrap software in the MS Store. They are never abandoning the desktop market though. Ever. How do I know this? I am still not retarded. Unlike the retarded journalist who actually (professes to) believe t

    • by Anonymous Coward

      If savvy users can disable/override/change keys then so can savvy crackers intent on bypassing your security perspective.

      Security isn't about adding 'another hoop' to someone's day. And giving MS the keys to your security is just asking for it.

      Hmmm... crackers....

      • by c0lo ( 1497653 )

        Security isn't about adding 'another hoop' to someone's day. And giving MS the keys to your security is just asking for it.

        Yes, it is! security is a matter of trade off: between the value of the protected resources and the cost of protection. And this trade off need to be considered twice, from the PoV of attacked and attacker:
        1. value for you (what do you have to lose if resource is "stolen" or damaged) vs the cost required for you to protect it
        2. value for the attacker (what the attacker stands to gain by stealing/damaging the resource) vs the cost required to do it

    • by Anonymous Coward on Tuesday March 26, 2013 @06:26PM (#43286723)

      Linux installation had gotten to the point that it is even easy for not so computer savvy people. In fact, installing Mint was a lot easier and
      trouble free than installing windows. Until Windows 8 and UEFI. Yes, you can turn of secure boot, but it took knowing that it should be possible
      and much searching to find out how: The option was not (visible) unless you set an UEFI administrator password. Even with secure boot turned off, it did
      not boot from CDROM. It did boot from USB key, but did not read data from it, ...
      Of course much of this is laptop specific; this is precisely the problem. There is no easy generic recipe, and the not so savvy users are going to give up, and think this Linux thing is too difficult.
      It is not acceptable that one (monopoly) os vendor has the keys to ypur hardware. Secure boot should at least be turned off or in setup mode by default, and it should be easy to install extra/your own keys.

      • by mathew7 ( 863867 )

        My experice comes from Lenovo with Win8 consumer preview.
        Used win7 (from lenovo) and debian, both through UEFI.
        Installed win8 CP over win7. 1st problem: i could no longer change the boot order. I could boot both OSes, but I could not boot linux without boot menu.
        So I used the UEFI tool from debian to change the order.....debian booted by default...but win8 refused to boot.
        No option to disable secure boot.

        So my opinion, MS is to blame only for forcing secure-boot, leading to OEM delivering incomplete impleme

        • Update your EFI.

          All Lenovo EFI versions I've seen (and that's quite a few of them since I own the process of certifying hardware for my employer) have the ability to disable EFI Secure Boot under the "Security" section.

          • by mathew7 ( 863867 )

            Will do, but it's pointless now as I converted to MBR BIOS emulation booting. In the process I learned that Win7 links UEFI booting to GPT and BIOS emulation to MBR. Linux can do any of the 4 combinations (if you know how to set it up).

    • "I like secure boot from a security perspective, and we actually use it to lock down some embedded Linux products I've worked on. As long as savvy users can disable/override/change keys, we get the best of both worlds."

      How does it work without using the MS-signed UEFI key [engadget.com]
      • by sofar ( 317980 )

        You remove it (or never have it to begin with if you are a hardware vendor) and put your own platform key on it. For examples on how to do so, please google James Bottomley's blog.

    • Now if we get that on any platform including ARM I'll agree with you.

    • by jhol13 ( 1087781 ) on Tuesday March 26, 2013 @10:45PM (#43288115)

      There is NO security in "secure boot"

      1. What does it secure against? Viruses in (pre)bootloader, nothing else.
      2. How does it secure? By DoS (disabling the boot).

      1. Hugely better way would be the disk controller to disable writing to the first sector of any drive.
      2. That would prevent viruses from writing into the disk in the first place.

      This would work as follows: the (pre)bootloader would set an uncleareble security bit in the disk controller which prevents writing to the sector 0. If the boot is from USB (or a key was pressed, etc.) then it would not set the bit, thus allowing OS installers to write the sector 0.

      • by mathew7 ( 863867 ) on Wednesday March 27, 2013 @03:32AM (#43289153)

        That kind of virus protection was present in older BIOS implementations, while win9x/ME was still present. With Win2K/XP, no such protections work (for MBR booting) because other drivers are accessing the HW directly (and you cannot enforce on HW because that would prevent repartitioning).
        For UEFI-booting, the UEFI firmware has a complete path to a partition+file. There is no way to protect a single file with a compromised OS.

        • by jhol13 ( 1087781 )

          The firmware does not access a "file" as it does not undestand the file system you use. So you do not need to protect "a file", you can protect whatever the firmware loads, no matter if it is MBC, MBR, GPT, secondary GPT also, or even a list of (thousands of) LBAs - if you really want.

          Are you still claiming this cannot be done? Why not?

          • by mathew7 ( 863867 )

            That's just it: fat32 is known & used. Haven't you seen those 100-500mb boot partitions that win vista & newer create? Those are because of uefi.

            • by mathew7 ( 863867 )

              As a completion, BitLocker may be another reason for the small boot partition.
              But the concept of UEFI booting is not to use the 1st LBA to load the OS. That still remains but it's called BIOS-emulation.
              You know the old "installed OS menu" concept where one OS has to know about another (like dual/triple-booting)? With UEFI that is gone, as each OS will add it's own booting instructions (description + bootloader file + UEFI parameters) without erasing/changing the others (well, it can, but it's against the UE

      • Yeah, that's great for old school MBR-style disks, but when you move into GPT / uEFI, it's a completely different ball game.

        • by jhol13 ( 1087781 )

          Er ... why? Why cannot you write protect the MBR in GPT/UEFI disks?

          • Well, for one thing, the MBR is only a "protective MBR" and doesn't describe anything about the layout of the disk, and serves no purpose other than making sure disk utilities that don't know how to work with GPT don't blast your partition table to nothingness. Secondly, GPT has a backup table in it's standard layout, so if something does screw with the primary partition table, you can restore from the backup table. Third, if you're using uEFI, and your OS is EFI-boot native, it's not doing the "player pi

            • by jhol13 ( 1087781 )

              You seem to forget how secure boot works: it checks the signature of the boot image (OS loaders & drivers). I propose protecting the boot image and how it is found, by listing the important LBAs or partitions (i.e. the places where the OS loaders and drivers reside and how they are read during boot).

              Besides, the EFI is overly complicated.

    • by Anonymous Coward

      It's worse than that actually.

      If thing is on by default, many users will be:
      a) afraid to disable it.
      b) Wont know how.

      And this will be big enough barrier for them to try out Linux.
      So, unless option is on by default, it's already bad.

    • The issue is that they pulled a page out of the "Halloween Documents" in that the spec is "open" but OEMs only have to MATCH Microsoft's implementation as a minimum to boot Windows... There was never any "QA" to follow the other parts of the spec.... ... Oops! Imagine that happening?

      The goal is not to "lock out" everybody... But to make 5% of customers that want to use the freature have to beg and hassle manufactures for every. single. model... Individual apathy at each manufacturer will keep it relativel

  • Radical (Score:3, Interesting)

    by Anonymous Coward on Tuesday March 26, 2013 @05:41PM (#43286333)

    I would like to see something radical happen which promotes actual technological innovation and hinders all this IP bullshit. If you want to make money you will actually need to produce good products, not create all these ugly "services" and lock-in mechanisms. The only purpose of them is to NOT have to innovate but make money anyway.

    • Re:Radical (Score:5, Insightful)

      by ackthpt ( 218170 ) on Tuesday March 26, 2013 @05:52PM (#43286429) Homepage Journal

      I would like to see something radical happen which promotes actual technological innovation and hinders all this IP bullshit. If you want to make money you will actually need to produce good products, not create all these ugly "services" and lock-in mechanisms. The only purpose of them is to NOT have to innovate but make money anyway.

      The problem is Microsoft does make good products. They don't make great products, though. To prevent you from having freedom to choose and companies to offer better technology applications/plug-ins they still cling tenaciously to their strategy to lock you into their technology or kill competitors with bundling.

      Imagine only being able to buy the petrol for your automobile at specified stations, where the mixture won't result in a burned out engine. There were businesses once who considered or undertook such business models. (some still do, but not to that extent) Microsoft continues to flirt with this strategy -- once in their kingdom you can only get your water from their well.

      • Re:Radical (Score:4, Insightful)

        by whoever57 ( 658626 ) on Tuesday March 26, 2013 @06:35PM (#43286783) Journal

        The problem is Microsoft does make good products. They don't make great products, though.

        I don't think that is accurate. For the most part, Microsoft makes products that are barely good enough, combined with the fact that Microsoft's monopoly position made it such that most buyers of computers were simply unaware of what was possible. For example, BSODs are rare now, but Microsft was able to convince a generation of buyers that random BSODs were acceptable when competing products did not suffer the same problems.

        The fact is that we don't know how far the industry would have progressed without the illegal anti-trust violations which resulted in the supression of competition.

        • by Anonymous Coward

          I would write a fully reasoned and explained response, but you strike me as the kind of person who has his or her mind completely made up; the kind of person who would refuse to accept any kind of argument; in short, the kind of person who would simply attack anything I write with his or her ignorance.

          In lieu of that, then, I will ask: how often have you encountered a BSOD that wasn't caused by an incompetent third party, or some kind of hardware failure? Microsoft maintains an extremely complex operating s

          • by Arker ( 91948 )

            In lieu of that, then, I will ask: how often have you encountered a BSOD that wasn't caused by an incompetent third party, or some kind of hardware failure? Microsoft maintains an extremely complex operating system that provides decades of backwards compatibility (of note, a lot of their most idiotic design choices stem from this). Neither the Linux community nor Apple provide the same.

            First case - plenty of times. MS seems to have some issues with race conditions and has for many years. Most BSODs today do

          • Microsoft, incredibly late to the party, has now realized that instead of maintaining all that backwards compatibility in the core OS to be able to run 20+ year old apps in the same space as something published 6 minutes ago, have turned to application layer virtualization.

            Unfortunately, you only get the license to use this if you buy the ridiculously expensive versions of Windows, or are a company giving Microsoft a ton of cash for Software Assurance. But, you can actually run multiple versions of applica

        • The fact is that we don't know how far the industry would have progressed without the illegal anti-trust violations which resulted in the supression of competition.

          I think we have a pretty good idea how far the industry would have progressed. Just look at the non MS world around you.
          As far as Microsoft Products they are far superior to the majority of the products out there. Are they perfect? No, but then neither is anything else.

        • Re:Radical (Score:4, Insightful)

          by symbolset ( 646467 ) * on Tuesday March 26, 2013 @10:26PM (#43288029) Journal
          Take a look at mobile for a clue how that would turn out. Without Microsoft's - and their partners' "leadership" the pace of progress has been... astounding.
      • They don't make great products, though

        Visual Studio is a great product and has been for a while now.

    • Re:Radical (Score:5, Insightful)

      by girlintraining ( 1395911 ) on Tuesday March 26, 2013 @07:30PM (#43287167)

      I would like to see something radical happen which promotes actual technological innovation and hinders all this IP bullshit.

      Many moons ago, now long-forgotten to most of the younger crowd that's moving into spaces like this, there was an informal ideology known as the hacker ethic. One of them, was that knowledge is power, and so it should be shared freely. The right to learn, and the duty to teach, went hand in hand in our community. It didn't matter what laws they passed telling us we couldn't speak, we couldn't teach, couldn't learn -- which is what intellectual property is fundamentally about. We did it anyway. And they called us criminals, they passed laws, they tried to delete us from the network we built, and loved, and replace it with paid shills, corporations, and tons and tons of advertising. And none of that gave a damn about learning, or teaching -- it was about consumption.

      And today, kids these days, they think that consuming their content, their pre-processed and devoid of flavor "knowledge", is what learning is today. And us, those who were here first... it's painful to watch. Sometimes so much so, we have to turn away from our hobbies for awhile, get up, go outside, because the saddest words ever said are "What might have been!" We failed you. The next generation. But we tried. Oh damn, we tried... We thought it would be enough. Nobody could control the internet!

      We never thought that every government in the world, even traditional enemies, would ally themselves with one goal: Destroy this new vessel of human freedom.

      We never thought it would become the tool of your oppression.

      • by epyT-R ( 613989 )

        sums up my thoughts exactly. It's really too bad. Computing in the 80s-90s was about indvidual empowerment.. Now it's about intellectual enslavement.

        • It's really too bad. Computing in the 80s-90s was about indvidual empowerment..

          Right, as long as somebody else paid to run all the infrastructure so you could have a playground to be free and rail against the people paying the tab. Classic.

      • Any particular reason you had to be so dramatic? It's not necessary to make your point. It's fairly straightfoward really: the bad guys always win; it's a fact of life. They have more money and power than good, honest, moral people will ever have, The best you can do is hold them off as much as possible, but eventually, anything that can be locked down, will be. Anything that can be done to ensure people are kept dumb and mindless consumers, will happen. I know this, because it's happening to me too despite

      • I am with you sis' but among my community only the mostr idealist of us were thinking this "We never thought that every government in the world, even traditional enemies, would ally themselves with one goal: Destroy this new vessel of human freedom." The msot realist (and I was among them) were more like "enjoy it while it last because very soon all gov & corp of the world will fall onto this new medium like a ton of brick".
      • As far as I can see, that informal ideology is still out there, and I'm not sure it was ever as pure as you imply. It's changed somewhat to cover Free and Open Source software (much of which is ideology-driven) rather than all software.

        It's also a whole lot less prominent because, while the hacker frog didn't grow much, the pond did. If it's harder to find hackers on the web, it's because there's so much else out there, not because they aren't there. Nobody's trying to wipe them out. Nobody cares tha

    • I would like to see something radical happen which promotes actual technological innovation and hinders all this IP bullshit.

      It's called mobile. Their crap doesn't play well over here. Come on in. The water's fine.

  • by girlintraining ( 1395911 ) on Tuesday March 26, 2013 @05:42PM (#43286337)

    "UEFI has been implicated in the death of Samsung laptops running Linux."

    Yes, it was seen shortly after the murder skipping down the road giggling, its hands covered in blood, counting the money Microsoft had given it to silence the rival gang members.

  • by volkerdi ( 9854 ) on Tuesday March 26, 2013 @05:50PM (#43286409)

    "so there may be some hope of making UEFI more Linux-friendly"

    The only hope is to make Linux distributions more UEFI friendly. UEFI and Secure Boot is certainly here to stay.

    • I agree. Also, I'm tired of hearing the lock in complaint with secure boot - Microsoft requires x86 machines to be unlockable, only ARM is locked down. Where's their EU complaint regarding locked bootloaders for competing tablets?
      • The issues here is one of PR and perception by non-technical users

        Microsoft requires x86 machines to be unlockable

        But it's not called "Locked boot", is it?
        It's called "Secure boot"
        and disabling "secure boot" is surely, by definition, insecure.

        Asking new users to disable secure boot is not what distros want to do.

      • by sjames ( 1099 )

        That would be a separate complaint since it will require action against different vendors.

        Beyond that, as a three time loser, MS is subject to extra scrutiny and very little trust.

      • by rastos1 ( 601318 )

        only ARM is locked down

        "ARM? What's that? Never heard of that. It is certainly unimportant. Who cares if it is locked down. ..." is that what you are saying?

        That word "only" does not mean it is insignificant.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      'Secure Boot' is designed to prevent alternate OSs from running on that hardware. That's its fundamental purpose.

      The hardware has to be made more Linux-friendly, not the other way around.

      • Re: (Score:2, Flamebait)

        by KingMotley ( 944240 )

        Negative.

        Linux can either sign their bootloaders with either:
        1) Their own key and provide the necessary key and have users install it into the UEFI, or have the motherboard/bios manufacturers preload it, OR
        2) Use Microsoft's key and sign it their boot loaders with that since it is likely already installed into most (non-apply) UEFI systems OR
        3) Instruct users to disable secure boot and you can live your live in blissful ignorance never knowing if malware has taken over your entire linux machine, logging eve

        • Fine piece of invective, but your third point is FUD itself. Secure Boot only verifies the boot process, not if malware is running on a system. As long as malware doesn't alter the boot-sequence and manages to hide from malware detectors, then then all of your horrid scenario still takes place (on Windows, Linux, Mac OS X, *BSD, the type of OS doesn't matter), while Secure Boot will never tell you that anything is amiss.

          Secure Boot is just one tiny security measure in a whole arsenal and it isn't even th
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I would LOVE to see a distribution which signed the kernel, bootloader and all of its packages and required the user to import a key into the UEFI BIOS to make everything work. That would be progress!

      • That wouldn't be progress. How many people would bother to figure out how to take the time to do that? No, it has to be so simple to do that it can be done trivially by almost anybody but still require physical access to the machine.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      All it needs to do is require the ability to add MY keys to load MY kernel on MY hardware... and allow me to remove keys I don't trust.

      What is so hard about that?

      Of course MS won't allow it...

      • by Anonymous Coward

        Yeah, it basically needs to become what MS say it is (a security feature) rather than what it really is (a way to relegate alternate OS's to "non-secure" status).

      • What is so hard about that?

        Nothing hard about it at all, and that is exactly what it is. Oh, you mean you didn't read anything, nor bother to try and understand what you are talking about before spouting random BS as an anonymous coward? Yeah, that is what I thought.

    • The only hope is to make Linux distributions more UEFI friendly. UEFI and Secure Boot is certainly here to stay.

      The geek frets over UEFI because he is dependent on cheap commodity hardware built for the Windows eco-system --- and because almost no one buys a PC with Linux installed. The best he can hope for realistically is that a curious user can be persuaded to dual boot.

      That isn't going to happen if he has to disable system-level security.

      Not that he hasn't made it perfectly clear that dislikes and distrusts changing system level defaults for any reason whatsoever.

  • Samsung laptops (Score:5, Informative)

    by iYk6 ( 1425255 ) on Tuesday March 26, 2013 @05:58PM (#43286497)

    UEFI has been implicated in the death of Samsung laptops running Linux.

    That had nothing to do with Linux, and UEFI had no fault in that. The problem is that Samsung wrote a serious bug into their UEFI implementation that causes the laptop to brick if the user does X, Y, and Z under any operating system.

    • by Kaenneth ( 82978 )

      A while back I was doing testing on a DEC Alpha machine that had a BIOS based boot menu.

      I needed to install multiple OS's (Windows NT english, german, japanese...) when I added the 5th or so OS, the machine died since the boot options overflowed into other data, corrupting the bios settings, requiring re-flash of the settings to factory defaults. (I vaguely recall having to set a jumper, but it was a long time ago)

      • by yuhong ( 1378501 )

        I think the firmware was called ARC or later AlphaBIOS.

      • You cleared the BIOS with a jumper. You had two interfaces on that BIOS. One was a GUI for Windows NT users. The other was much like grub2. You had to be in one or the other to install a Windows OS or a Unix OS. IMHO, installing a version of NT for each language wouldn't be considered installing multiple OS's.

  • UEFI has been implicated in the death of Samsung laptops running Linux.

    Boy, the things allowed to pass as journalism.

    1. It has most definitely been the cause of the Samsung bricks, but it also bricks running Windows. It's an implementation-of-the-spec
    issue, but more importantly, it proves that UEFI is still Alpha stage, and a bad idea all around. Let's face it, Windows is frustrating
    enough to run, now this added to the consumers' woes, and we're talking serious

    • by tlhIngan ( 30335 )

      1. It has most definitely been the cause of the Samsung bricks, but it also bricks running Windows. It's an implementation-of-the-spec
      issue, but more importantly, it proves that UEFI is still Alpha stage, and a bad idea all around. Let's face it, Windows is frustrating
      enough to run, now this added to the consumers' woes, and we're talking serious hurt here. I can't wait to see some update/virus

  • The linux kernel had a minor snafu that causes those samsungs to brick. it's fixed now, and has been for a couple of months.

    i wish people would stop it with FUD, no matter what side it comes on. researching claims you make would be a good start, otherwise this shit perpetuates.

    • by lpq ( 583377 )

      It wasn't a bug in the kernel, it was a bug in Samsung's UEFI Bios.

      The UEFI BIOS has a place for persistent variable storage. On the Samsung, it had code that checked if *anything* had stored info such that there was 50% space in the variable section. If that happened, the unit self-bricked.

      You can point the finger at Linux and say it pushed the computer over the edge, but the problem was in designing a computer that effectively self-bricks when it's internal HD gets over 50% space. Of course, if you in

  • At first, I thought that it sounded a bit "whiny" to go to EU to complain (just like I thought about the browser ballot thing), but after reading some more I do think they have one important point: Microsoft has the master key and everyone that wants a signed trusted boot need to get it from them. This does rub me the wrong way. If Microsoft had started an independent entity responsible for Secure Boot signing, this thing would not smell as bad. Hispalinux has some good arguments also regarding the laws of

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...