back to article Open-sourcers suggest Linux secure boot block workarounds

The Linux Foundation has published a how-to guide for PC makers on implementing UEFI's Secure Boot functionality without preventing the post-sale installation of Linux on Windows 8 machines. UEFI (the Unified Extensible Firmware Interface) secure boot specs currently under discussion would mean PCs would only boot from a …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    why not a printed key?

    Given that a number of infections occur in the supply chain, witness for instance the number of blank USB keys with malware, I can see why "leaving the wound exposed" until it gets to customer is a bit of a no-no. This is even worse, expecting the end customer to "close" without risk of infection or error.

    Why it cannot have the relevant key, or a link to the relevant key, printed on pretty holographic paper, so that Linux or whatever would be able to sign itself against a permitted key (i.e. held, but not used by windows). The link aspect would allow the PC-maker to know that the seal has been broken, and it is no longer expected to guarantee its secure boot mechanism, or more importantly, that expectation IS there for the "regular" customers.

  2. Ceiling Cat

    An easier solution . . .

    would be for the hardware manufacturers to refuse to support "secure boot", as it only benefits Micro$haft.

    I, for one, am goingto have to consider my options carefully - I will not pay out hundreds or thousands of dollars for a computer, only to be told what I am allowed to run on it. After all, if I wanted to be treated like a numpty f**ktard who doesn't know how to use a computer, I'd buy a mac.

    Micro$haft need to either admit that this is a cash grab, or improve the overall security of their OS, and preferably not by preventing the end user from installing OSes which aren's Micro$haft products.

    "Oi! Keep yer filthy hands off my PC" (with apologies to R. Waters)

    1. midcapwarrior

      "hundreds or thousands of dollars for a computer". What the heck are you buying.

      1. Ben 42

        That's an OR. Still quite easy to spend a couple grand on a new PC if you so choose.

  3. Smudge@mcr

    History teaches us...

    You can't trust Microsoft.


    1. Chemist

      Trust and Microsoft - two words that you don't see together without Don't in front

      Who on earth downvoted this ?

      1. eulampios

        or rather anti-trust

        >>Trust and Microsoft - two words that you don't see together without Don't in front

        With the exception of the prefix "anti", like, antitrust cases "M$ vs US", "MS vs EU" etc. :)

  4. Anonymous Coward
    Anonymous Coward

    Spot on, except.

    The part about <strike>giving someone a license to print money</strike> setting up a vendor neutral CA. Vendor neutral CAs do not work, one only needs to look at the current mess which is https certificates for proof of this.

    1. AdamWill


      it depends on what the alternative is, and the alternative in this case is 'everyone self-signs and then pleads with hardware manufacturers to trust their keys'. not what you'd call ideal.

  5. Ken Hagan Gold badge

    What's the actual intention here?

    We appear to be trying to design a system to stop anyone from updating the BIOS or boot sector apart from, er, anyone.

    What's the attack we are trying to thwart here? If it is software updating the BIOS without the end-user's permission, then there are simpler ways of doing it. A physical switch springs to mind. If it is software updating the BIOS *with* the end-user's permission, well, EITHER there is a back door OR there isn't.

    If someone offers "free porn" but the access method is "Burn this ISO, switch off secure boot, insert CD and power cycle the machine" then how many end-users are going to be both willing and able to do that, *especially* if almost identical instructions are soon to be found all over the web as *the* usual way to try out a live linux CD?

    1. Big-nosed Pengie

      What's the attack we are trying to thwart here?


    2. Anonymous Coward

      DIP Switch

      Goes off and sinks life savings into the worlds last remaining DIP switch maker.

      A physical switch to enable write mode on a mobo would stop BIOS malware, especially if it combines with disabling all but the few services and mobo features required to perform a BIOS update - so that users HAVE to switch it back to "DISABLE WRITE", get more than a few MB of RAM and boot into the OS of their choice.

      This wont affect the less technically minded at all; they already call their tech savvy friends to change the mouse!!!!

    3. Magnus_Pym

      What's the attack we are trying to thwart here?

      Windows XP.

      (or any other version of any OS other than the version of windows Microsoft are currently pushing)

      This is not an attack on Linux. It's an attack on the ability of users who don't want to drink the latest Microsoft kool-aid. How will users be able to stick with XP when new PC's come out with this and Win8 pre installed. No keys no load.

      A few years later when win 9 is released new pc's will not have the old win8 keys built into the bios. Oh no. You want a new PC you will do as you are damn well told.

  6. Neil Barnes Silver badge

    One thing I haven't yet seen comment on:

    How does this UEFI security mechanism impact upon virtual machines and the images therein? Though it is of course *entirely* unacceptable to be required to pay a windows tax to be able to run Linux in a VM, it would be nice to know that the option is at least available. Possibly more likely is someone wanting to run Windows in a VM under a Linux environment - that seems as if it isn't going to work?

    More seriously, what happens when you've got a rack full of blades running various VMs? (An area about which I cheerfully admit I know nothing, but seek education.)

    1. Ian McNee

      No effect on VMs

      VMs don't see the physical BIOS and the physical BIOS doesn't start the boot process for VMs, the BIOS for a guest OS is virtualised by the hypervisor. Some virtualisation software like VirtualBox give the option of a virtual UEFI BIOS and it seems likely that they may offer the *option* of a virtualised secure boot. However M$ does not have the whip-hand over companies like Oracle and VMware the way it does over x86 OEMs so it's hard to imagine them upsetting a large chunk of their user base by effectively locking out Linux et al for no tangible benefit.

      Even so this is no reason to accept the Beast of Redmond trying yet again to pull a fast one in using its monopoly position to undermine competitors.

  7. John Sager
    Thumb Down

    I'm not hopeful

    I suspect many PC manufacturers will just lock the mobo with a M$ key - we've all heard the tales about suppliers having private agreements with M$ not to supply system pre-loaded with Linux. Why should things be any different this time around? Hopefully bare mobo suppliers and system builders will be more inclined to follow the Linux Foundation guidelines. I expect we'll eventually get a (hard-won) list of mobos & systems that can boot Linux and other OSs, and those to be avoided at all costs.

  8. sisk

    Absolute neccessity

    I'd go so far as to say that this is neccessary if you want UEFI to serve it's intended purpose. If Linux geeks have to break UEFI to install Linux then they will. If that happens then malware writers will come along behind them, pick up thier work, and use it to install malware.

    What you've got here is the same situation that game consoles face: the crackers may not have the skill to break it, but the Linux hackers do. Let the Linux guys do what they want and they'll never make the tools for crackers to use down the line. Case in point: the PS3, thought to be unhackable until the people who wanted to run Linux on it had to hack it to do so.

  9. dervheid

    Why the fuck...

    should microstuffed, or anyone else for that matter, be allowed to dictate to me what I can, or can't do to MY hardware?

    Yes, I KNOW there's a 'workaround', but if the swiss cheese that is a windows OS was actually secure in it's own right...

  10. minky

    "...allowing Linux distress..."

    Bit like Windows distress, but at least you don't have to pay for it.

  11. Anonymous Coward
    Anonymous Coward


    It's worth bearing in mind that AMI are recommending that it's best practice for all OEMs to have secure boot selectable ie: The world's largest BIOS/UEFI manufacturer are telling OEMs that they should allow secure boot to be switched on/off by the user.

    Add to this the basic common sense that MS aren't going to mandate hardware being sold that won't run their existing operating systems (Vista and 7 both support UEFI) and we see the storm in a teacup that's being whipped up here.

    Now I'm sure there will be the usual "M$ are teh Evilz" comments, possibly a few suggesting that MS will want to force everyone to upgrade. Just take a step back and think, if this was any other company would they go out of their way to piss off their major customers (corporates routinely put old OSes on new hardware). No, they wouldn't and neither will MS - if only for the avoidnace of the massive court case it would precipitate.

    1. AdamWill


      "Add to this the basic common sense that MS aren't going to mandate hardware being sold that won't run their existing operating systems (Vista and 7 both support UEFI) and we see the storm in a teacup that's being whipped up here."

      Wait, you just put the phrases "basic common sense" and "MS" together. Oops.

      What's the basic common sense for MS in allowing you to run older versions of Windows on newly-purchased hardware? They've been wanting to get people off old versions of Windows for years and now they have the perfect excuse: 'sorry, can't do that, security reasons, old chap'.

      1. Anonymous Coward
        Anonymous Coward

        Not so...

        I've worked for major corporates for the last 14 years and MS have gone out of their way to support old OSes. It makes them a lot of money too! I was using fully supported NT4 only three years ago.

        1. AdamWill

          corporates, yes

          sure, corporates are fine, because - as you say - they'll pay. they're on service contracts, they don't buy boxes. home users aren't. microsoft isn't getting any extra money out of Joe Windows XP any more, and really, really, really wants him to upgrade. ditto Joe Windows 7, when Windows 8 comes out.

    2. MacGyver

      Ever seen a Sony BIOS?

      I have 2 Sony Laptops that have 3 user settable settings in the BIOS (set user password, set boot-up sequence, and set bios password) , if I want to turn on VM ability (or any thing else) I have to blindly push entries into it from the command line. Don't for one second think that manufactures wouldn't lock their users out of changing secure boot, they will, if for no other reason than to reduce their help line calls (to India).

      I worked for Gateway a long time ago, and we were told in very crafty wording by Microsoft, "If you want to install our OS on your PCs, you will STOP installing Netscape!" So don't tell me that Microsoft won't flex their influence if the mood strikes and lock-out the users from their machine if the choice is there.

      This type of "feature" needs to be mandated by law to be visibly shown to future purchasers of any product that "blocks" users from installing their own OS software. Something like "OS is locked into Microsoft products ONLY!" across every picture on the box and on all web-based advertising.

      I would have never bought a Sony if I for one moment thought the bios was crippled by the manufacturer, and I have never seen a store that lets you boot into the bios while looking at a new PC.

      1. Anonymous Coward
        Anonymous Coward


        What makes you think that not allowing enable/disable of secure boot will reduce calls to the manufacturer's helpdesk? The sort of people who just buy a generic Win8 machine and use it won't ever go into the UEFI, whereas the people who want to disable it will and they'll be the ones calling the helpdesk to find out why there isn't an option and what can be done about it.

        Not including the ability to disable UEFI will actually increase calls to the helpdesk.

    3. Ken Hagan Gold badge

      Re: won't run their existing operating systems

      "MS aren't going to mandate hardware being sold that won't run their existing operating systems"

      Of course they are. If you want the "designed for Windows 8" logo on your box, you will have to (a) lock the BIOS, and (b) pre-load an "OEM licensed" copy of Windows 8.

      In Microsoft's universe, if you want to run Win7 then you should have bought a computer with an OEM-licensed copy of Win7 on it to start with. MS *hate* the idea that a computer should exist that is *not* tied to a particular instance of a particular OS.

      I wouldn't put it past them to produce a special version of Win7 for volume licence customers so that they can retrospecitively back-date this DRM onto that OS.

      Fortunately, the rest of the world disagrees and enough of the rest of the world probably disagrees enough to make this whole scheme a non-starter.

  12. Sureo

    "...allow secure boot to be easily disabled and enabled through a firmware configuration interface..."

    Yes otherwise I'm not buying the motherboard/system/whatever.

    1. Dave Bell

      I have a Windows serial number on the packaging for my distribution copy. I need to type it in the install Windows. It's enough hassle that I can see why MS might want to move to this new system.

      But if I get a computer with this locking and Windows installed, and I still get the Windows serial number, it's rather obvious to use that serial number to authorise switching off the protection. Then I could install Linux, or whatever. And if the system is properly coded, it's going to be hard for the black hats to install their root-kits and stuff, because they can't know what my system's Windows serial number is.

      No, it can't work. It's so obvious. I must be wrong.

      1. Magnus_Pym

        Easier still

        When the user inserts an install disk that tries to change the boot sector security key.

        "please switch off boot sector lock before installing the OS"

        Then after it is installed

        ""please switch on boot sector lock before running the installed the OS"

  13. James Gibbons

    What about disk tools?

    I guess this means the Acronis boot disk will not load when I need to restore a virus crapped out Microsoft system. But oh wait, Windows 8 has the imaging feature built in. Clever those people from Redmond. Back to their usual monopolistic ways I guess.

  14. duncan campbell

    Smudge@mcr and the https comment following have it: there is no

    way you can trust MS, or any certificate vendor for that matter.

    The fact is this is nothing more than a mechanism for MS to render

    the hardware base that Linux and the BSDs rest on obsolete by

    design: the UEFI is nothing more than a "Built In Obsolescence"

    function. It does not even appear to effectively solve the problem,

    and is certainly not as secure as, say a dip switch.

  15. OnTheSpecialBus

    Anybody remember winmodems ?

    A long while ago, just after the last ice-age, it was possible to buy a bit of hardware called a winmodem.

    It was a cheaper to make and slightly cheaper to buy way to get a modem in your PC.

    It was cheaper because it was a brain dead card with a lump of software from Microsoft to make it work and dropped packets if you played an online game like quake due to CPU load.

    Mine went in the bin long before I found out they didnt support Linux

    Any manufacturer desparate enough to tie their hardware to a single OS is probably so close to chapter-11 that you would be best to avoid them completely.

    Vmware might have some input to make on excluding them from hardware too, its not all freeloading beardy sandal wearers that want to boot something other than MS products.

    1. AdamWill


      you seem to have your history a bit wrong. Once winmodems came out they were very successful; it became quite difficult to buy a modem that *wasn't* a winmodem. Especially PCI ones.

      1. Tom 38 Silver badge
        Thumb Down

        Also lots of winmodems ran very happily under linux, particularly lucent ones. After all, a soft modem is really just a sound card that samples/produces the right tones and shoves it over an rj-11, so under linux you could actually do a whole lot more, like using it as an answering machine.

        They were also super cheap, so you could get on the net for £15 rather than £75.

  16. Goat Jam

    Just go ahead and buy the MS locked kit

    Then return the next day because it is not fit for purpose.

    Rinse, lather, repeat until the manufacturers get the idea.

  17. Anonymous Coward

    What was the name...?

    ... of that MIPS-based Chinese system manufacturer, who uses open BIOSes, and are they available in the West?

  18. PaulVD


    You won't get your money back, because the computer WAS fit for purpose. It was sold to you as a machine that runs Windows 8, and it did that. Wanting it to run Linux (or XP, for that matter) is like buying a petrol-engined car and expecting to run it on diesel. (Anyone managed to get a refund on an iPhone because it won't run Android?)

    The problem is that some of us will want to buy machines that are not tied to Windows 8, and it is not at all clear that enough manufacturers can be bothered supplying that market. The Windows 8 logo will be really important to them, and they can get that without the extra fiddling needed to support other operating systems.

    1. Tom 38 Silver badge


      It's not quite like that, is it. After all, he hasn't specified how he buys the computer, he could be buying components and building it himself. If that then doesn't work with your choice of operating system, then why shouldn't you get a refund?

      Are you suggesting that BSD/Linux users should have to go and find a motherboard certified for BSD/Linux?

      This isn't actually that far from the current truth, a lot of motherboard manufacturers write shoddy BIOS and ACPI tables that completely violate the specs, but work only within MS's loose interpretation of the specs.

      MS don't mind this, they encourage it by getting paid to certify kit that violates the specs as 'Designed for Windows N' and adding workarounds to their own code. This reinforces their 'Open source is hard to use' FUD.

      1. Anonymous Coward
        Anonymous Coward


        Think you've kind of missed the point there!

        Buying a petrol car and expecting it to run on Diesel is (a bad idea and) a terrible analogy.

        Although MS might try and chuck that kind of excuse back at you, I'd expect a court to take the adult view and recognise that you shelled out for a general computing device. Unless there was something on there that explicitly showed you could _only_ run Windows 8, you'd probably be in for a good chance of winning (were you willing to go that far).

        Of course, it'd probably be better just not to buy the thing in the first place, but we all need to upgrade our hardware sometime!

        The trick is, when you're purchasing, make it very very clear to the salesguy that you plan on running Linux/BSD/whatever, hell ask if you can have it without Windows (to which you'll almost certainly get no!)

    2. eulampios

      antitrust law forbids this

      If a single company sides with a number of independent ones to control the market in its entirety, they all seek troubles from the antitrust authorities.

      Especially, when the the prototype of your "petrol-driven automobile" example is absolutely irrelevant, because it were it could justify ANY possible pro-trust behavior. Infect, from the fact that all the PC's I own and had to buy with the Windows logo run Linuxes/FreeBSD flawlessly, in fact much better than the original "petrol-engined " junk.

  19. Tim Bates

    Not just Linux...

    The way I understand it, it could also effect:

    * Volume license users with downgrade rights - Which versions of Windows have signed bootloaders? Do Vista and 7?

    * System imagine tools similar to Ghost, Acronis, etc.

    * System tools, like hard disk tests, RAM tests, etc. Especially non-vendor specific ones.

    * Offline virus scanners that boot off a CD.

    Now, any and all of these could end up with signed bootloaders, but doesn't the system's UEFI need to know to trust each signature? If they only trust MS, all the system tools are still screwed. How many can be trusted while still keeping this whole thing secure?

    To me, it seems like a big pain in the arse with extremely small results. Rootkits have to be one of the rarer infections, I'd have thought.

  20. mark l 2 Silver badge

    Even if the OEMs don't implement the ability to add your own keys to the 'bios' i predict that MS keys will stay secure for about a month before they are hacked and posted on the internet and the secure boot will be useless anyway.

    1. Ken Hagan Gold badge

      Re: key security

      I see no reason why these keys should be any less easy to secure than the ones that MS use to sign their own code, or Windows Update downloads. Unless there is a black-hat out there keeping *very* quiet, these have remained secure for over a decade.

      This isn't like DVD encryption, where the keys had to be distributed amongst a large number of vendors and a decryption device had to be shipped to millions of consumers.

  21. M.A


    unless I am free to implement the OS of choice LINUX) without jumping through loads of hoops i am not interested in buying.

This topic is closed for new posts.

Other stories you might like