The UEFI interface can enroll the hash of the Linux kernel to be booted securely and he has no need to sign anything…
Let’s hope that behaviour is widespread. One still has to find a way to get the kernel onto the hard drive. Perhaps one can install on one machine and copy/move to another or turn off “secure boot” temporarily. This is good news, at least for x86/amd64 systems. On a similar note, Intel now claims it is not abandoning socketed CPUs…
17509
12809
206
3
2
23964 
11881 
11732 
4666 
4281 
1644 
198 
14 
2 
0 
0 
0 
How to Circumvent UEFI Secure Boot
http://www.osnews.com/comments/26591
Eventually what will happen is that UEFI will become exploitable and malware will come out taking advantage of this, affecting everyone.
M$ will revoke keys, and people will become screaming howler monkeys.
I would imagine the exploit for the so called secure boot is going to be pretty simple. Since as I understand it the method to make the boot secure involves a set of signing keys, one in the UEFI “Bios” and another in the actual Windows operating system, I would guess all it might take to make one of these supposedly secure Windows systems to crap out is infect the OS with something that trashes the half of the process, or key, that exists in Windows. Since that half is trashed the UEFI boot process has no paired key…..no more boot at all. End of game for Windows user.
My guess is the whole scheme will fall a part in the near future and it will be because of some simple exploit or flaw in the idea.
lpbear wrote, “Since that half is trashed the UEFI boot process has no paired key…..no more boot at all. End of game for Windows user.”
Ahhh, yet another route to unbootability. M$ relies on that to have
suckersconsumers buy new machines because it’s cheaper than fixing them sometimes and with malware there’s no guarantee of putting everything right.“UEFI secure boot” is nothing about malware afflicting users. It is ALL about preventing things like paradox and windows loader.
No, it’s about mafia$oft having one more way to extort customers.
Yes, it is!
With or withou (U2!) UEFI windows malware will continue to have a happy life!
eug problem here is items like Windows Loader will be able to alter to chain load instead of a Linux kernel or even possible chain load from MS own loader.
http://neosmart.net/blog/2012/announcing-easybcd-2-2-windows-8-dual-booting-and-more/
So UEFI really is limited on how much help it is unless you lock users out from altering the system completely.
If Ms goal is to prevent windows loader and paradox on x86 they have been wasting there.
Now the Windows Arm RT device that is a different matter. Only way to prevent windows loader and paradox is prevent other OS’s from running end of story.
Greg Kroah-Hartman focus is direct booting not chain loading from the MS boot loader.
oiaohm wrote, “So UEFI really is limited on how much help it is unless you lock users out from altering the system completely.”
True.
Incidentally, I had a problem with the old BIOS recently. On one of our PCs, the BIOS was changed to “wait for F1 on error” (no idea how that happened). Of course it would not boot with our wireless keyboard. I had to bring Beast’s Fujitsu “aircraft carrier” keyboard to the machine to get in and root around. After looking and failing to find “halt on all errors” or something similar, I reasoned that F1 must be on the keyboard… It worked. I will bet UEFI and “secure boot” will launch no end of similar problems over the years as M$ struggles to survive. I can see M$ using “secure boot” to prevent old versions of that other OS running on new hardware. Nothing prevents M$ from “updating” “secure boot” or its “keys” to jerk around the markets indefinitely. I think all these work-arounds are just a stop-gap. What the world needs is a good lawsuit to put M$ in its place once and for all time. The world missed that chance in DOJ v M$.
Secure boot: Microsoft shows up Linux
http://www.itwire.com/opinion-and-analysis/open-sauce/57920-secure-boot-microsoft-shows-up-linux
UEFI and UEFI SecureBoot + Linux, is the nightmare over?
http://lxnay.wordpress.com/2013/01/02/uefi-and-uefi-secureboot-linux-is-the-nightmare-over/
More fun with Windows 8 UEFI, Secure Boot, Fedora and Ubuntu
http://mrpogson.com/2012/12/07/greg-kroah-hartman-shows-uefi-booting-unsigned-kernel
The rEFInd boot loader for UEFI Systems: A life (and sanity) saver
http://www.zdnet.com/the-refind-boot-loader-for-uefi-systems-7000010275/
Booting Linux using UEFI can brick Samsung laptops
http://www.h-online.com/open/news/item/Booting-Linux-using-UEFI-can-brick-Samsung-laptops-1793958.html
Protection against Samsung UEFI bug merged into Linux kernel
http://www.h-online.com/open/news/item/Protection-against-Samsung-UEFI-bug-merged-into-Linux-kernel-1795332.html
The current state of UEFI and Linux
http://mjg59.dreamwidth.org/22028.html
Linux Foundation’s Secure Boot bootloader restructured
http://www.h-online.com/open/news/item/Linux-Foundation-s-Secure-Boot-bootloader-restructured-1796276.html
Very good, eug. Your link finding skills are unprecedented. You’re almost like a dog.
Could secure boot lead to Linux v Linux strife?
http://www.itwire.com/opinion-and-analysis/open-sauce/58562-could-secure-boot-lead-to-linux-v-linux-strife
UEFI strikes again
http://www.tuxmachines.org/node/59594
Samsung, Linux and the Bothersome Bricking Problem
http://www.linuxinsider.com/story/Samsung-Linux-and-the-Bothersome-Bricking-Problem-77278.html
Linux acquitted in Samsung laptop UEFI deaths
http://www.bit-tech.net/news/bits/2013/02/11/linux-samsung-deaths-2/1
Enough with the UEFI drama already
http://www.dedoimedo.com/computers/uefi-drama.html
http://hackaday.com/2013/02/26/mac-efi-pin-lock-brute-force-attack-unsuccessful/
Supporting third-party keys in a Secure Boot world
http://mjg59.dreamwidth.org/23400.html
http://www.tuxmachines.org/node/60046
http://www.zdnet.com/more-experiments-with-linux-only-uefi-secure-boot-installation-7000014095/